Cyber Security Week in Review: January 23, 2026


Networking equipment maker Cisco has released security updates to address a critical remote code execution (RCE) vulnerability affecting its Unified Communications and Webex Calling platforms that has been actively exploited as a zero-day in the wild. Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition, Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance. The vulnerability exists due to improper input validation when handling HTTP requests, which could allow a remote attacker to execute arbitrary code on the affected system by sending a specially crafted HTTP request.

Cisco has also fixed a critical Cisco AsyncOS zero-day flaw (CVE-2025-20393) exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025. The threat intelligence team Cisco Talos attributed the attacks to a likely Chinese state-linked group, tracked as UAT-9686, which deployed persistent backdoors and tunneling tools such as AquaShell, AquaTunnel, and Chisel.

Attackers are reportedly exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) allowing them to compromise even patched firewalls. Multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices. Also, cybersecurity firm Arctic Wolf has warned of a new wave of automated malicious activity targeting FortiGate devices, involving unauthorized firewall configuration changes. In addition, a critical vulnerability in Fortinet FortiSIEM is now being actively exploited by threat actors following the public release of proof-of-concept exploit code. The flaw, tracked as CVE-2025-64155, is an OS command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system.

Fortinet has confirmed it is working on a fix for a FortiCloud SSO authentication bypass bug. The issue is linked to the previously disclosed SAML SSO flaws (CVE-2025-59718 and CVE-2025-59719). Fortinet said it has identified a new attack path and will release an advisory once full details are available, noting the risk may affect all SAML SSO implementations.

On the same note, the watchTowr threat research team says that a new security flaw in SmarterTools’ SmarterMail email software is being actively exploited. The vulnerability, which has yet to receive a CVE identifier, stems from an error in the password reset feature. A remote non-authenticated attacker can reset the password of an administrative user and gain full access to the application, including the ability to execute system commands. The issue was responsibly disclosed on January 8, 2026, and fixed by SmarterTools in Build 9511 on January 15, 2026.

North Korean threat actors are running multiple long-running malware campaigns targeting developers and enterprise users, according to new reports from Jamf Threat Labs and Genians. In one operation, known as the ‘Contagious Interview’ campaign, attackers use fake job recruitment lures to trick developers into cloning malicious VS Code projects from GitHub, GitLab, or Bitbucket to plant RCE backdoors on target systems. Separately, a Konni APT campaign dubbed ‘Operation Poseidon’ abuses legitimate online advertising infrastructure from Naver and Google, weaponizing ad tracking and redirection URLs in spear-phishing emails to evade detection.

Hackers are targeting Afghan government employees with phishing emails disguised as official correspondence from the office of the country’s prime minister. Once opened, the document deploys malware known as FalseCub, which is capable of collecting and exfiltrating data from infected computers.

A long-running malvertising campaign is infecting organizations worldwide with a backdoor delivered via trojanized PDF documents. The campaign, dubbed ‘TamperedChef,’ has been active for some time, but now it has expanded across Europe, mainly targeting organizations in Germany, the UK, and France.

A new malware campaign dubbed PDFSIDER has been exploiting the legitimate PDF24 App to breach corporate networks and steal data while providing remote access to attackers. The PDFSIDER campaign involves targeted spear-phishing emails designed to trick victims into downloading ZIP archives containing what appears to be the real PDF24 Creator.

Cybersecurity researchers have shared details of a malware campaign targeting software developers via the Microsoft Visual Studio Code (VS Code) extension ecosystem. The campaign delivers a new information-stealing malware dubbed ‘Evelyn Stealer,’ designed to harvest sensitive data by masquerading as legitimate VS Code extensions.

Check Point Research says that the recently discovered VoidLink cloud-focused Linux malware framework was likely developed by a single developer with the help of AI tools. Initially, researchers believed VoidLink to be the work of skilled Chinese-speaking malware authors; however, evidence from exposed server files, including source code, sprint plans, and AI-generated documents, suggests the malware was largely built within a week using an AI assistant embedded in the TRAE development environment.

A new phishing campaign is exploiting private messages on social media platforms to distribute malicious payloads and ultimately a remote access trojan. The attackers leverage weaponized files delivered through Dynamic Link Library (DLL) sideloading in combination with a legitimate open-source Python penetration testing script. The campaign targets high-value individuals on LinkedIn, where threat actors initiate conversations to build trust before tricking victims into downloading the malware.

Security researchers at Huntress have uncovered a new variant of the ClickFix attack, dubbed ‘CrashFix,’ that uses a malicious Chrome extension to crash users’ browsers and trick them into installing malware.

Pentera Labs found that many security vendors accidentally exposed vulnerable training apps such as OWASP Juice Shop, DVWA, and Hackazon to the public internet. The misconfigured apps allowed attackers to take over systems and access internal networks, and were actively exploited to install crypto miners, webshells, and other malicious tools.

A large spam campaign is reportedly abusing Zendesk servers. The attackers take advantage of Zendesk systems that let anyone create support tickets without signing up. So far, the spam messages appear to be generic and do not include malware or harmful links.

Okta is warning about new voice-based phishing (vishing) kits designed to steal SSO login credentials. The kits are sold as a service and are already being used in real attacks against Okta, Google, Microsoft, and crypto platforms.

Separately, LastPass has warned of an active phishing campaign using fake maintenance emails that pressure users to back up their vaults within 24 hours.

A Telegram-based marketplace called ‘Tudou Guarantee,’ known for advertising illegal services, appears to be slowing down. The platform has stopped transactions in its public groups after handling an estimated $12 billion in activity. While some services are still active, it is unclear whether this is a sign of a full shutdown or a change in operations.

An initial access broker pleaded guilty to selling illegal access to the computer networks of dozens of companies. Known online as “r1z,” Feras Khalil Ahmad Albashiti sold unauthorized network access to an undercover officer in exchange for cryptocurrency. He faces up to 10 years in prison; his sentencing is scheduled for May 11, 2026.

Japanese police have arrested a 31-year-old man in Tokyo for creating and selling AI-generated deepfake sexual images of female celebrities. Authorities say the suspect used generative AI to produce hundreds of thousands of images, earning millions of yen through a paid website and custom requests.
