Weekly Cybersecurity Roundups Highlighting New Vulnerabilities and Incidents
Multiple outlets published weekly cybersecurity roundups summarizing a mix of vulnerability disclosures, ransomware/breach reporting, and policy developments rather than a single discrete incident. TechTarget highlighted a surge in reported vulnerabilities (citing 48,000+ new CVEs in 2025) and called out several high-impact issues, including a critical ServiceNow weakness tied to weak authentication in the legacy Virtual Agent chatbot that became more dangerous when paired with agentic AI (Now Assist), potentially enabling impersonation and admin-level access into connected enterprise systems.
Other roundup coverage aggregated unrelated security events across sectors. Sherpa Intelligence’s “Five for Friday” compiled items including ransomware claims (e.g., Everest targeting Nissan; Nightspire claiming an attack on a Hyatt Place property) and breach reporting (e.g., a Korean Air employee-data breach attributed to Clop). The Cyber Express weekly roundup similarly mixed disparate topics (platform policy changes around AI abuse, senior government appointments, and national-level connectivity disruptions), reinforcing that the common thread is curation of multiple stories rather than new primary reporting on one specific cyber event.

How this story unfolded
39 events from the most recent confirmed update back to the earliest known activity.
UK NCSC warns of Russia-linked hacktivist DDoS activity
The UK's National Cyber Security Centre warned about Russia-linked hacktivist distributed denial-of-service activity. The warning underscored ongoing geopolitical cyber disruption risks.
CISA adds more vulnerabilities to KEV in late-January update
CISA added several additional vulnerabilities to its Known Exploited Vulnerabilities catalog in late January 2026. The update was referenced alongside multiple vendor advisories as exploitation activity continued to expand.
Access broker Feras Khalil Ahmad Albashiti pleads guilty
Feras Khalil Ahmad Albashiti pleaded guilty to selling access to at least 50 corporate networks as an initial access broker. The plea was highlighted as a significant cybercrime law-enforcement outcome.
Researchers report patched FortiGate devices still being compromised
Security reporting said some fully patched FortiGate firewalls were still being compromised, possibly in connection with CVE-2025-59718. The development raised concerns that fixes or post-exploitation persistence issues were not fully resolved.
Attackers probe Cisco RCE CVE-2026-20045 in the wild
By late January, reporting indicated active probing of critical Cisco remote code execution flaw CVE-2026-20045. The activity suggested attackers were rapidly testing exposure before broad remediation could occur.
Talos and vendors patch Foxit, Epic Games Store, and MedDream flaws
Cisco Talos disclosed multiple vulnerabilities affecting Foxit PDF Editor, Epic Games Store, and MedDream PACS, and vendors issued patches. The flaws included privilege escalation, use-after-free, and cross-site scripting issues that could enable code execution or unauthorized access.
Dutch police run fake ticket site for anti-scam awareness
Dutch police were reported to be operating a fake ticket website as a public anti-scam education effort. The initiative was presented as a proactive law-enforcement awareness campaign.
Slack publishes agentic SOC triage architecture
Slack published the design of an internal multi-agent triage system intended to reduce investigation time while preserving quality checks before human escalation. The architecture was highlighted as a notable security operations engineering development.
Google and Mandiant release Net-NTLMv1 rainbow tables
Google and Mandiant released Net-NTLMv1 rainbow tables to accelerate pressure for deprecating the weak authentication scheme. The release was framed as a defensive move to expose the protocol's continued risk.
AWS CodeBuild misconfiguration 'CodeBreach' is reported
Researchers reported 'CodeBreach,' an AWS CodeBuild misconfiguration that could have enabled supply-chain compromise of AWS GitHub repositories. The issue was highlighted as a cloud and software supply-chain risk.
CyberArk hijacks StealC operators via XSS in control panel
CyberArk researchers exploited a cross-site scripting flaw in the StealC malware control panel to observe and hijack operator sessions. The work demonstrated offensive counterintelligence opportunities against criminal infrastructure.
Researchers disclose WhisperPair flaws in Google Fast Pair devices
Academic researchers disclosed 'WhisperPair' vulnerabilities affecting Google Fast Pair audio accessories from multiple major vendors. The flaws raised concerns about the security of widely used Bluetooth pairing ecosystems.
Qilin claims Moen as ransomware victim
The Qilin ransomware group claimed Moen as a victim, though reporting said no proof of exfiltration was provided. The claim was included in roundup coverage of current ransomware activity.
Grubhub confirms unauthorized access amid extortion claims
Grubhub confirmed unauthorized access to internal systems while extortion claims circulated involving Salesforce- and Zendesk-related data. The company's acknowledgment marked the incident as an active enterprise breach response.
CIRO discloses August 2025 breach affecting 750,000 people
CIRO publicly disclosed that the August 2025 phishing attack exposed personal information belonging to roughly 750,000 individuals. The organization said some systems were shut down, but critical operations were not affected.
Researchers describe VoidLink Linux malware framework
Threat researchers published analysis of VoidLink, a China-affiliated cloud-native Linux malware framework designed for stealthy long-term access. Coverage noted the framework's capabilities even though no confirmed infections were reported.
WordPress plugin flaw enables unauthenticated admin takeover
Reporting highlighted active exploitation or disclosure of a WordPress plugin vulnerability, tracked in one roundup as CVE-2026-23550, that allowed unauthenticated administrator takeover. The issue was treated as a high-risk web application threat.
Check Point reports HPE OneView flaw exploited by RondoDox
Researchers reported active exploitation of CVE-2025-37164, a critical HPE OneView remote code execution flaw, by the RondoDox botnet. The vulnerability was also noted as added to CISA's KEV catalog.
Lumen disrupts AISURU and Kimwolf botnet infrastructure
Lumen reported null-routing and blocking more than 550 command-and-control servers tied to AISURU and Kimwolf botnet activity. The action was presented as a major infrastructure disruption against DDoS-related operations.
CISA adds exploited Windows and Gogs flaws to KEV
CISA added actively exploited vulnerabilities in Microsoft Windows and Gogs to its Known Exploited Vulnerabilities catalog. The move signaled elevated urgency for defenders to patch affected systems.
Ukraine and Germany target Black Basta leadership
A joint Ukraine-Germany operation targeted Black Basta leadership, with reporting also linking Black Basta to Conti through blockchain analysis. The action was highlighted in multiple weekly roundups.
Spanish police and Europol target Black Axe network
Spanish authorities, supported by Europol, carried out an operation against the Black Axe criminal organization. The action was cited as a significant law-enforcement move against cyber-enabled fraud.
Eurail/Interrail breach affects travelers
A breach affecting Eurail and Interrail travelers was reported in weekly security coverage. The incident was highlighted as a notable consumer-impacting data exposure.
PoC exploit released for FortiSIEM CVE-2025-64155
Public proof-of-concept exploit code was released for critical Fortinet FortiSIEM flaw CVE-2025-64155, an unauthenticated issue that could lead to remote code execution via crafted TCP requests. Multiple roundups also described thousands of internet-exposed instances at risk.
Meta denies claimed Instagram breach
Meta denied claims that Instagram had suffered a breach exposing data from 17.5 million accounts. The denial came amid reports that users were seeing repeated password reset prompts.
Researchers report Google Vertex AI service-agent privilege issue
A privilege-escalation issue involving Google Vertex AI service agents was reported in mid-January 2026. The finding was highlighted as a cloud security concern in roundup coverage.
Researchers disclose Reprompt attack against Microsoft Copilot
Security researchers reported the 'Reprompt' attack, which used prompt injection and URL parameter abuse to enable stealthy data exfiltration from Microsoft Copilot. Later roundup coverage noted the issue had since been fixed.
Clop-linked breach impacts Korean Air employee records
A separate Clop-linked breach was reported to have affected Korean Air employee records. The incident appeared in roundup reporting on notable enterprise data exposures.
Everest claims Nissan after earlier ASUS-related breach
The Everest ransomware group was reported as targeting Nissan following an earlier breach involving ASUS. The development was cited as part of ongoing ransomware victim disclosures.
Nightspire claims attack on Hyatt Place New York / Chelsea
The Nightspire ransomware group claimed it attacked the Hyatt Place New York / Chelsea Hotel. The claim was reported in a January 16 roundup of current ransomware activity.
Microsoft and partners disrupt RedVDS cybercrime platform
Microsoft, working with international law enforcement and through related legal action, disrupted the RedVDS cybercrime-as-a-service platform. RedVDS had been used to support large-scale phishing and fraud operations.
Cyble reports deVixor Android banking malware targeting Iranians
Researchers reported a new Android banking malware family, deVixor, targeting users in Iran through phishing-distributed APK files. The malware was presented as an emerging mobile banking threat.
Endesa discloses breach affecting Energía XXI customers
Spanish energy company Endesa disclosed a breach affecting customers of its Energía XXI unit. Subsequent reporting described the incident as a large-scale data exposure tied to Spain.
Iran enters fourth day of nationwide internet blackout
Iran experienced a fourth consecutive day of nationwide internet disruption during unrest linked to the collapse of the rial. The blackout was reported as a major public-stability and information-control event.
NSA appoints Timothy Kosiba as deputy director
The NSA named Timothy Kosiba as its 21st Deputy Director. The appointment was cited as a significant U.S. national security leadership development in mid-January 2026.
X tightens Grok AI safeguards after abuse reports
X, formerly Twitter, tightened controls on Grok AI to curb generation of nonconsensual sexualized images. The move followed reported abuse and investigations by U.S. and European authorities.
Microsoft releases January Patch Tuesday fixes
Microsoft's January 2026 Patch Tuesday addressed 114 vulnerabilities, including an actively exploited Desktop Window Manager zero-day tracked as CVE-2026-20805. The update was highlighted across multiple January security roundups.
Late-2025 attack on Poland's power grid attributed to Sandworm
Reporting later attributed a late-2025 cyberattack on Poland's power grid to the Russia-linked Sandworm group. The attribution appeared in January 2026 roundup coverage as a notable geopolitical development.
CIRO phishing attack compromises personal data
In August 2025, a sophisticated phishing attack compromised the personal information of about 750,000 individuals tied to the Canadian Investment Regulatory Organization. Some systems were shut down in response, but critical functions were reported as unaffected.
Sources
Week in review: Fully patched FortiGate firewalls are getting compromised, attackers probe Cisco RCE flaw - Help Net Security
helpnetsecurity.com
Security Affairs newsletter Round 560 by Pierluigi Paganini - INTERNATIONAL EDITION
securityaffairs.com
I scan, you scan, we all scan for... knowledge?
blog.talosintelligence.com
Cyber Briefing: 2026.01.21
linkedin.com
Security Affairs newsletter Round 559 by Pierluigi Paganini - INTERNATIONAL EDITION
securityaffairs.com
Five for Friday: January 16, 2026 - Sherpa Intelligence
sherpaintelligence.substack.com
News brief: Security flaws put thousands of systems at risk | TechTarget
techtarget.com
TCE Weekly Roundup: Stories For NSA, Iran Blackout, And More
thecyberexpress.com