VMware ESXi zero-day attacks 🔥, n8n server hijacking 🎯, Chinese APT campaigns 🇨🇳, GoBruteforcer botnet 🤖, malicious Chrome extensions 📱
Daily Threat Intel Digest - January 8, 2026
🔴 Critical Threats & Active Exploitation
[NEW] CISA warns of active exploitation of 17-year-old Microsoft PowerPoint vulnerability
Attackers are actively exploiting CVE-2009-0556, a critical code injection vulnerability in Microsoft PowerPoint that enables arbitrary code execution through specially crafted presentations [CyberPress]. The vulnerability, which Microsoft patched in 2009, allows attackers to compromise systems by abusing how PowerPoint processes internal file structures. CISA has added this to its Known Exploited Vulnerabilities Catalog and mandated federal agencies to patch by January 28, 2026. Any organization running unpatched Office installations faces immediate risk of malware deployment and lateral movement through this vector [CISA].
[NEW] Hackers actively exploit VMware ESXi with zero-day MAESTRO toolkit
A sophisticated attack campaign is targeting VMware ESXi instances using a zero-day exploit toolkit called MAESTRO, which chains three previously unknown vulnerabilities (CVE-2025-22226, CVE-2025-22224, CVE-2025-22225) to achieve virtual machine escape [Huntress] [GBHackers]. Attackers gain initial access through compromised VPN appliances, then deploy the toolkit to break out of guest environments and gain host system control. The backdoor hijacks ESXi’s inetd service using VSOCK for covert guest-to-host communication, rendering it invisible to standard network monitoring. VMware ESXi versions from 5.1 through 8.0 without patches are vulnerable, requiring immediate emergency patching of hypervisor infrastructure.
[NEW] Max severity Ni8mare flaw allows hijacking of n8n automation servers
A critical vulnerability dubbed “Ni8mare” (CVE-2026-21858) enables unauthenticated remote code execution against n8n workflow automation platforms affecting approximately 100,000 servers globally [CyberScoop] [BleepingComputer]. The flaw stems from content-type confusion in webhook parsing, allowing attackers to bypass file upload restrictions and read arbitrary files. Since n8n instances often contain API keys, OAuth tokens, database credentials, and CI/CD secrets, successful exploitation could provide attackers with complete control over enterprise automation workflows. The n8n team has released version 1.121.0 with patches, and no workarounds are available [n8n advisory].
[NEW] CISA flags actively exploited HPE OneView vulnerability as maximum severity
CISA has added CVE-2025-37164 to its Known Exploited Vulnerabilities Catalog after confirming active exploitation of HPE OneView infrastructure management software [BleepingComputer]. The vulnerability enables unauthenticated attackers to achieve remote code execution through low-complexity code injection attacks against all OneView versions before v11.00. With no available workarounds or mitigations, organizations must upgrade to OneView 11.00 immediately. Federal agencies have until January 28 to comply with BOD 22-01 requirements [HPE advisory].
🎯 Threat Actor Activity & Campaigns
[UPDATE] China escalates cyber attacks against Taiwan to 2.6M daily intrusions
Taiwan’s National Security Bureau reports Chinese state-sponsored campaigns increased 6% in 2025, now averaging 2.63 million intrusion attempts daily against critical infrastructure, with particular focus on energy and hospital sectors [CyberScoop]. Attackers coordinated hacking operations with military activities, ramping up during Taiwanese ceremonies and official visits. Beyond traditional espionage, campaigns included ransomware attacks targeting hospitals to steal and sell patient data on dark web markets. The attacks leveraged software and hardware vulnerabilities in over half of operations, with recent telecommunications compromises extending to upstream semiconductor and defense suppliers.
[NEW] BlueDelta hackers target Microsoft OWA, Google, and Sophos VPN for credential theft
A Russian state-sponsored threat group linked to GRU’s Main Directorate conducted a sophisticated credential harvesting operation against critical infrastructure and research institutions throughout 2025 [GBHackers]. BlueDelta exploited Microsoft Outlook Web Access, Google services, and Sophos VPN vulnerabilities to harvest credentials, representing an evolution in persistent credential-theft operations. The campaign demonstrates advanced capabilities in compromising multiple authentication platforms simultaneously to maintain access across diverse target environments.
[NEW] Global GoBruteforcer botnet threatens 50,000 Linux servers
A sophisticated modular botnet known as GoBruteforcer is actively targeting Linux servers worldwide, with researchers estimating more than 50,000 internet-facing servers remain vulnerable to coordinated attacks [GBHackers] [BleepingComputer]. The campaign exploits weak default credentials, particularly in XAMPP deployments, and has recently evolved to target cryptocurrency and blockchain projects. Attackers leverage AI-generated server configuration examples that create predictable usernames, facilitating password spraying attacks against FTP, MySQL, PostgreSQL, and phpMyAdmin services.
[NEW] Malicious Chrome extensions with 900,000 downloads steal AI chat conversations
Security researchers have uncovered malicious Chrome extensions that collectively amassed 900,000 downloads while stealing AI chat conversations and sensitive user data [SecurityWeek]. The extensions exploited browser permissions to intercept and exfiltrate conversations from ChatGPT, Claude, Gemini, and other AI platforms, representing an escalation of previous Chrome extension threats. The stolen data includes proprietary business information, personal discussions, and potentially confidential development work shared with AI assistants.
⚠️ Vulnerabilities & Patches
[NEW] GitLab patches multiple high-severity vulnerabilities including XSS flaws
GitLab has released security updates addressing seven vulnerabilities across multiple deployment configurations, including stored and reflected cross-site scripting vulnerabilities that could allow arbitrary JavaScript execution [CyberPress] [GBHackers]. The most critical issues include CVE-2025-9222 (stored XSS via crafted Markdown placeholders, CVSS 8.7) and CVE-2025-13761 (reflected XSS enabling unauthenticated code execution, CVSS 8.0). Organizations should update to GitLab 18.7.1, 18.6.3, or 18.5.5 immediately, particularly for self-managed instances where exploitation could expose sensitive repository and pipeline data.
[NEW] Cisco Identity Services Engine vulnerability allows file access with admin credentials
Cisco has patched CVE-2026-20029 in its Identity Services Engine (ISE) network access control solution after public proof-of-concept exploit code became available [BleepingComputer]. The XML parsing vulnerability enables authenticated administrators to read arbitrary files from the underlying operating system, potentially exposing sensitive data that should remain inaccessible even to privileged users. While Cisco found no evidence of active exploitation, the availability of exploit code elevates risk. Organizations running ISE or ISE-PIC should upgrade to 3.2 Patch 8, 3.3 Patch 8, or 3.4 Patch 4 immediately [Cisco advisory].
[NEW] Critical jsPDF library vulnerability enables file system access
A critical vulnerability in jsPDF (CVE-2025-68428) allows attackers to read arbitrary files from servers running Node.js builds of the library [CyberPress] [BleepingComputer]. The flaw stems from improper path sanitization in the loadFile, addImage, html, and addFont methods, enabling attackers to embed sensitive system files into generated PDFs. With over 3.5 million weekly downloads, the vulnerability poses significant risk to applications that use jsPDF for server-side PDF generation. Version 4.0.0 patches the issue by restricting filesystem access by default.
[NEW] Linux TLP utility vulnerability enables authentication bypass
SUSE researchers have discovered CVE-2025-67859, a critical authentication bypass vulnerability in TLP version 1.9.0 that allows local attackers to bypass Polkit authentication and modify power profiles without authorization [CyberPress] [GBHackers]. The vulnerability stems from unsafe use of Polkit’s deprecated “unix-process” subject, which is vulnerable to race conditions that allow privilege escalation. TLP version 1.9.1 patches the issue by switching to the secure “system bus name” authentication subject and generating unpredictable cookie values. System administrators should immediately update installations used for laptop battery optimization across enterprise environments.
[NEW] Veeam patches critical RCE flaw in Backup & Replication
Veeam has released a security update addressing CVE-2025-59470, a critical remote code execution vulnerability affecting Backup & Replication version 13 [CyberScoop]. The flaw allows users with the “Backup Operator” or “Tape Operator” role to execute commands as the “postgres” database user by sending malicious interval or order settings. Although Veeam treats it as high severity because privileged roles are required, the CVSS 9.0 rating highlights significant risk from insider threats or compromised operator accounts.
🛡️ Defense & Detection
[NEW] Researchers develop data poisoning technique to sabotage AI model training
A research team from the Chinese Academy of Sciences, National University of Singapore, and Nanyang Technological University has developed a defensive technique that renders stolen AI databases useless by deliberately poisoning proprietary knowledge graphs with plausible yet false information [GBHackers] [SecurityWeek]. The approach creates plausible-but-incorrect data points that degrade model accuracy without obvious detection, giving organizations a proactive defense against AI model theft. This research represents a shift toward defensive measures that borrow offensive techniques to protect AI intellectual property.
[NEW] Deceptive-Auditing tool deploys Active Directory honeypots
Security researchers have released Deceptive-Auditing, a tool that automatically deploys Active Directory honeypots and enables auditing for those honeypots [BlackHillsInfoSec]. The tool provides defenders with increased visibility into attacker reconnaissance techniques against Active Directory environments, allowing collection of threat intelligence on TTPs used in privilege escalation and lateral movement attempts. The automated deployment capabilities make it accessible for organizations lacking dedicated red team resources.
[NEW] PatchGuard bypass technique enables process hiding on Windows systems
Security researchers have developed a technique to bypass Windows PatchGuard protections and hide processes from user-mode enumeration tools [Outflank]. The approach uses PsSetCreateProcessNotifyRoutineEx callbacks to repair LIST_ENTRY structures before PspProcessDelete validation checks, effectively hiding processes while avoiding system crashes. While requiring a signed kernel driver, the technique demonstrates continued viability of process hiding tactics against modern Windows security controls, informing defense strategies for detecting kernel-level rootkits.
📋 Policy & Industry News
[NEW] ownCloud urges MFA activation after widespread credential theft incidents
ownCloud has issued an urgent security advisory urging users to enable multi-factor authentication following a January 2026 threat intelligence report from Hudson Rock [CyberPress] [BleepingComputer]. The investigation revealed threat actors exploited compromised credentials from infostealer malware (RedLine, Lumma, Vidar) to access unprotected ownCloud instances. Despite the platform remaining uncompromised, the incidents highlight security risks of self-managed file sharing without MFA. ownCloud recommends immediate MFA deployment, password resets, session invalidation, and access log reviews.
[NEW] Logitech applications break on macOS after certificate expiration
Logitech’s Options+ and G HUB applications stopped working on macOS after their code-signing certificate expired, preventing users from launching the software [BleepingComputer]. The outage disrupted productivity-enhancing customizations for Logitech input devices, forcing users to either revert system dates or await official patches. Logitech confirmed the certificate issue and stated it would push new installers without version bumps, preserving user profiles and settings.
[NEW] Classic Outlook bug prevents opening encrypted emails
Microsoft is investigating a bug preventing recipients from opening emails encrypted with “Encrypt Only” permissions in classic Outlook after updating to Current Channel Version 2511 [BleepingComputer]. Affected users see message_v2.rpmsg attachments instead of readable content, with the reading pane displaying credential verification prompts. Microsoft recommends workarounds including saving encrypted emails before sending or reverting to the previous software build while it develops a permanent fix.