Cisco zero-day 🚨, Fortinet SSO bypass, AI cloud takeover ☁️, LastPass phishing 🎣, Infrastructure ransomware 🔥
Daily Threat Intel Digest - 2026-01-22
🔴 Critical Threats & Active Exploitation
[NEW] Critical Cisco Unified Communications Zero-Day Exploited for Root Access
Attackers are actively exploiting CVE-2026-20045, a critical remote code execution vulnerability in Cisco Unified Communications Manager, Unity Connection, and Webex Calling, which lets an unauthenticated remote attacker run commands and escalate to root. The flaw stems from improper validation of HTTP requests to the web-based management interface and affects the 12.5, 14, and 15 release trains prior to the fixed builds. CISA has added it to the KEV catalog with a February 11 remediation deadline for federal agencies. Cisco has released patches and confirms that exploitation yields full system compromise and a foothold for lateral movement; until patched, keep the management interface off untrusted networks. [Cisco Advisory]; [BleepingComputer]
[NEW] Fortinet SSO Authentication Bypass Survives Patching
Attackers are exploiting CVE-2025-59718, a critical FortiCloud SSO authentication bypass, to create unauthorized administrator accounts even on FortiGate firewalls already patched to FortiOS 7.4.9 or 7.4.10. Malicious SSO logins from 104.28.244.114 create persistent "helpdesk" admin accounts; Shadowserver counts roughly 11,000 exposed devices. Fortinet says 7.4.11 will fully address the flaw; until then, disable FortiCloud SSO admin login (the admin-forticloud-sso-login setting) from the CLI and audit the administrator list for accounts you did not create. [BleepingComputer]; [Arctic Wolf]
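The two things a SOC wants to pull out of FortiGate event logs for this one are SSO-originated admin logins by accounts nobody provisioned and new objects under system.admin. The script below is an added example written for this digest, not Fortinet code: the log lines are constructed to resemble FortiGate key=value event logs, and the field names it keys on (user, ui, srcip, action, cfgpath, cfgobj) are assumptions about the exact format your firmware emits, so check them against real samples first.

```python
"""Triage FortiGate event logs for the SSO-abuse pattern described above.

Added example, not Fortinet code. The four log lines are constructed to look
like FortiGate key=value event logs; the field names used (user, ui, srcip,
action, cfgpath, cfgobj) are assumptions about the exact format your firmware
emits, so verify them against real samples before deploying.
"""
import re

# Source IP named in the BleepingComputer / Arctic Wolf reporting.
KNOWN_BAD_SRCIP = {"104.28.244.114"}
# Administrator accounts you actually provisioned (assumption; adjust to your estate).
EXPECTED_ADMINS = {"admin", "secops"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r"\(([0-9a-f.:]+)\)")


def parse_kv(line):
    """Split a FortiGate-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines):
    """Return (rule, account, srcip) tuples for events that deserve a human's attention."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        user = ev.get("user", "")
        ui = ev.get("ui", "").lower()
        action = ev.get("action", "")
        # Config-change events carry the origin only inside ui="sso(1.2.3.4)".
        ui_ip = UI_IP_RE.search(ui)
        srcip = ev.get("srcip") or (ui_ip.group(1) if ui_ip else "")
        if action == "login" and srcip in KNOWN_BAD_SRCIP:
            findings.append(("known-bad-srcip", user, srcip))
        # An SSO-originated admin login by an account you never created is the
        # signature of the persistent "helpdesk" accounts described above.
        if action == "login" and "sso" in ui and user not in EXPECTED_ADMINS:
            findings.append(("sso-login-unexpected-admin", user, srcip))
        # Config-change logs record new administrator objects under system.admin.
        if action == "Add" and ev.get("cfgpath") == "system.admin":
            new_admin = ev.get("cfgobj", "")
            if new_admin not in EXPECTED_ADMINS:
                findings.append(("admin-account-created", new_admin, srcip))
    return findings


# Constructed sample, not real telemetry: one normal login, then the SSO abuse.
SAMPLE_LOG = [
    'date=2026-01-20 time=03:14:07 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success"',
    'date=2026-01-20 time=03:21:44 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="sso(104.28.244.114)" method="sso" '
    'srcip=104.28.244.114 action="login" status="success"',
    'date=2026-01-20 time=03:21:50 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="sso(104.28.244.114)" '
    'action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"',
    'date=2026-01-21 time=22:05:12 type="event" subtype="system" '
    'logdesc="Admin login successful" user="helpdesk" ui="sso(104.28.244.114)" method="sso" '
    'srcip=104.28.244.114 action="login" status="success"',
]

if __name__ == "__main__":
    for rule, account, srcip in triage(SAMPLE_LOG):
        print(f"{rule:28} account={account:<10} srcip={srcip}")
```

Run it against exported event logs (or wire the same three rules into your SIEM). The temporary workaround the write-ups describe is turning the setting off under `config system global` (`set admin-forticloud-sso-login disable`, then `end`); confirm the exact syntax against the CLI reference for your firmware.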
[NEW] Chainlit AI Framework Vulnerabilities Enable Cloud Takeover
Two critical flaws in Chainlit, a Python framework for LLM front ends with roughly 700k monthly PyPI downloads (CVE-2026-22218, arbitrary file read; CVE-2026-22219, SSRF), allow unauthenticated cloud credential theft and lateral movement. Attackers abuse the /project/element endpoint to read arbitrary files such as /proc/self/environ, and the SSRF to reach the AWS IMDSv1 metadata endpoint, leaking keys for storage buckets and LLM services. Version 2.9.4 fixes both; thousands of deployments still on older releases remain at immediate risk, and enforcing IMDSv2 on the hosts removes the metadata target even before upgrading. [Cyberpress]; [BleepingComputer]
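Both bugs are textbook classes, so here are the hardened forms side by side with the vulnerable pattern, as an added example written for this digest rather than Chainlit's own code. The function names and the files directory are assumptions; the point is the base-directory check after path resolution and the refusal to fetch anything that resolves to a link-local or private address, including the IPv4-mapped IPv6 spelling of the metadata address.

```python
"""Hardened forms of the two bug classes above: a file-serving path resolver
that refuses to leave its base directory, and an outbound-URL guard that
refuses the instance-metadata endpoint and other non-public targets.

Added example, not Chainlit's code; function names and the files directory
are assumptions.
"""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit


def resolve_element_path_unsafe(files_dir, requested):
    """Vulnerable pattern: joins a request-controlled path with no base check.
    Path() discards files_dir entirely when `requested` is absolute, so
    '/proc/self/environ' is served as-is, and '../' walks out of the directory."""
    return Path(files_dir, requested)


def resolve_element_path(files_dir, requested):
    """Return the target under files_dir, or raise ValueError if it escapes."""
    base = Path(files_dir).resolve()
    target = (base / requested).resolve()  # collapses '..' and follows symlinks
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes element directory: {requested!r}")
    return target


# Networks a server-side fetch must never reach; 169.254.0.0/16 covers the
# EC2 instance metadata service at 169.254.169.254.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _system_dns(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def check_outbound_url(url, resolve=_system_dns):
    """Return url if it points at a public http(s) host; raise ValueError otherwise.
    `resolve` maps a hostname to its IP strings (injectable for tests). Re-resolution
    at connect time (DNS rebinding) still has to be handled in the HTTP client;
    this covers the direct-IP and lookalike-hostname cases."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"scheme or host not allowed: {url!r}")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addrs:
        # '::ffff:169.254.169.254' is the IPv4 metadata address in disguise.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global or any(ip in net for net in BLOCKED_NETS):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def is_blocked(url, resolve=_system_dns):
    """Yes/no wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolve)
    except ValueError:
        return True
    return False
```

On the host side, requiring IMDSv2 (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`) makes the metadata endpoint demand a PUT-obtained session token that a plain GET-based SSRF cannot supply.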
🎯 Threat Actor Activity & Campaigns
[NEW] LastPass Phishing Campaign Targets Master Passwords
Since January 19, attackers have been sending spoofed "urgent vault backup" emails from addresses such as support@lastpass.server8, directing recipients to mail-lastpass.com to harvest master passwords. The campaign uses AWS S3 infrastructure (52.95.155.90) reported as compromised and was timed to the US holiday weekend; it trades on LastPass branding to get past user suspicion. LastPass confirms it never asks for a master password by email, so any message that does is phishing regardless of who appears to have sent it. [LastPass Blog]; [BleepingComputer]
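The campaign leaves three mechanical tells that a mail-triage rule can catch before anyone reads the message: a From domain that mentions the brand but is not the brand's domain, a Return-Path that does not match the From domain, and links to a brand-lookalike host. The script below is an added example for this digest, not LastPass guidance or code; the two messages are constructed for the example (reusing the sender and host named above) and the trusted-domain list is an assumption.

```python
"""Header and link triage for the brand-impersonation pattern described above.

Added example, not LastPass code or guidance. Both messages are constructed
for the example; TRUSTED_DOMAINS is an assumption about which domains you
accept vault mail from.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

BRAND = "lastpass"
TRUSTED_DOMAINS = {"lastpass.com"}  # assumption
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def brand_lookalike(domain):
    """True when a domain mentions the brand but is not a trusted domain or a subdomain of one."""
    d = domain.lower()
    trusted = d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS)
    return BRAND in d and not trusted


def triage_message(raw):
    """Return (rule, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(email.utils.parseaddr(str(msg["From"]))[1])
    if brand_lookalike(from_dom):
        findings.append(("from-lookalike", from_dom))
    rp = msg["Return-Path"]
    if rp:
        rp_dom = _domain(email.utils.parseaddr(str(rp))[1])
        if rp_dom != from_dom:  # bounce address on a different domain than the sender
            findings.append(("return-path-mismatch", rp_dom))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if brand_lookalike(host):
            findings.append(("link-lookalike", host))
    # The vendor never asks for this by email, so the request itself is a signal.
    if re.search(r"master\s+password", body, re.I):
        findings.append(("asks-for-master-password", ""))
    return findings


# Constructed messages, not real captures.
PHISH_SAMPLE = """\
From: LastPass Support <support@lastpass.server8>
Return-Path: <bounce@server8.example>
To: user@example.com
Subject: Urgent: your vault backup failed
Content-Type: text/plain; charset="utf-8"

Your encrypted vault backup failed on 2026-01-19.
Confirm your master password at https://mail-lastpass.com/backup within 24 hours
or your vault will be deleted.
"""

LEGIT_SAMPLE = """\
From: LastPass <support@lastpass.com>
Return-Path: <support@lastpass.com>
To: user@example.com
Subject: Your monthly security report
Content-Type: text/plain; charset="utf-8"

Your monthly report is ready at https://lastpass.com/reports
"""

if __name__ == "__main__":
    for rule, detail in triage_message(PHISH_SAMPLE):
        print(f"{rule:26} {detail}")
```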
[NEW] TheGentlemen Ransomware Claims Automotive and Environmental-Services Victims
TheGentlemen group claims two new attacks: Rola Motor Group (South Africa) on January 20 and Sincere Corporation (Japan, environmental services) on January 21, in both cases threatening to leak data without publishing a ransom demand. The claims extend the group's multi-sector extortion spree. Organizations in these sectors should monitor the group's leak site for new posts and verify that backups are intact and restorable. [DeXpose]
[NEW] Zendesk Spam Wave Abuses Open Ticket Policies
A global spam campaign abuses unverified Zendesk ticket submission to send mass email from the support addresses of major brands (Discord, Dropbox, Tinder). Because the automated acknowledgement comes from the brand's legitimate Zendesk instance, it passes mail filters despite absurd subjects such as "FREE DISCORD NITRO!!". Zendesk has rolled out new safety features, but affected organizations should restrict ticket creation to verified users. [BleepingComputer]
⚠️ Vulnerabilities & Patches
[NEW] WordPress Plugin Backdoor Enables Admin Account Creation
A backdoor in the LA-Studio Element Kit WordPress plugin (≤ v1.5.6.3, 20k+ sites) lets an unauthenticated attacker create an administrator account via the lakit_bkrole parameter. Inserted by a terminated employee and tracked as CVE-2026-09220 (CVSS 9.8), it gives full site compromise. Patched in v1.6.0; Wordfence users have been protected since January 13. Sites that ran a backdoored version should also review their administrator list for accounts they did not create. [Wordfence]
[NEW] HPE Storage Arrays Vulnerable to RCE
HPE Alletra 5000/6000 and Nimble Storage arrays running OS versions before 6.1.2.800 are affected by a flaw tracked in bulletin HPESBST04995 that lets an unauthenticated network attacker execute code remotely and escalate privileges. Patch immediately to 6.1.2.800 or 6.1.3.300. [Canadian Cyber Centre]
[NEW] Atlassian Products Patched in Bulletin Wave
Atlassian fixed multiple RCE and privilege-escalation flaws across Bamboo, Bitbucket, Confluence, Crowd, Jira, and Jira Service Management. Crowd 7.1.0 through 7.1.2 and 6.3.0 through 6.3.3 are specifically called out. Apply the fixed versions promptly. [Atlassian Advisory]
🛡️ Defense & Detection
[NEW] ANY.RUN-MISP Integration Accelerates Malware Triage
A new MISP module lets analysts submit samples directly to the ANY.RUN sandbox and get back enriched IOCs, MITRE ATT&CK mappings, and behavioral evidence without switching tools. Automated interactivity (clicking through dialogs, opening files) triggers delayed or user-gated payloads that a passive sandbox would miss, shortening time to resolution for evasive malware. [ANY.RUN Blog]
[NEW] Sandfly 5.6 Automates Linux Drift Detection
Sandfly Security's agentless drift detection now automatically identifies unauthorized changes on Linux hosts, flagging novel threats without deploying endpoint agents, and improves coverage of stealthy persistence techniques. [Sandfly Blog]
Policy & Industry News
[NEW] GCVE Launches as Decentralized Vulnerability Tracker
The Global CVE Allocation System (GCVE), maintained by Luxembourg's CIRCL, offers an alternative to MITRE's CVE program. Independent GCVE Numbering Authorities (GNAs) allocate identifiers of the form GCVE-<GNA>-<year>-<number>, with GNA 0 reserved for existing CVE IDs (GCVE-0-2023-40224 corresponds to CVE-2023-40224), which preserves backward compatibility while removing the single point of failure that CVE's funding fragility exposed. [CyberScoop]
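Tooling that ingests both schemes needs to map between them without losing track of which GNA issued an ID, since only GNA 0 has a CVE counterpart. The converter below is an added example, not CIRCL's code; it assumes only the ID shape given above.

```python
"""Convert between CVE and GCVE identifiers.

Added example, not CIRCL's code. Assumes the ID shape described above,
GCVE-<GNA>-<year>-<number>, with GNA 0 reserved for the MITRE CVE namespace.
"""
import re

CVE_GNA = 0
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d{4,})$", re.I)
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.I)


def parse_gcve(ident):
    """Return (gna, year, number) with gna as int; year/number kept as strings
    so leading zeros survive a round trip. Raises ValueError on bad input."""
    m = GCVE_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a GCVE identifier: {ident!r}")
    gna, year, number = m.groups()
    return int(gna), year, number


def cve_to_gcve(cve):
    """Every CVE has a GCVE alias in the GNA-0 namespace."""
    m = CVE_RE.match(cve.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve!r}")
    year, number = m.groups()
    return f"GCVE-{CVE_GNA}-{year}-{number}"


def gcve_to_cve(gcve):
    """Return the CVE ID for a GNA-0 identifier, or None for any other GNA,
    whose IDs have no CVE counterpart by construction."""
    gna, year, number = parse_gcve(gcve)
    if gna != CVE_GNA:
        return None
    return f"CVE-{year}-{number}"


if __name__ == "__main__":
    print(cve_to_gcve("CVE-2023-40224"), gcve_to_cve("GCVE-0-2023-40224"))
```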
[NEW] CISA Staffing Cuts Scrutinized by Lawmakers
The House Homeland Security Committee pressed acting CISA director Madhu Gottumukkala over 998 employee departures (a 30% workforce reduction) since January 2025. Democrats argued the losses have weakened defenses, while Republicans claimed efficiency gains; no formal staffing analysis was provided. [CyberScoop]