16 Jan 2026
Week in review
Greetings,
This week, Instagram confirmed it had resolved a password reset vulnerability and denied any breach of its systems, amid overlapping reports of a large dataset of Instagram user records circulating online. The social platform confirmed that a technical issue allowed third parties to trigger legitimate password reset email requests to certain users, prompting unexpected notifications.
Meta, Instagram’s parent company, said it has since fixed that issue and emphasised in public statements that there was no breach of its internal systems and that users’ accounts remain secure. Recipients of unsolicited reset emails have been told they can safely ignore them unless they themselves initiated a request.
The timing of the password reset problem coincided with reports from cyber security firm Malwarebytes about a dataset allegedly containing information tied to roughly 17.5 million Instagram accounts being traded on hacker forums. That dataset reportedly included usernames, email addresses, phone numbers and other contact data. While Instagram has denied any new breach, outside researchers suggest the information being circulated appears to relate to older incidents, potentially scraping or re-publishing data from earlier API exposures rather than stemming from the recent vulnerability.
Experts have stressed that even in the absence of a fresh breach, such information can be abused for phishing and social engineering campaigns, and they continue to urge users to maintain strong security measures like two-factor authentication.
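The Instagram issue above boils down to an endpoint that let third parties trigger reset emails for accounts they did not own. The following is an added example, not Instagram's or Meta's code, of the kind of server-side control that limits that abuse: a sliding-window throttle on reset-email requests, counted both per target account and per requesting source address, that returns the same response whether or not an account exists so the endpoint cannot be used to enumerate users. The limits, window size and sample account and address values are assumptions constructed for the demo.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Hypothetical limits chosen for this example, not any real platform's policy.
PER_ACCOUNT_LIMIT = 3      # reset emails per account per window
PER_SOURCE_LIMIT = 10      # reset requests per requesting IP per window
WINDOW_SECONDS = 3600

# One fixed reply for every outcome: existing account, unknown account, or throttled.
UNIFORM_RESPONSE = "If an account exists for that address, a reset email has been sent."


@dataclass
class ResetRequestGuard:
    """Sliding-window throttle for password-reset email requests."""
    per_account: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    per_source: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    # Constructed stand-in for the mail queue; records (account, timestamp) of emails actually sent.
    sent: List[Tuple[str, float]] = field(default_factory=list)

    def _count(self, bucket: Deque[float], now: float) -> int:
        """Drop timestamps older than the window and return how many remain."""
        while bucket and now - bucket[0] >= WINDOW_SECONDS:
            bucket.popleft()
        return len(bucket)

    def request_reset(self, account: str, source_ip: str,
                      known_accounts: Set[str], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        src_hits = self.per_source[source_ip]
        # Charge the request to the source first, so a caller probing many
        # different accounts still exhausts its own budget.
        src_count = self._count(src_hits, now)
        src_hits.append(now)
        if src_count >= PER_SOURCE_LIMIT:
            return UNIFORM_RESPONSE          # silently dropped; a real service would also log it
        if account in known_accounts:
            acct_hits = self.per_account[account]
            if self._count(acct_hits, now) < PER_ACCOUNT_LIMIT:
                acct_hits.append(now)
                self.sent.append((account, now))
            # Over the per-account limit: drop the email but keep the reply identical.
        return UNIFORM_RESPONSE


if __name__ == "__main__":
    guard = ResetRequestGuard()
    known = {"alice"}
    for i in range(5):
        guard.request_reset("alice", "203.0.113.5", known, now=1000 + i)
    print(f"emails sent for alice after 5 requests: {len(guard.sent)}")  # 3
```

The per-source counter is charged before the account is even looked up; that is what stops a single caller from spraying reset emails at a list of accounts, which is the behaviour the report describes. The unchanged reply text is deliberate: any difference in response between a known and an unknown account turns the reset form into a user-enumeration oracle.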
Critical Apache Struts 2 Vulnerability Allows Attackers to Steal Sensitive Data
Date: 2026-01-12
Author: Cyber Express
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0204.2]
A newly disclosed vulnerability in Apache Struts 2’s XWork component poses a significant threat to Java web applications worldwide.
The flaw, tracked as CVE-2025-68493 and rated as Important severity, could expose sensitive data and enable attackers to launch denial-of-service and server-side request forgery (SSRF) attacks if systems remain unpatched.
ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
Date: 2026-01-13
Author: The Hacker News
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.
The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.
Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Date: 2026-01-14
Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0279/]
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.
The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.
Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions
Date: 2026-01-09
Author: The Hacker News
Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution.
The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0. The vulnerability has been described as a case of remote code execution affecting LoadLibraryEX.
Browser-in-the-Browser phishing is on the rise: Here's how to spot it
Date: 2026-01-13
Author: Help Net Security
Browser-in-the-Browser (BitB) phishing attacks are on the rise, with attackers reviving and refining the technique to bypass user skepticism and traditional security controls.
The technique is being used to target users of popular services and brands like Microsoft, Facebook, the Steam gaming platform, and others.
ASB-2026.0006 – AUSCERT: Microsoft Windows: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for the month of January 2026. This update resolves 93 vulnerabilities across multiple products.
ESB-2026.0279 – Fortinet: Fortinet Products: CVSS (Max): 9.8
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
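CWE-78, the weakness class named in the FortiSIEM bulletin above, is the general pattern of splicing untrusted input into a string that a shell then parses. The following is an added example, unrelated to FortiSIEM's code and assuming nothing about how that flaw works, that places the vulnerable pattern next to its hardened form: the unsafe function shows the command string a `shell=True` call would hand to `/bin/sh`, while the hardened one allowlist-validates the value and passes it as an argv list so no shell ever interprets it. The `ping` wrapper, the host pattern and the sample inputs are constructed for the demo.

```python
import re
import subprocess
from typing import List

# Allowlist for a hostname or IPv4 literal (constructed for this example; tighten to taste).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Characters a POSIX shell treats as control syntax; useful for detection/log review.
SHELL_META = set(";|&`$(){}<>\n")


def vulnerable_command(host: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a shell string.
    Returns what subprocess.run(..., shell=True) would pass to the shell; not executed here."""
    return f"ping -c 1 {host}"


def shell_would_chain(cmd: str) -> bool:
    """Does the assembled string contain shell control characters?
    The vulnerable path never asks this question; a detector can."""
    return any(ch in SHELL_META for ch in cmd)


def hardened_argv(host: str) -> List[str]:
    """Validate against the allowlist, then build an argv list: the value becomes a single
    argument to ping, never text for a shell to parse."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False (the default for a list) and a timeout."""
    return subprocess.run(hardened_argv(host), capture_output=True, text=True,
                          timeout=5, check=False)


if __name__ == "__main__":
    crafted = "203.0.113.7; id"            # constructed injection-style value
    print(vulnerable_command(crafted))       # second command would run under a shell
    print(shell_would_chain(vulnerable_command(crafted)))  # True
    print(hardened_argv("example.com"))      # ['ping', '-c', '1', 'example.com']
    try:
        hardened_argv(crafted)
    except ValueError as e:
        print("hardened path:", e)
```

Note the order of defences: the allowlist rejects the value outright, and even a value that slipped through would reach `ping` as one argument rather than shell text. The `shell_would_chain` check is not a substitute for either; it is the kind of heuristic a code reviewer or log-based detector applies to spot command strings that were built from untrusted data.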
ESB-2026.0312 – Adobe: Adobe ColdFusion: CVSS (Max): 9.8
Adobe has released security updates for ColdFusion versions 2025 and 2023.
This dependency update resolves a critical vulnerability that could lead to arbitrary code execution.
ESB-2026.0361 – Juniper Networks: Juniper Junos OS Evolved: CVSS (Max): 7.8
A Use of Uninitialized Resource in the Linux kernel driver for Human Interface Devices (HID) in Junos OS Evolved allows a local low-privileged attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.
ESB-2026.0373 – Tenable: Tenable Nessus Agent: CVSS (Max): 8.8
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges.
Stay safe, stay patched and have a good weekend!
The AUSCERT team