23 Jan 2026
Week in review
Greetings,
The ransomware group Everest is allegedly behind a major data breach affecting the popular sportswear company Under Armour, with about 72.7 million customer accounts compromised in an attack believed to have occurred in November 2025. The incident came to light after a member of the Everest group posted leaked files to a cybercrime forum on 18 January 2026, after the company did not pay an undisclosed ransom demand within 7 days. Under Armour has not publicly acknowledged or responded to the breach.
The leaked data includes a significant amount of personal information such as names, email addresses, dates of birth, genders, geographic locations and detailed purchase histories. While credit card numbers do not appear to be included in this specific dump, the sheer volume of data (estimated at over 340 GB) poses a severe risk of targeted phishing and identity theft. The breach has already been integrated into the "Have I Been Pwned" notification service to help users verify their exposure. Under Armour is likely to face regulatory scrutiny.
Ransomware attacks remain a significant challenge for organisations worldwide, as threat actors continue to evolve their methods with increasing sophistication and boldness. This serves as a clear reminder for businesses to implement strong cyber security policies and procedures such as keeping systems updated and patched, remaining vigilant against suspicious emails and attachments, and proactively managing potential vulnerabilities.
Cisco fixed actively exploited Unified Communications zero day
Date: 2026-01-21
Author: securityaffairs
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0554/]
Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), actively exploited in attacks.
An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device.
The bug affected Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.
Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
Date: 2026-01-17
Author: Security Affairs
A critical Modular DS WordPress flaw (CVE-2026-23550) is actively exploited, enabling unauthenticated privilege escalation.
Threat actors are actively exploiting a critical Modular DS WordPress vulnerability tracked as CVE-2026-23550 (CVSS score of 10).
Modular DS is a WordPress plugin with over 40,000 installs that helps manage multiple sites, enabling monitoring, updates, and remote administration.
Credential-stealing Chrome extensions target enterprise HR platforms
Date: 2026-01-17
Author: Bleeping Computer
Malicious Chrome extensions on the Chrome Web Store masquerading as productivity and security tools for enterprise HR and ERP platforms were discovered stealing authentication credentials or blocking management pages used to respond to security incidents.
The campaign was discovered by cybersecurity firm Socket, which says it identified five Chrome extensions targeting Workday, NetSuite, and SAP SuccessFactors, collectively installed more than 2,300 times.
Attackers Abuse WSL2 to Operate Undetected on Windows Systems
Date: 2026-01-19
Author: GB Hackers
Windows Subsystem for Linux (WSL) has transformed the developer experience on Windows. However, it has also quietly created a powerful hiding place for attackers.
With WSL2, Microsoft moved from lightweight translation to a whole virtual machine (VM) model. That architectural change gives adversaries a semi-isolated Linux environment running inside Hyper-V that is rarely monitored by traditional endpoint security tools.
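A defender-side inventory check, added here as an example and not part of the GB Hackers article: it reports whether the WSL optional features are enabled, which distributions are registered (read from each loaded user hive's Lxss registry key), and whether the WSL2 utility VM or wsl.exe is running right now. The function name Get-WslFootprint is our own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): inventory the WSL2 footprint on a Windows host
# so a defender can see whether a Linux VM exists where endpoint tooling may not look.
function Get-WslFootprint {
    $result = [ordered]@{}

    # 1. Optional features WSL2 depends on (needs elevation to query).
    $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -in 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform' }
    $result.Features = @($features | Select-Object FeatureName, State)

    # 2. Registered distributions. Only hives of currently loaded profiles appear under HKEY_USERS,
    #    so run this while the users of interest are logged on, or load their hives first.
    $distros = foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $lxss = Join-Path $hive.PSPath 'Software\Microsoft\Windows\CurrentVersion\Lxss'
        if (Test-Path $lxss) {
            Get-ChildItem $lxss -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    User     = $hive.PSChildName     # SID of the profile owning the distro
                    Name     = $p.DistributionName
                    Version  = $p.Version            # 2 = WSL2 (Hyper-V VM), 1 = WSL1
                    BasePath = $p.BasePath           # folder holding the ext4.vhdx disk image
                }
            }
        }
    }
    $result.Distributions = @($distros)

    # 3. Is the WSL2 utility VM alive? Its memory is accounted to vmmem / vmmemWSL.
    $result.RunningVm = @(Get-Process -Name vmmem, vmmemWSL -ErrorAction SilentlyContinue |
        Select-Object Name, Id, WorkingSet64)

    # 4. WSL launcher and host processes, the usual entry points for anything started inside WSL.
    $result.WslProcesses = @(Get-Process -Name wsl, wslhost, wslservice -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime)

    [pscustomobject]$result
}

Get-WslFootprint | Format-List
```

A host with no registered distributions and no vmmem process but with both features enabled is still worth a second look, since a distribution can be registered later by any user with wsl.exe access.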
Fortinet admins report patched FortiGate firewalls getting hacked
Date: 2026-01-21
Author: Bleeping Computer
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.
ESB-2026.0619 – Red Hat OpenShift GitOps v1.18.3: CVSS (Max): 9.1
Red Hat has released an Important security update for OpenShift GitOps v1.18.3, addressing multiple CVEs, bug fixes, and enhancements, with a post-upgrade audit recommended to review cross-namespace access permissions.
ESB-2026.0601 – Hubitat Elevation Hubs: CVSS (Max): 9.1
CISA has issued a Critical advisory for Hubitat Elevation Hubs, warning that CVE-2026-1201 allows authenticated attackers to bypass authorization and control devices beyond their permitted scope, with remediation available in firmware v2.4.2.157.
ASB-2026.0032 – Oracle Supply Chain: CVSS (Max): 9.8
Oracle has published multiple critical vulnerabilities in Oracle Agile PLM and AutoVue products, including unauthenticated remote exploits with CVSS scores up to 9.8.
ASB-2026.0020 – Oracle HealthCare Applications: CVSS (Max): 9.8
Oracle has identified multiple remotely exploitable vulnerabilities in Oracle Healthcare applications, including a critical unauthenticated flaw (CVSS 9.8) that could lead to full system compromise.
ESB-2026.0476 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released a moderate security update for govulncheck-vulndb on openSUSE Leap 15.6, updating the vulnerability database with new and revised Go CVE and GHSA mappings.
Stay safe, stay patched and have a good weekend!
The AUSCERT team