End-of-Day report
Timeframe: Wednesday 21-01-2026 18:00 - Thursday 22-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
A patch for the NIS2 Directive
On January 20th, 2026 the EU Commission presented a package of legislative proposals, including an update to the NIS2 directive.
https://www.cert.at/en/blog/2026/1/a-patch-for-the-nis2-directive
Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719)
In December last year, Fortinet disclosed [1] a vulnerability in SAML processing, which allowed full bypass of authentication to management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched [10]. As affected devices are represented in my small network of high-interaction honeypots, we have an opportunity to take a look at what the attackers do.
https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation
New Android malware uses AI to click on hidden browser ads
A new family of Android click-fraud trojans leverages TensorFlow machine learning models to automatically detect and interact with specific advertisement elements.
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/
Chainlit AI framework bugs let hackers breach cloud environments
Two high-severity vulnerabilities in Chainlit, a popular open-source framework for building conversational AI applications, allow reading any file on the server and leaking sensitive information.
https://www.bleepingcomputer.com/news/security/chainlit-ai-framework-bugs-let-hackers-breach-cloud-environments/
Is AI-Generated Code Secure? (Thu, Jan 22nd)
The title of this diary is perhaps a bit catchy but the question is important. I don't consider myself a good developer. That's not my day job and I'm writing code to improve my daily tasks. I like to say "I'm writing sh*ty code! It works for me, no warranty that it will work for you". Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.
https://isc.sans.edu/diary/rss/32648
Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts
A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.
https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
Preparing for the EU Cyber Resilience Act (CRA)
Product security has matured significantly over the last decade. Secure defaults, defined ownership of security risk, reliable update mechanisms, and structured vulnerability handling are now mainstream and well understood by experienced engineering and security teams. These practices are no longer aspirational. They are now the minimum required to build and operate digital products responsibly.
https://www.pentestpartners.com/security-blog/preparing-for-the-eu-cyber-resilience-act-cra/
Phishing trap: loss of access to ChatGPT
A phishing e-mail currently in circulation warns of the cancellation of the recipient's ChatGPT account, supposedly because of a missed payment. The problem could allegedly be resolved by updating the required details. Anyone who follows the corresponding link, however, hands their credit card and contact information to the criminals.
https://www.watchlist-internet.at/news/phishing-falle-chatgpt/
European Space Agency's cybersecurity in freefall as yet another breach exposes spacecraft and mission data
It has just been a few weeks since reports emerged of the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.
https://www.bitdefender.com/en-us/blog/hotforsecurity/european-space-agencys-cybersecurity-in-freefall-as-yet-another-breach-exposes-spacecraft-and-mission-data
The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page.
https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/
Osiris: New Ransomware, Experienced Attackers?
Poortry driver and modified Rustdesk tool used in recent attack campaign, which bears similarities to previous Inc ransomware attacks.
https://www.security.com/threat-intelligence/new-ransomware-osiris
Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware
Trend Research provides a technical analysis of a compromised EmEditor installer used to deliver multistage malware that performs a range of malicious actions.
https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html
Cyber Is What We Make of It
"It's not what happens to you, but how you react to it that matters." - Epictetus. Not long ago an Atlantic Council op-ed in CyberScoop outlined ten key reforms to close America's cybersecurity gaps. The recommendations are sensible: migrate to memory-safe languages, apply formal verification to critical systems, establish zero trust architectures, build data resilience, conduct proactive threat hunting. Laudable, uncontroversial, and comprehensive;
https://buttondown.com/grugq/archive/cyber-is-what-we-make-of-it/
Vulnerabilities
SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release
A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html
Security updates for Thursday
Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).
https://lwn.net/Articles/1055484/
Act now! Attackers apparently bypass Fortinet security patch
According to media reports, a security patch for various Fortinet products is defective. Admins can nevertheless protect their instances.
https://heise.de/-11149777
Update now! Attack attempts on security vulnerabilities in Cisco Unified Communications
Several of Cisco's Unified Communications products contain a security vulnerability that allows unauthenticated attackers to inject malicious code from the network and execute it with root privileges. Admins should apply the available updates promptly, as Cisco has already observed attack attempts against the flaw from the network.
https://heise.de/-11149877
Dell Data Protection Advisor attackable through countless security vulnerabilities
Dell is closing vulnerabilities in Data Protection Advisor, some of them sixteen years old, through which attackers can compromise systems.
https://heise.de/-11150421
SSA-864900 V1.6 (Last Update: 2026-01-22): Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices
https://cert-portal.siemens.com/productcert/html/ssa-864900.html