Weekly Exploit Roundup
Generated 2026-01-20T08:00:19.194482+00:00 (UTC)
- Patch Tuesday – January 2026
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-14T05:13:02+00:00 | Score: 24.931
Microsoft is publishing 114 vulnerabilities this January 2026 Patch Tuesday. Today’s menu includes just one vulnerability marked as exploited in the wild, as well as two vulnerabilities where Microsoft is aware of public disclosure. There are no critical remote code execution or elevation of privilege vulnerabilities. So far this month, Microsoft has already provided patches to address one browser vulnerability and around a dozen vulnerabilities in open source products, which are not included in the Patch Tuesday count above.
Windows DWM: exploited-in-the-wild information disclosure
The Windows Desktop Window Manager (DWM) is a high-value target for vulnerability researchers and threat actors, and CVE-2026-20805 is the latest in an occasional series of exploited-in-the-wild zero-day vulnerabilities to have emerged from it. DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal avai
- Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access
Source: The Hacker News | Published: 2026-01-15T15:31:00+00:00 | Score: 24.752
A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack.
The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2. The plugin
- Metasploit Wrap-Up 01/16/2025
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-16T18:49:01+00:00 | Score: 22.965
Persistence, dMSA Abuse & RCE Goodies
This week, we have received a lot of contributions from the community, such as h00die, Chocapikk and countless others, which is greatly appreciated. This week’s modules and improvements in Metasploit Framework range from new modules, such as dMSA Abuse (resulting in escalation of privilege in Windows Active Directory environments), authenticated and unauthenticated RCE modules, as well as many improvements and additions to the persistence modules and techniques.
New module content (13)
BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory
Authors: AngelBoy, Spencer McIntyre, and jheysel-r7
Type: Auxiliary
Pull request: #20472 contributed by jheysel-r7
Path: admin/ldap/bad_successor
Description: This adds an exploit for "BadSuccessor" which is a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) account in such a way that it can
- Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways
Source: The Hacker News | Published: 2026-01-16T05:38:00+00:00 | Score: 19.672Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS
- Reducing Cloud Chaos: Rapid7 Partners with ARMO to Deliver Cloud Runtime Security
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-14T14:00:00+00:00 | Score: 17.393
Rapid7 has partnered with ARMO, a leader in cloud infrastructure and application security based on runtime data, to offer Cloud Runtime Security. The new offering, currently in beta, extends our vulnerability and exposure management solution, Exposure Command, into the moment where cloud risk becomes real: while applications and workloads are running. The solution does this with several differentiators that map directly to what security leaders need most: signal accuracy and response speed.
Introducing Rapid7 Cloud Runtime Security
Rapid7 Cloud Runtime Security combines kernel-level observability with AI-powered behavioral analysis to create a continuous, threat-aware defense layer within all cloud environments. The solution provides:
AI-driven behavioral baselines for container activity. Because services, teams, and software releases create constant change, static policies can quickly become irrelevant and overly noisy. Cloud runtime security augmented by AI helps establish a behavi
- Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited
Source: The Hacker News | Published: 2026-01-14T09:38:00+00:00 | Score: 16.363Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.
Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code
- Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Source: The Hacker News | Published: 2026-01-14T11:53:00+00:00 | Score: 13.93
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.
The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.
"An improper neutralization of special elements used in an OS command ('OS command
- Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
Source: Threat Intelligence | Published: 2026-01-15T14:00:00+00:00 | Score: 13.607
Written by: Nic Losby
Introduction
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk. By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600
- China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusions
Source: The Hacker News | Published: 2026-01-16T07:18:00+00:00 | Score: 13.222A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.
Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login
Source: The Hacker News | Published: 2026-01-15T08:18:00+00:00 | Score: 12.037
Palo Alto Networks has released security updates for a high-severity security flaw impacting GlobalProtect Gateway and Portal, for which it said there exists a proof-of-concept (PoC) exploit.
The vulnerability, tracked as CVE-2026-0227 (CVSS score: 7.7), has been described as a denial-of-service (DoS) condition impacting GlobalProtect PAN-OS software arising as a result of an improper check for
End of report.
