New Cisco zero-day, CVE-2026-20045

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

🟠 CVE-2026-20045 - High (8.2)

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Uni...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-20045/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️Attackers Actively Probing RCE Vulnerability in Cisco Enterprise Communications Products

CVE-2026-20045: Cisco Unified Communications Products Code Injection Vulnerability

CVSS: 8.2
CISA KEV: Added today; January 21st, 2026
CVE Published: January 21st, 2026

Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-20045

Description: A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.

Aktuelle Neuigkeiten: Aktuelle Angriffswelle gegen CVE-2025-59718, Patches unzureichend
https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffswelle-gegen-cve-2025-59718-patch-unzureichend

Our January 2026 maintenance releases of BIND 9 are available and can be downloaded from the links below. Packages and container images provided by ISC will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain fixes for a security vulnerability. More information can be found in the following Security Advisory:

https://kb.isc.org/docs/cve-2025-13878

Download software and release notes at: https://www.isc.org/download/

🟠 CVE-2025-13878 - High (7.5)

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.
This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-13878/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

La vulnérabilité CVE-2026-24061 permet à un attaquant de se connecter en root en contournant l'authentification d'un service telnetd. Un code d'exploitation est disponible et son exploitation est triviale.
https://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-003/

🔴 CVE-2026-24061 - Critical (9.8)

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24061/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS).

🔗 https://vulnerability.circl.lu/vuln/CVE-2026-21962

#vulnerability #vulnerabilitymanagement #cybersecurity

📰 Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

🚨 CRITICAL PATCH: Oracle's January 2026 update fixes 337 flaws, including a CVSS 10.0 auth bypass (CVE-2026-21962) in WebLogic Server. This is remotely exploitable with no user interaction. Patch immediately! ⚠️ #Oracle #PatchTuesday #CVE

🔗 https://cyber.netsecops.io/articles/oracle-january-2026-critical-patch-update-fixes-337-flaws-including-cvss-10-bug/?utm_source=mastodon&utm_medium=social…

Node.js – CVE-2026-23745 : cette faille de sécurité dans la bibliothèque node-tar est à prendre au sérieux https://www.it-connect.fr/node-js-cve-2026-23745-node-tar-vulnerabilite/ #ActuCybersécurité #Cybersécurité #Vulnérabilité

📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil! 🎉

In this deep dive, Killian breaks down React2Shell (CVE-2025-55182), from how the RCE works in React Server Components to why Next.js apps are vulnerable by default.

He also explores how the community reacted in hours, with CrowdSec shipping a virtual patch and threat intel to reduce exposure immediately.

👉Read it here: https://crowdsec.net/blog/react2shell-overly-spicy-side-of-react-19

#react #NextJS #AppSec #opensourcesecurity #react2shell #CVE

WP Advanced Custom Fields Extended plugin bug gives admin

Your friendly reminder to minimize the WordPress plugins you deploy to what you actually need. BleepingComputer has an article:

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions.

ACF Extended, currently active on 100,000 websites, is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders.

Unauthenticated privilege escalation to get admin is about as bad as it gets. Though, it does appear the WordPress blog has to have mapped “role” as a custom field. It’s impossible for anyone other than the blog owner to know if that’s the case. Well, probably spammers and scammers seeking sites to compromise and turn into platforms to exploit might given which ones they successfully turn.

It’s tracked as CVE-2025-14533:

• NIST
• tenable

If you procrastinated iOS upgrade to 26.2 here’s a good reason to do so asap:

iOS Exploit Chain PoC Alert! Zeroxjf dropped analysis + PoC for CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB): https://github.com/zeroxjf/WebKit-UAF-ANGLE-OOB-Analysis

Vulnerable: iOS ≤26.1 (incl. 17.x–26.1) Patched: iOS 26.2+ Tested on iPhone 11 Pro Max / iOS 26.1 – expect crashes galore! (GC races + PAC issues)

#iOS #iPhone

Analysis of CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB) exploit chain - iOS Safari
https://github.com/zeroxjf/WebKit-UAF-ANGLE-OOB-Analysis

If you procrastinated iOS upgrade to 26.2 here’s a good reason to do so asap:

iOS Exploit Chain PoC Alert! Zeroxjf dropped analysis + PoC for CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB): https://github.com/zeroxjf/WebKit-UAF-ANGLE-OOB-Analysis

Vulnerable: iOS ≤26.1 (incl. 17.x–26.1) Patched: iOS 26.2+ Tested on iPhone 11 Pro Max / iOS 26.1 – expect crashes galore! (GC races + PAC issues)

#iOS #iPhone

Analysis of CVE-2025-43529 (WebKit UAF) + CVE-2025-14174 (ANGLE OOB) exploit chain - iOS Safari
https://github.com/zeroxjf/WebKit-UAF-ANGLE-OOB-Analysis