Security Check-in Quick Hits: Fortinet FortiSIEM Exploits Rampant, n8n RCE Vulnerability, Gogs Zero-Day Attacks, Ransomware Surge, AI Voice Cloning Threats

For January 16, 2026

Fortinet FortiSIEM Vulnerability Under Active Exploitation (CVE-2025-64155)

In a concerning development for enterprise security teams, the Fortinet FortiSIEM vulnerability tracked as CVE-2025-64155 has moved from theoretical risk to real-world attacks. This critical OS command injection flaw allows unauthenticated remote code execution (RCE), enabling attackers to gain root-level access on affected systems. Honeypot deployments have captured targeted exploitation attempts, with indicators of compromise (IOCs) including IP addresses from providers like Baxet Group, Siamdata Communication, Contabo, China Mobile, Tencent, and China Telecommunications. Proof-of-concept (PoC) exploit code is now publicly available on GitHub, demonstrating full RCE chains, and exploit payloads often reveal secondary adversary infrastructure. Logs in /opt/phoenix/log/phoenix.log show suspicious PHL_ERROR entries with attacker URLs and file paths. Organizations using FortiSIEM should prioritize patching and monitor for unusual activity, as this bug poses severe risks to security monitoring infrastructure. The EPSS score suggests rapid exploitation, with business impacts including high confidentiality, integrity, and availability breaches.

n8n RCE Vulnerability: A Critical Threat to Workflow Automation (CVE-2026-21858)

The open-source workflow automation tool n8n is facing a maximum-severity remote code execution vulnerability, CVE-2026-21858 (CVSS 10.0), that could impact over 100,000 deployed instances worldwide. This flaw stems from improper handling of content-type headers, allowing attackers to hijack locally deployed servers without authentication. Discovered and detailed by security researchers, it enables full takeover, potentially leading to data corruption, exposure of sensitive information, or service disruptions. No official patch is mentioned yet, heightening the urgency for users to isolate instances or monitor for suspicious activity. Additional techniques like supply-chain attacks in related tools, such as Trust Wallet’s CI/CD compromise, underscore the broader ecosystem risks. Admins should validate exposures and apply mitigations swiftly to prevent escalation.

Gogs Zero-Day Vulnerability Actively Exploited (CVE-2025-8110)

Gogs, the self-hosted Git service, is under fire from a zero-day vulnerability (CVE-2025-8110) that’s seeing rampant exploits. This flaw, highlighted by CISA as actively targeted, allows unauthorized access and code execution, with proof-of-concepts likely circulating in underground forums. Impacts include unauthorized code runs, denial-of-service crashes, and full data modification or exposure. With industry averages for time-to-exploit dropping to just days, this bug’s appearance in the CISA Known Exploited Vulnerabilities (KEV) catalog is imminent. Users are urged to patch immediately or restrict access, as successful attacks could corrupt repositories and expose sensitive codebases in development environments.

Ransomware Attacks Hit Record Highs

Ransomware continues its unrelenting assault, with activity reaching record highs in the past day alone. A 24-hour snapshot reveals 32 total attacks, predominantly targeting the US (21 incidents), with sectors like construction (7), financial (4), legal (3), business services (3), and manufacturing (3) bearing the brunt. Top threat actors include Akira (7), Qilin (7), INC (4), Tengu (4), and Sinobi (2), employing advanced evasion techniques like safe-mode operations to bypass defenses. This surge aligns with broader trends of phishing and credential theft leading to multimillion-dollar breaches, such as a recent $4.81M incident. Organizations must bolster backups, implement multi-factor authentication, and monitor for indicators from these groups to mitigate the high CIA (confidentiality, integrity, availability) impacts.

AI Voice Cloning Exploit and Emerging Threats

AI-driven threats are escalating, with a spotlight on voice cloning exploits that enable sophisticated scams and social engineering. This technique, part of a broader bulletin covering 17 stories, allows attackers to mimic voices for fraudulent calls or deepfakes, often combined with malware fusion for enhanced persistence. Related issues include Wi-Fi kill switch vulnerabilities and PLC (programmable logic controller) flaws in industrial systems, which could lead to physical infrastructure disruptions. With AI-malware hybrids on the rise, security pros should integrate AI detection tools and train staff on voice verification protocols to counter these evolving risks.