Security Check-in Quick Hits: FortiSIEM Exploitation Surge, n8n RCE Vulnerability, UAT-8837 Sitecore Attacks, OWASP Top 10 Refresh, and VoidLink Malware Discovery
For January 19, 2026
The FortiSIEM Fiasco - Critical RCE Vulnerability Under Active Exploitation
In the fast-paced world of cybersecurity, few things send ripples through the industry like a zero-click remote code execution (RCE) flaw in a widely used security tool. Enter CVE-2025-64155, a command injection vulnerability in Fortinet’s FortiSIEM affecting versions 6.7 through 7.5. This bug, residing in the phMonitor service on port 7900, allows unauthenticated attackers to execute arbitrary OS commands as root, potentially leading to full system compromise.
The issue gained traction after Horizon3.ai disclosed it and released a proof-of-concept (PoC) exploit, amplifying the risk for exposed instances. Multiple researchers and security firms, including Defused and Help Net Security, confirmed active exploitation in honeypots and the wild, urging immediate patching or mitigation. Fortinet has provided updates, but with thousands of potentially vulnerable SIEM deployments out there, this could be a gateway for ransomware or data exfiltration campaigns.
For defenders: Scan your networks for exposed FortiSIEM instances, apply patches pronto, and consider firewall rules to block port 7900 externally. This vulnerability underscores the irony of security tools becoming attack vectors—stay vigilant, or risk your monitoring system monitoring you for the bad guys.
n8n’s Nightmare - Authentication Bypass in AI Workflow Automation
Automation tools are the backbone of modern DevOps and AI workflows, but when they falter, the fallout can be catastrophic. CVE-2026-21858 in n8n, a popular open-source workflow automation platform, is a perfect storm: a critical authentication bypass allowing remote attackers to access connected services like AWS, Salesforce, and OpenAI without credentials.
Reports highlight thousands of exposed instances worldwide, with active exploitation confirmed. This isn’t just theoretical—attackers can steal API keys, hijack workflows, and pivot into enterprise environments. n8n’s integration with AI agents makes it particularly appealing for supply chain attacks, as noted in recent threat overviews.
Admins should update to the latest version immediately or isolate instances. This breach potential emphasizes the need for robust access controls in automation tools. If you’re building AI-driven pipelines, audit your n8n setups now—before someone else automates your downfall.
UAT-8837’s Stealthy Strikes - China-Linked Group Targets Critical Infrastructure via Sitecore Zero-Day
Geopolitical cyber threats continue to dominate headlines, and UAT-8837 (a China-attributed advanced persistent threat group) is the latest actor making waves. Exploiting CVE-2025-53690, a zero-day in Sitecore CMS, they’ve targeted North American critical infrastructure for initial access. Using tools like Rubeus and Impacket, the group focuses on credential theft and reconnaissance, paving the way for deeper intrusions.
This fits a broader pattern of supply chain compromises, including exposed customer data from the Endesa and Instagram breaches. With Microsoft patching 114 CVEs (including three zero-days) in the same window, it’s clear nation-state actors are ramping up.
Organizations in critical sectors: Prioritize Sitecore updates, enhance endpoint monitoring, and implement multi-factor authentication everywhere. UAT-8837’s tactics remind us that cyber espionage isn’t slowing down—it’s evolving to hit where it hurts most.
OWASP Top 10 Gets a 2026 Makeover - What It Means for Web App Security
The OWASP Top 10, the gold standard for web application vulnerabilities, just dropped its latest refresh, and it’s packed with shifts reflecting today’s threat landscape. Key changes include security misconfigurations jumping to #2, a new category for “Mishandling of Exceptional Conditions,” and renaming “Vulnerable and Outdated Components” to “Software Supply Chain Failures.”
These updates come amid rising supply chain attacks and AI-integrated threats, emphasizing the need for better exception handling and component management. TCM Security’s analysis traces how these changes grew out of earlier predictions and stresses their impact on pentesting and developer practices.
For devs and security teams: Integrate these into your SDLC now. Run automated scans for misconfigs, audit third-party components, and train on exception handling. The refreshed list isn’t just a checklist—it’s a roadmap to fortify against tomorrow’s exploits.
VoidLink Unveiled - Sophisticated Linux Malware Targeting Cloud Environments
Deep in the shadows of Chinese cyber operations, VoidLink emerges as a multi-stage Linux malware framework hitting cloud setups, Kubernetes, and containers. Sysdig’s threat analysis reveals its use of kernel rootkits, eBPF hooks, and ICMP covert channels for C2, evading EDR/XDR tools with adaptive tactics.
Built in Zig for memory safety and obfuscation, VoidLink deploys via fileless loaders, compiles rootkits on-the-fly, and includes plugins for container escapes. It’s linked to threats like Krasue and Drovorub, targeting Linux servers globally.
Cloud admins: Leverage runtime detection like Falco, enforce least-privilege in containers, and monitor for anomalous kernel activity. VoidLink’s sophistication signals a new era of cloud-native malware—don’t let your infrastructure become a ghost in the machine.
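One way to act on the "monitor for anomalous kernel activity" advice against the ICMP covert channel described above is a flow-level heuristic. The following is an added example, not code from the page or from Sysdig's analysis; the record format, the constructed sample flows, the "common ping sizes" set and all thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed ICMP flow records, not taken from the page or from Sysdig's report:
# (timestamp_seconds, src_ip, dst_ip, icmp_type, payload_bytes).
# 10.0.0.5 pings its gateway normally; 10.0.0.9 shows VoidLink-style beaconing
# with a varying payload, which is how data rides inside echo requests.
SAMPLE_RECORDS = (
    [(t, "10.0.0.5", "10.0.0.1", 8, 56) for t in range(10)]
    + [(2 * t, "10.0.0.9", "203.0.113.7", 8, 56 + (37 * t) % 900) for t in range(40)]
)

# Heuristic thresholds (assumptions; tune per environment).
COMMON_PING_SIZES = {32, 56, 64}   # typical echo payload sizes from OS ping tools
SIZE_STDEV_LIMIT = 16.0            # payload size jitter above this is suspicious
ODD_SIZE_FRACTION = 0.5            # share of packets with non-standard sizes
WINDOW_SECONDS = 60
PACKETS_PER_WINDOW = 20

def max_packets_in_window(times, window_s=WINDOW_SECONDS):
    """Largest number of packets seen in any sliding window of window_s seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def flow_reasons(samples):
    """Indicators that make one (src, dst) echo flow look like a covert channel."""
    times = [t for t, _ in samples]
    sizes = [s for _, s in samples]
    reasons = []
    if len(sizes) > 1 and pstdev(sizes) > SIZE_STDEV_LIMIT:
        reasons.append("variable payload size")
    odd = sum(1 for s in sizes if s not in COMMON_PING_SIZES)
    if odd / len(sizes) > ODD_SIZE_FRACTION:
        reasons.append("non-standard payload size")
    if max_packets_in_window(times) >= PACKETS_PER_WINDOW:
        reasons.append("sustained echo rate")
    return reasons

def analyze(records):
    """Group echo request/reply records per (src, dst); return flows with two or more indicators."""
    flows = defaultdict(list)
    for ts, src, dst, icmp_type, plen in records:
        if icmp_type in (0, 8):           # echo reply / echo request only
            flows[(src, dst)].append((ts, plen))
    scored = ((flow, flow_reasons(samples)) for flow, samples in flows.items())
    return {flow: reasons for flow, reasons in scored if len(reasons) >= 2}

if __name__ == "__main__":
    for (src, dst), reasons in analyze(SAMPLE_RECORDS).items():
        print(f"suspect ICMP channel {src} -> {dst}: {', '.join(reasons)}")
```

The same three indicators can be computed from Zeek or NetFlow exports once the records are mapped into the tuple shape above.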