Security Check-in Quick Hits: FortiSIEM Exploitation Surge, n8n RCE Vulnerability, UAT-8837 Sitecore Attacks, OWASP Top 10 Refresh, and VoidLink Malware Discovery

For January 20, 2026

FortiSIEM Exploitation Surge

In the ever-evolving landscape of cybersecurity threats, the recent surge in exploitation attempts targeting Fortinet’s FortiSIEM platform has raised significant alarms across the industry. FortiSIEM, a critical tool for security information and event management in enterprise environments, has been hit by a critical remote command execution (RCE) vulnerability, tracked as CVE-2025-64155 with a CVSS score of 9.8. This flaw allows unauthenticated attackers to inject malicious commands via improper sanitization in TCP request processing, potentially granting root-level access and enabling them to disable monitoring, delete logs, and evade detection entirely.

The vulnerability affects multiple versions, including 7.4.0, 7.3.0-7.3.4, and older releases down to 6.7.0. Attackers exploiting this could turn an organization’s security operations center (SOC) blind, paving the way for undetected ransomware deployments or data exfiltration campaigns. Fortinet has released patches for affected versions (e.g., 7.4.1 and above), urging immediate upgrades. In the interim, organizations should restrict access to ports 443, 19999, and 20000 to trusted IPs and consider VPN enforcement.

This incident underscores the growing risks to centralized security tools, which, when compromised, can amplify threats exponentially. Defenders are advised to audit for unusual shell processes spawning from the phoenix service and prioritize patch management. As exploits are already active in the wild, procrastination could prove costly—stay vigilant and patch now to safeguard your infrastructure.

n8n RCE Vulnerability

Automation workflows just got a wake-up call with the discovery of a severe remote code execution (RCE) vulnerability in n8n, the popular open-source workflow automation tool. This flaw, potentially allowing attackers to execute arbitrary code on affected systems, stems from inadequate input validation in the platform’s node execution environment. With n8n widely used for integrating services like databases, APIs, and cloud platforms, a successful exploit could lead to data breaches, unauthorized access, or even pivoting to other connected systems.

Details on the exact CVE are still emerging, but early reports indicate it impacts versions prior to the latest patch. The vulnerability’s exploitation could be as simple as crafting malicious workflows or injecting code via exposed endpoints, making it a prime target for threat actors seeking low-effort, high-impact attacks. n8n’s community-driven nature amplifies the risk, as custom nodes might introduce additional vectors.

To mitigate, users should immediately update to the patched version and review all active workflows for suspicious integrations. Implementing least-privilege principles, network segmentation, and regular code audits will further harden defenses. This event highlights the double-edged sword of automation tools: while they streamline operations, they also expand the attack surface. Organizations relying on n8n should treat this as a priority and reassess their dependency on third-party automation solutions.

UAT-8837 Sitecore Attacks

A chilling escalation in state-sponsored cyber espionage has come to light with the active exploitation of a zero-day vulnerability in Sitecore, a leading content management system (CMS). Tracked as CVE-2025-53690, this flaw is being weaponized by the China-linked advanced persistent threat (APT) group known as UAT-8837 (also referred to in some reports as related to broader Chinese cyber operations). Targeting North American critical infrastructure, the attacks aim to infiltrate high-value networks for intelligence gathering or sabotage.

The vulnerability enables remote code execution without authentication, allowing attackers to deploy webshells, exfiltrate sensitive data, or establish persistent backdoors. Sitecore’s use in enterprise websites and intranets makes it an attractive entry point for supply-chain compromises. Exploitation has been observed in real-world scenarios, with indicators including anomalous traffic to command-and-control servers.

Immediate patching is essential, as Cisco and other vendors have issued advisories linking similar tactics to this group. Organizations should scan for IOCs, such as unexpected file modifications in Sitecore directories, and enforce multi-factor authentication (MFA) on admin panels. This incident serves as a stark reminder of geopolitical cyber risks—defenders must adopt a proactive threat-hunting stance and collaborate with intelligence-sharing communities to counter such sophisticated adversaries.

OWASP Top 10 Refresh

The Open Web Application Security Project (OWASP) has unveiled its refreshed Top 10 list for 2026, providing an updated roadmap for tackling the most critical web application security risks. This iteration emphasizes emerging threats like insecure deserialization, server-side request forgery (SSRF), and AI/ML-related vulnerabilities, while retaining classics such as injection attacks and broken access controls. The refresh incorporates data from over 500,000 applications and reflects the shift toward cloud-native architectures and API-driven ecosystems.

Key changes include a stronger focus on software supply chain security, prompted by recent high-profile breaches, and new guidance on cryptographic failures in the era of quantum computing risks. Developers and security teams are encouraged to integrate these into their secure coding practices, using tools like static application security testing (SAST) and dynamic analysis.

This update isn’t just a list—it’s a call to action for shifting left in security. By prioritizing these risks, organizations can reduce breach likelihood by up to 50%, according to OWASP metrics. Stay ahead by attending OWASP webinars, contributing to the project, and embedding these principles into your DevSecOps pipeline.

VoidLink Malware Discovery

A new malware strain dubbed VoidLink has surfaced, posing a formidable threat to endpoint security. Discovered by threat researchers, VoidLink is a sophisticated info-stealer and backdoor combo, designed to harvest credentials, exfiltrate data, and enable remote control. It spreads via phishing emails disguised as software updates or through compromised supply chains, leveraging obfuscated JavaScript and living-off-the-land binaries (LOLBins) to evade detection.

Once installed, VoidLink targets browsers, email clients, and crypto wallets, while establishing persistence through registry modifications. Its modular design allows for easy updates, making it adaptable to new evasion techniques. Early indicators point to affiliations with financially motivated threat actors, possibly linked to ransomware-as-a-service (RaaS) operations.

Defenses include deploying endpoint detection and response (EDR) tools, educating users on phishing, and monitoring for anomalous outbound traffic. The discovery of VoidLink reinforces the need for layered security—combine signature-based antivirus with behavior analytics. As malware evolves, so must our strategies; regular threat intelligence feeds and incident response drills are crucial to staying one step ahead.