Security Check-in Quick Hits: Government Hacking Guilty Plea, Cisco Zero-Day Exploits, Node.js Permission Bypass, DLL Sideloading Malware, and Black Basta Leader Hunt
For January 17, 2026
Tennessee Man Pleads Guilty to Hacking U.S. Supreme Court, VA, and AmeriCorps Systems
In a significant win for cybersecurity enforcement, Nicholas Moore, a 31-year-old from Springfield, Tennessee, has pleaded guilty to computer fraud charges related to unauthorized access of multiple high-profile government systems. Moore admitted to hacking into the electronic filing system of the U.S. Supreme Court, the Department of Veterans Affairs (VA) health system, and AmeriCorps, a national service organization.
The intrusions, which occurred on several occasions, involved Moore exploiting vulnerabilities to gain access and even posting screenshots of sensitive data, including veteran health records, on Instagram. Beyond the compromise of confidential information, the case highlights the ongoing risk that individual actors pose to federal IT infrastructure.
Prosecutors emphasized that Moore’s actions violated the Computer Fraud and Abuse Act; he faces up to five years in prison and substantial fines. This case underscores the U.S. Department of Justice’s commitment to prosecuting cybercriminals, regardless of scale. It serves as a reminder for organizations to bolster access controls, implement multi-factor authentication, and monitor for anomalous activities.
As cyber threats evolve, cases like this reinforce the need for robust incident response plans and collaboration between law enforcement and private sectors to deter future attacks.
Cisco Zero-Day RCE Vulnerability (CVE-2025-20393) Actively Exploited
Cisco has confirmed active exploitation of a critical zero-day remote code execution (RCE) vulnerability in its Secure Email Gateway and Secure Email and Web Manager appliances. Tracked as CVE-2025-20393 with a CVSS score of 10.0, the flaw stems from improper input validation in the Spam Quarantine feature of Cisco AsyncOS Software, allowing unauthenticated attackers to execute arbitrary commands with root privileges via crafted HTTP requests.
Affected versions include AsyncOS 14.2 and earlier, 15.0, 15.5, and 16.0, particularly those with Spam Quarantine enabled and exposed to the internet on port 6025. Exploitation has been linked to a China-nexus advanced persistent threat (APT) group dubbed UAT-9686, which deploys a Python-based backdoor called AquaShell for persistence, along with tools like AquaTunnel and Chisel for lateral movement, and AquaPurge for log evasion. Indicators of compromise date back to November 2025, with Cisco alerting customers on December 10, 2025.
The impact is severe, compromising confidentiality, integrity, and availability, especially in telecommunications and critical infrastructure sectors. CISA added it to its Known Exploited Vulnerabilities catalog on December 17, 2025, requiring federal agencies to mitigate by December 24, 2025.
No workarounds exist; Cisco urges immediate upgrades to patched versions like 15.0.5-016 or 16.0.4-016 for Secure Email Gateway, and similar for Web Manager. Additional hardening steps include firewall restrictions, interface separation, disabling unused services, and external log monitoring. This incident highlights the urgency of prompt patching and zero-trust architectures in email security.
Node.js Permission Model Bypass Vulnerability (CVE-2026-21636)
A medium-severity vulnerability in Node.js, CVE-2026-21636, allows bypassing the experimental permission model’s network restrictions through unchecked Unix Domain Socket (UDS) connections. Discovered autonomously by an AI agent from winfunc.com and fixed in the January 13, 2026, security releases, it affects Node.js versions across active lines (20.x, 22.x, 24.x, 25.x).
The flaw enables attacker-controlled inputs—such as URLs or socketPath options—to establish connections to arbitrary local sockets via APIs like net, tls, undici, or fetch, even without the --allow-net flag. This undermines the permission model’s isolation, potentially granting access to privileged local services and leading to local privilege escalation or data exposure.
Part of a broader patch addressing eight vulnerabilities (including DoS and memory issues), CVE-2026-21636 primarily impacts applications using the --permission flag, which is experimental and not widely adopted in production. However, for environments like AI tools, desktop apps (e.g., Electron), or sandboxes, it poses risks where code execution is restricted.
Node.js now enforces network checks on UDS, treating them akin to IP-based connections. Users should update to versions 20.20.0, 22.22.0, 24.13.0, or 25.3.0 immediately. This vulnerability emphasizes the importance of thorough security audits in runtime environments and the value of AI-driven vulnerability detection in open-source ecosystems.
Active Malware Campaign Exploiting DLL Sideloading in Ahost.exe
Security researchers from Trellix have uncovered an ongoing malware campaign leveraging a DLL sideloading vulnerability in the legitimate ahost.exe utility, a component often found in Windows environments. This technique allows threat actors to execute malicious code by tricking the executable into loading rogue DLLs, bypassing standard security measures.
The campaign delivers commodity infostealers and remote access trojans (RATs), enabling data theft, persistence, and further compromise. Multiple actors appear involved, indicating a shared exploitation method across cybercriminal groups. Infections typically start via phishing or drive-by downloads, with ahost.exe sideloading the malicious DLL to deploy payloads like Lumma Stealer or Remcos RAT.
Detection is challenging due to the use of legitimate binaries, but indicators include unexpected ahost.exe behavior, anomalous network traffic, or unfamiliar DLL loads. Trellix recommends monitoring for sideloading patterns using tools like Sysmon or EDR solutions, applying least-privilege principles, and keeping systems patched.
This highlights the persistence of sideloading as a favored tactic, echoed in debates over whether it’s a vulnerability or a feature. Organizations should prioritize behavioral analytics and threat hunting to counter such stealthy attacks, as traditional signature-based defenses often fall short.
Black Basta Ransomware Leader Oleg Nefekov Added to EU Most Wanted List
German authorities have placed Oleg Evgenievich Nefekov, a 35-year-old Russian national, on the EU’s Most Wanted list for his role as the founder and ringleader of the Black Basta ransomware group. Also added to Interpol’s Red Notice, Nefekov is accused of orchestrating global cyberattacks, extortion, and forming a criminal organization.
Operating under pseudonyms like “tramp,” “tr,” “gg,” “AA,” “kurva,” “Washingt0n,” and “S.Jimmi,” Nefekov allegedly developed Black Basta ransomware, selected targets, recruited members, managed negotiations, and distributed extorted cryptocurrencies. The group, linked to over 100 attacks in Germany alone and hundreds worldwide, infiltrated systems to steal data and encrypt files, demanding ransoms.
Black Basta, an evolution from the Conti group that disbanded in 2025 following leaks, targeted sectors like healthcare and manufacturing. Nefekov’s brief arrest in Armenia in June 2024 ended in release, after which he fled to Russia.
This development, supported by Ukrainian and German raids on associates, signals intensified international efforts against ransomware. Victims are advised against paying ransoms, and organizations should focus on backups, segmentation, and employee training to mitigate risks.