CCTR.2.JAN.26

Monday morning cyber coffee read CCTR.2.JAN.26.

A critical unauthenticated remote code execution vulnerability, aka Ni8mare (CVE-2026-21858, CVSS 10.0), has been identified in the n8n workflow automation platform. n8n is widely deployed as core automation infrastructure across enterprises and AI-driven environments.

Successful exploitation allows complete compromise of locally deployed n8n instances, including access to connected systems and downstream environments. An estimated ~100,000 servers are exposed globally.

  • Patch immediately and assume compromise where exposure cannot be ruled out.

  • Upgrade immediately to n8n version 1.121.0 or later.

  • Identify all n8n instances, including shadow IT and developer deployments.

  • Where possible, restrict network exposure and enforce authentication at the edge.

https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858

Word on the street is that Salt Typhoon is “almost certainly” present within parts of Australia’s critical infrastructure. Salt Typhoon is a China state-aligned APT known for long-dwell, low-noise intrusions, with a focus on persistence and strategic pre-positioning, not opportunistic cybercrime.

  • If you are concerned, conduct intelligence-led purple team exercises mapped to Salt Typhoon TTPs.

https://www.smh.com.au/technology/salt-typhoon-hackers-almost-certainly-in-australia-s-critical-infrastructure-20251231-p5nqwn.html

VulnCheck reported active exploitation of compromised D-Link DSL routers using the high-risk vulnerability CVE-2026-0625 (CVSS 9.3). The vulnerability enables unauthenticated remote code execution and allows full device compromise.

This exploitation activity is part of the same historical attack family as GhostDNS and DNSChanger. Products associated with these vulnerabilities no longer receive updates or security maintenance.

  • Treat any exposed device as potentially compromised.

  • Immediately identify and retire affected D-Link DSL routers.

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488

A number of vulnerabilities have been identified in Columbia Weather Systems MicroServer. Successful exploitation could allow attackers to gain administrative access to the web portal and obtain limited shell access.

These systems are used within critical infrastructure sectors and compromise could enable footholds into connected operational environments.

  • Minimise network exposure and ensure devices are not internet-facing.

  • Use the Bureau of Meteorology’s $96.5 million website to get weather information rather than having your own.

https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01
