No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network
Google dismantled the IPIDEA network that used residential proxies to route malicious traffic.
https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
The news about Clawdbot (now Moltbot) is used to distribute malware, in particular malicious VS Code extensions.
https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware
Threat Bulletin: Critical eScan Supply Chain Compromise
Anti-virus vendor eScan was compromised, and its update servers were used to install malware on some customer systems.
https://www.morphisec.com/blog/critical-escan-threat-bulletin/

Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?
We are seeing attempts to attack CVE-2026-21962, a recent weblog vulnerability, using a non-working AI slop exploit
https://isc.sans.edu/diary/Odd%20WebLogic%20Request.%20Possible%20CVE-2026-21962%20Exploit%20Attempt%20or%20AI%20Slop%3F/32662
Fortinet Patches are Rolling Out
Fortinet is starting to roll out patches for the recent SSO vulnerability
https://fortiguard.fortinet.com/psirt/FG-IR-26-060
SolarWinds Web Helpdesk Vulnerability
Another set of vulnerabilities in SolarWinds Web Helpdesk may result in unauthenticated system access
https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

Initial Stages of Romance Scams [Guest Diary]
Romance scams often start with random text messages that appear to be misrouted . This guest diary by Faris Azhari is following some of the initial stages of such a scam.
https://isc.sans.edu/diary/Initial%20Stages%20of%20Romance%20Scams%20%5BGuest%20Diary%5D/32650
Denial of Service Vulnerabilities in React Server Components
Another folowup fix for the severe React vulnerability from last year, but now only fixing a DoS condition.
https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
OpenSSL Updates
OpenSSL released its monthly updates, fixing a potential RCE.
https://openssl-library.org/news/vulnerabilities/
Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission
Many Kubernetes Helm Charts are vulnerable to possible remote code executions due to unclear defined access controls.
https://grahamhelton.com/blog/nodes-proxy-rce

Scanning Webserver with pwd as a Starting Path
Attackers are adding the output of the pwd command to their web scans.
https://isc.sans.edu/diary/x/32654
Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509
Microsoft released an out-of-band patch for Office fixing a currently exploited vulnerability.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
Exposed Clawdbot Instances
Many users of the AI tool clawdbot expose instances without access control.
https://x.com/theonejvo/status/2015485025266098536

Analysis of Single Sign-On Abuse on FortiOS
Fortinet released an advisory. FortiOS devices are vulnerable if configured with any SAML integration, not just FortiCloud
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
Outlook OOB Update
Microsoft released a non-security OOB Update for Outlook, fixing an issue introduced with this months security patches.
https://support.microsoft.com/en-us/topic/january-24-2026-kb5078127-os-builds-26200-7628-and-26100-7628-out-of-band-cf5777f6-bb4e-4adb-b9cd-2b64df577491
VMware vCenter Server Vulnerabilities Exploited (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
A VMWare vCenter vulnerability patched last June is now actively exploited.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

Is AI-Generated Code Secure?
Xavier used the free static code analysis tool Bandit to review code he wrote with heavy AI support.
https://isc.sans.edu/diary/Is%20AI-Generated%20Code%20Secure%3F/32648
Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
Arctic Wolf summarized some of the attacks it is seeing against FortiGate devices via the insufficiently patched SSL vulnerability.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
ISC BIND DoS vulnerability in Drone ID Records
HHIT and BRID records, which are used as part of Drone ID, can be used to crash named if their length is 3 bytes.
https://marlink.com/resources/knowledge-hub/isc-bind-vulnerability-discovered-and-disclosed-by-marlink-cyber/
SmarterTools SmarterMail Password Reset Vulnerability
SmarterTools recently patched a trivial vulnerability in SmarterMail that would allow anybody without authentication to reset administrator passwords.
https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/

Automatic Script Execution In Visual Studio Code
Visual Studio Code will read configuration files within the source code that may lead to code execution.
https://isc.sans.edu/diary/Automatic%20Script%20Execution%20In%20Visual%20Studio%20Code/32644
Cisco Unified Communications Products Remote Code Execution Vulnerability A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Zoom Vulnerability
A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to execute remote code on the MMR via network access.
https://www.zoom.com/en/trust/security-bulletin/zsb-26001/
Possible new SSO Exploit (CVE-2025-59718) on 7.4.9
https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/
SANS SOC Survey
The 2026 SOC Survey is open, and we need your input to create a meaningful report. Please share your experience so we can advocate for what actually works in the trenches.
https://survey.sans.org/jfe/form/SV_3ViqWZgWnfQAzkO?is=socsurveystormcenter

Add Punycode to your Threat Hunting Routine
Punycode patterns in DNS queries make excellent hunting opportunities.
https://isc.sans.edu/diary/Add%20Punycode%20to%20your%20Threat%20Hunting%20Routine/32640
GNU InetUtils Security Advisory: remote authentication by-pass intelnetd
telnetd shipping with InetUtils suffers from a critical authentication by-pass vulnerability.
https://www.openwall.com/lists/oss-security/2026/01/20/2
6-day and IP Address Certificates are Generally Available
Let s Encrypt will now offer 6-day certificates as an option. These short-lived certificates can be used for IP addresses.
https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability
Oracle Quarterly Critical Patch Update
Oracle released its first quarterly patches for 2026, fixing 337 vulnerabilities
https://www.oracle.com/security-alerts/cpujan2026.html#AppendixFMW

"How many states are there in the United States?"
Attackers are actively scanning for LLMs, fingerprinting them using the query How many states are there in the United States? .
https://isc.sans.edu/diary/%22How%20many%20states%20are%20there%20in%20the%20United%20States%3F%22/32618
Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol.
https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables
Out-of-band update to address issues observed with the January 2026 Windows security update
Microsoft has identified issues upon installing the January 2026 Windows security update. To address these issues, an out-of-band (OOB) update was released today, January 17, 2026
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center

Battling Cryptojacking, Botnets, and IABs
Cryptojacking often comes with less obvious addons, like SSH backdoors
https://isc.sans.edu/diary/Battling%20Cryptojacking%2C%20Botnets%2C%20and%20IABs%20%5BGuest%20Diary%5D/32632
Microsoft Copilot Reprompt Attacks
Adding a query parameter to the URL may prefill a Copilot prompt, altering the meaning of the prompts that follow.
https://www.varonis.com/blog/reprompt
Hijacking Bluetooth Accessories Using Google Fast Pair
Google s fast pair protocol is often not implemented correctly, allowing the Hijacking of Bluetooth accessories
https://whisperpair.eu/#about

Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain
https://isc.sans.edu/diary/Infection%20repeatedly%20adds%20scheduled%20tasks%20and%20increases%20traffic%20to%20the%20same%20C2%20domain/32628
BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow
https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/
Starlink Terminal GPS Spoofing/Jamming Detection in Iran
https://github.com/narimangharib/starlink-iran-gps-spoofing/blob/main/starlink-iran.md