InfoSec News 22JAN2026
General
- More Cisco Remote Code Execution (RCE) - in Cisco Unified Communications Manager.
This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
- Pwn2Own Automotive starts with a bang - "we awarded $516,500 for 37 unique 0-days", with more fun planned targeting head-units and chargers.
- Never a good time to be an admin of a Fortinet device - it appears that Fortinet failed to properly address a FortiGate authentication (SSO) vulnerability, and fully patched devices are getting owned.
- GitLab patching time - a few DoS and an MFA bypass. (Three High and two Medium security fixes)
GitLab has remediated an issue that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.
- https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-high-severity-2fa-bypass-denial-of-service-flaws/
- Ad-fraud gets a new twist - using computer-vision to identify where to click.
- Phishing for Passwords - LastPass users targeted to "create a backup".
Getting Techy
- Huntress Labs looks at a (literal) copy and rename of uBlock Origin Lite that drops ModeloRAT on domain-joined machines. Unfortunately, they were unable to recover a copy of the second stage served to non-domain-joined machines. Lots of anti-VM (Virtual Machine) tricks.
Geo-Politics
- [BY] Ham Radio operators in Belarus are being arrested, accused of being part of a "massive spy network".
Propagandists claim that over fifty people have already been detained and more than five hundred units of radio equipment have been seized.
The charges they face are staggering. These men have been indicted for High Treason and Espionage. Under the Belarusian Criminal Code, these charges carry sentences of life imprisonment or even the death penalty. As a fellow operator, the sheer absurdity of these claims makes my blood run cold. The state displays mountains of confiscated Baofeng handhelds and SDR dongles as evidence of high-level espionage. Any ham operator knows that hardware like this is physically incapable of cracking the modern AES-256 digital encryption utilized by government security forces.
- [EU] The European Commission is looking to improve resilience - whilst initially aimed at China, there are also concerns over the use of US technology.
A draft proposal released on Tuesday, revising the EU’s Cybersecurity Act and its Network Information Systems Directive, would see member states phase out the use of high-risk suppliers within their critical national infrastructure.
The use of U.S. technology and service providers has also prompted concern across the European Union following President Trump’s unpredictable decisions to sanction various political figures — resulting in prohibitions against them using technology provided by companies such as Microsoft — and aggressive comments towards Greenland.
- https://therecord.media/eu-unveils-new-plans-to-tackle-huawei-zte
- https://www.theregister.com/2026/01/21/eu_mulls_deadline_of_3_years/
- [US] The Federal Aviation Administration (FAA) have banned drones near Department of Homeland Security vehicles (including Immigration and Customs Enforcement).
ALL UNMANNED ACFT ARE PROHIBITED FROM FLYING WITHIN A STAND-OFF DISTANCE OF 3000FT LATERALLY AND 1000FT ABOVE ... DEPARTMENT OF HOMELAND SECURITY (DHS) FACILITIES AND MOBILE ASSETS, INCLUDING VESSELS AND GROUND VEHICLE CONVOYS AND THEIR ASSOCIATED ESCORTS ..
ASSETS MAY BE MITIGATED ... MITIGATION MAY RESULT IN THE INTERFERENCE, INTERCEPTION, SEIZURE, DAMAGING, OR DESTRUCTION OF UNMANNED AIRCRAFT DEEMED TO POSE A CREDIBLE SAFETY OR SECURITY THREAT TO PROTECTED PERSONNEL, FACILITIES, OR ASSETS.
Privacy
- [IE] Ireland is planning to update its "Postal Packets and Telecommunications Messages (Regulation) Act", to allow interception of communications in all channels, encrypted or not.
Olga Cronin, surveillance and human rights senior policy officer at the Irish Council for Civil Liberties (ICCL), said the nonprofit "has very serious concerns about this shopping list of surveillance powers," despite the proposals still being in their infancy.
"These are surveillance tools and powers of extraordinary reach, with sweeping implications for people's rights and freedoms, and come in the context of An Garda Síochána already expanding their 'eyes and ears' via the Recording Devices Bill," Cronin added.
"Once powers of this magnitude are normalised, the damage to rights and freedoms can be extremely difficult to reverse," said Cronin.
"We must also remember that measures introduced for exceptional or serious crimes tend, over time, to be used for much less serious crimes because there is institutional pressure to use them more frequently. What was once exceptional becomes routine."
AI
- OpenAI adds age verification to ChatGPT - of course starting with using a behaviour-based age-detection model. All the usual privacy-invasive options are there, if you want to assert your adulthood.
- Google DeepMind - we have no plans for ads.