
Critical Patches, Crimeware Disruption, and AI Tooling Updates
Coverage: 15 Jan 2026 (UTC)
Urgent security updates dominated the day, led by a critical remote code execution flaw in n8n and reinforced by a push to retire weak authentication with newly released Net‑NTLMv1 rainbow tables. The Schneier report details a CVSS 10.0 issue requiring immediate upgrades, while Google Cloud and Mandiant’s dataset aims to accelerate protocol deprecation and clean up lingering exposures. Alongside these preventive moves, industrial and web platforms shipped patches for actively exploited or high‑impact vulnerabilities, and investigators highlighted both a broad crimeware infrastructure takedown and targeted intrusion tradecraft against critical infrastructure.
Critical advisories and active exploitation
The n8n maintainers have issued a patched release addressing a maximum‑severity RCE affecting locally deployed automation servers, with guidance to upgrade to version 1.121.0 or later; given potential exposure of stored credentials and connected systems, teams should patch, rotate secrets and review logs. In parallel, researchers disclosed an unauthenticated command injection in Fortinet FortiSIEM’s phMonitor service that runs as root, tracked as CVE‑2025‑64155; CSO Online notes fixes are available across supported branches, with advice to patch immediately and restrict access to TCP 7900. Separately, HPE OneView admins face active, large‑scale exploitation of CVE‑2025‑37164 attributed to the RondoDox botnet; Check Point reports rapid attack growth and urges emergency remediation, with CISA adding the flaw to KEV.
Industrial operators also received targeted guidance: CISA’s advisory on AVEVA Process Optimization enumerates seven CVEs (up to CVSS 10.0) enabling remote code execution, privilege escalation and cleartext exposure risks; CISA directs updating to vendor‑fixed versions and tightening network exposure and ACLs. On the web stack, a CVSS 10.0 bug in the Modular DS WordPress plugin (CVE‑2026‑23550) allows unauthenticated admin takeover via a permissive direct‑request path; The Hacker News cites active exploitation beginning January 13 and recommends updating to 2.5.2, auditing for suspicious connector activity and removing unauthorized accounts.
Consumer and protocol exposures
KU Leuven researchers detailed WhisperPair (CVE‑2025‑36911), a critical weakness in implementations of Google’s Fast Pair that lets attackers forcibly pair to Bluetooth audio devices outside pairing mode, then control playback, activate microphones for eavesdropping, and even abuse location tracking. BleepingComputer reports patches are rolling out unevenly across manufacturers; mitigations hinge on installing device firmware updates and monitoring unexpected pairing or tracking alerts. The practical risk is high because pairing can occur within seconds at typical indoor ranges.
To accelerate retirement of legacy authentication, Mandiant and Google released Net‑NTLMv1 rainbow tables enabling recovery of DES key material from common known‑plaintext responses, making NT hash reconstruction possible on commodity hardware in under 12 hours. With the dataset already public, organizations should disable Net‑NTLMv1 via policy and monitor authentication logs for LM/NTLMv1 to catch stragglers. Together, these developments underscore the security debt in convenience protocols and the importance of protocol hygiene alongside patching.
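As an added illustration of the "monitor authentication logs for LM/NTLMv1" step (example code, not part of the brief or of the Mandiant release), the script below scans constructed Windows 4624 logon events for the LM and NTLM V1 package names and ranks the sources that still use them. The field names follow the 4624 event schema; the one-event-per-line key=value layout is an assumed SIEM export format.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry): 4624 logons exported one per line
# as key=value pairs. LmPackageName is where the legacy protocol shows up.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=svc_backup WorkstationName=FS01 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.4.21
EventID=4624 TargetUserName=jdoe WorkstationName=WS-117 AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.7.8
EventID=4624 TargetUserName=printer-scan WorkstationName=MFP-3 AuthenticationPackageName=NTLM LmPackageName=LM IpAddress=10.0.9.50
EventID=4624 TargetUserName=asmith WorkstationName=WS-042 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.7.9
EventID=4624 TargetUserName=svc_backup WorkstationName=FS01 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.4.21
"""

# key=value, where the value is either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LEGACY_PACKAGES = {"LM", "NTLM V1"}  # anything here should be gone after the policy change


def parse_event(line):
    """Turn one exported event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_legacy_logons(text):
    """Return (user, workstation, ip, package) for every logon that used LM or NTLMv1."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        # Kerberos logons carry LmPackageName="-"; only NTLM logons are relevant here
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        pkg = ev.get("LmPackageName", "-")
        if pkg in LEGACY_PACKAGES:
            hits.append((ev.get("TargetUserName"), ev.get("WorkstationName"),
                         ev.get("IpAddress"), pkg))
    return hits


def summarize_by_source(hits):
    """Count legacy logons per (workstation, ip) so the noisiest stragglers are fixed first."""
    return Counter((ws, ip) for _, ws, ip, _ in hits)


if __name__ == "__main__":
    hits = find_legacy_logons(SAMPLE_EVENTS)
    for user, ws, ip, pkg in hits:
        print(f"{pkg:8} {user:14} from {ws} ({ip})")
    for (ws, ip), n in summarize_by_source(hits).most_common():
        print(f"{ws} ({ip}): {n} legacy logon(s)")
```

Once the policy is enforced, the same scan run against live exports should return an empty list; any hit that remains points at a device or service account that has not yet been reconfigured.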
Crimeware disruption and targeted intrusion
Microsoft announced a coordinated action with Europol and German authorities to disrupt RedVDS, a cybercrime‑as‑a‑service platform selling disposable Windows servers used for phishing, credential theft and fraud. According to BleepingComputer, the service contributed to significant reported losses and widespread account compromises, highlighting how low‑cost infrastructure and AI‑assisted tools scale criminal operations.
Meanwhile, Talos details activity by UAT‑8837, assessed as China‑nexus, focusing on initial access against high‑value organizations—particularly critical infrastructure in North America—using zero‑days and n‑days (including a Sitecore ViewState deserialization bug), credential theft, Active Directory abuse and tooling rotation to evade EDR. The report includes IOCs and detection content, and warns that the combination of zero‑day capability and AD reconnaissance raises the risk of prolonged access and lateral movement.
Platforms and AI tooling evolve
Google expanded BigQuery’s AI integration with a preview of managed third‑party inference for open models, allowing SQL‑native provisioning and batch inference from Hugging Face and Model Garden. The Google Cloud post outlines CREATE MODEL workflows, resource controls and automated cleanup to streamline cost and lifecycle management. In developer tooling, Microsoft made the Copilot Studio extension for VS Code publicly available, enabling teams to treat agents as code with versioning, previews and CI/CD integration, as covered by BleepingComputer.
AWS introduced EC2 X8i, a next‑generation memory‑optimized instance family for large in‑memory and database workloads; AWS highlights performance and capacity gains over X2i, with initial regional availability. On the consumer AI front, Google debuted Personal Intelligence, a Gemini feature that links data from Gmail, Photos, Search and other products to deliver personalized answers; the beta is opt‑in with app‑level controls, according to BleepingComputer.