
Quantum-Safe Push, ICS Patches, and Active Exploits
Coverage: 27 Jan 2026 (UTC)
New defensive rollouts arrived alongside critical industrial fixes. Palo Alto Networks set out a program to retire cryptographic debt and accelerate post-quantum migration in an announcement, while an urgent advisory from CISA republished Johnson Controls’ guidance for a CVSS 10.0 Metasys flaw. At the same time, attackers continued to exploit widely deployed software and identity paths, keeping response teams focused on patching and containment.
Platform controls expand
Palo Alto Networks introduced Quantum-Safe Security, a programmatic approach to discover legacy crypto, assess risk, and orchestrate remediation and governance across environments. The platform builds a live cryptographic bill of materials, prioritizes harvest-now-decrypt-later exposure, and supports staged transitions with virtual "cipher translation" at the edge, all detailed in the vendor’s announcement. Governance features map to standards such as NIST and DORA, with general availability slated for January 30, 2026.
AWS added web category–based filtering to Network Firewall, including explicit visibility and enforcement for generative AI services. Teams can reference predefined URL categories in stateful rule groups, pair them with TLS inspection to evaluate full paths, and centrally allow, log, or block traffic across accounts and regions. The feature, described in an update, reduces custom list maintenance and supports acceptable-use, data exfiltration prevention, and GenAI governance.
Google Cloud outlined new accelerators and scheduling controls for Dataflow, adding NVIDIA H100/H100 Mega GPU support and expanded TPU options, plus reservations and flex-start queuing for constrained resources. ML-aware autoscaling and heterogeneous pools aim to right-size pipelines by stage, improving performance and cost efficiency, according to the Dataflow blog. Separately, the Android Security Team broadened theft protections with a Failed Authentication Lock toggle, expanded Identity Check coverage, longer lockouts for failed unlocks, and stronger Remote Lock recovery; details are in the team’s post.
Meta’s WhatsApp introduced a Strict Account Settings mode geared to high-risk users, trading convenience for a reduced attack surface by restricting calls from unknown numbers and blocking unsolicited media. The rollout coincides with a major engineering shift to a Rust-based media library as part of the app’s memory-safety strategy, reported by The Hacker News. In a separate proof-of-concept effort, Cloudflare engineers ported a Matrix homeserver to Workers, mapping state to D1, KV, R2, and Durable Objects and layering end-to-end encryption over post-quantum hybrid TLS; the experiment is documented in a post.
Advisories and patches
Cyera Research Labs disclosed a critical sandbox escape in Grist-Core’s Python formula engine that allows a single spreadsheet formula to break out of the Pyodide sandbox and run arbitrary host-level code. Grist fixed the issue in version 1.7.9 by defaulting to Deno with permission-based isolation and urged administrators to upgrade and treat formula authoring as a privileged capability. Technical details and mitigation guidance are summarized by Infosecurity.
CISA republished Johnson Controls’ guidance for CVE-2025-26385 affecting multiple Metasys components, a CVSS 10.0 issue that could enable unauthenticated remote SQL execution and total loss of confidentiality, integrity, and availability across critical sectors. Patches are available via the vendor’s license portal, with network segmentation and port restrictions recommended. CISA also warned of a critical issue in iba Systems ibaPDA (CVE-2025-14988) enabling unauthorized filesystem actions; ibaPDA 8.12.1 remediates the flaw, per CISA’s advisory.
Microsoft Office received an out-of-band fix for CVE-2026-21509, a security feature bypass under active exploitation that circumvents OLE mitigations. Office 2021 and later get a service-side change after app restarts; Office 2016 and 2019 require published updates. Interim registry-based mitigation is available, as covered by The Hacker News.
In the open-source ecosystem, a critical sandbox escape in the vm2 Node.js library (CVE-2026-22709) stems from improper sanitization of async Promise callbacks, enabling host code execution from untrusted scripts; fixes are in 3.10.3, according to BleepingComputer. Email server operators face another pre-authentication takeover risk: SmarterMail’s CVE-2026-23760 allows anonymous password resets for known admin usernames; exploitation has been observed and build 9511 addresses the flaw, per BleepingComputer. Why it matters: trivial pre-authentication and content-borne exploit paths can convert routine workflows into reliable remote code execution or full system compromise if left unpatched.
Active exploitation and attack paths
The Google Threat Intelligence Group reports sustained, diverse exploitation of WinRAR CVE-2025-8088, a path traversal using Alternate Data Streams that lets malicious archives write files to arbitrary locations such as the Windows Startup folder. State-aligned and financially motivated actors have used the technique to deploy backdoors, RATs, and credential-stealing extensions since mid-2025; patching to WinRAR 7.13 and hunting for ADS extraction and Startup artifacts are advised, per Google TI.
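As an added defender-side example, not from the brief or from Google TI's report, the following PowerShell hunt lists recently modified Startup-folder entries and any non-default alternate data streams on files under a scan root, the two artifact classes the advice above points at. The scan root, lookback window and benign-stream list are assumptions.

```powershell
# Added hunt script (not the brief's or Google TI's own code). Scan root,
# lookback window and the benign-stream list are assumed defaults.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads",
    [int]$LookbackDays = 30
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Startup folders: anything written here runs at the next logon, so a
#    recent, unexpected file is worth triaging. Hash it for later lookup.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Finding  = 'RecentStartupItem'
                Path     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Alternate data streams: list every stream other than the main :$DATA
#    stream and the usual Zone.Identifier mark-of-the-web on files extracted
#    or downloaded under the scan root.
$benignStreams = @(':$DATA', 'Zone.Identifier')
Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding = 'NonDefaultADS'
                    Path    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                }
            }
    }
```

Pipe the output to Export-Csv to keep a record per host; a hit in either list is a lead for triage, not a confirmed compromise.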
Fortinet disclosed active abuse of an alternate authentication path in FortiCloud SSO (CVE-2026-24858) that let attackers create local admin accounts and exfiltrate firewall configurations. The company locked malicious accounts, temporarily disabled FortiCloud SSO globally, and restored it with server-side blocks for vulnerable firmware while patches are finalized. Indicators and response guidance—including removal of rogue accounts, configuration restoration from clean backups, and credential rotation—are detailed by BleepingComputer.
Breach impact and enforcement
SoundCloud account data mapping hit scale: Have I Been Pwned recorded approximately 29.8 million unique emails linked to public profile metrics after an ancillary service dashboard was accessed. The dataset, attributed to the ShinyHunters group, ties addresses to names, usernames, avatars, follower counts, and in some cases country, increasing phishing, spam, and harassment risk. Details are compiled by BleepingComputer.
U.S. authorities charged 31 additional defendants in a transnational ATM jackpotting operation that used Ploutus malware to drain cash from ATMs, bringing recent totals to 87 individuals charged. The indictment describes physical access, drive swaps or USB-based installs, and coordinated laundering of proceeds across ring members, reported by BleepingComputer.