The week of 12–18 January 2026 saw multiple high-impact vulnerabilities and attack campaigns that demand urgent attention from security and IT teams. From critical WordPress plugin exploitation to large-scale C2 infrastructure abuse, organisations must act quickly to patch, monitor, and harden their environments.
Several widely used platforms disclosed or patched vulnerabilities with significant exploitation potential this week.
allows attackers to gain full admin control over vulnerable sites and deploy malware, backdoors, and malicious redirects. The issue affects all versions up to and including 2.5.1 and is fixed in version 2.5.2, so sites should update immediately or temporarily disable the plugin. Note that disabling or updating the plugin stops further exploitation but does not remove anything already planted: sites that ran a vulnerable version exposed to the internet should also be checked for unexpected administrator accounts, modified core or theme files, and injected redirects.
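Because the bulletin does not name the plugin, the slug is left as a parameter in the following triage script. It is an added example, not code from Crowe UAE or from the plugin vendor: it reads the WordPress plugin header (the `Version:` line every plugin declares in its main PHP file) from each install and compares it against the fixed release 2.5.2 with a numeric version comparison rather than a string comparison, so that "2.10.0" is correctly treated as newer than "2.5.2". The plugin header in `demo()` is constructed for the demonstration.

```python
"""Check installed WordPress plugin versions against a fixed release.

Added example (not from the bulletin). The vulnerable plugin is unnamed in
the bulletin, so its slug is passed in; only the version boundary
(<= 2.5.1 vulnerable, 2.5.2 fixed) comes from the text.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "2.5.2"  # first fixed release per the bulletin

# WordPress plugin header line, e.g. " * Version: 2.5.1" inside the PHP doc comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v):
    """'2.5.1' -> (2, 5, 1). Pre-release suffixes such as '-beta' are dropped;
    non-numeric components count as 0 so a malformed header cannot crash the audit."""
    core = v.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # '2.5' compares as '2.5.0'
    b += (0,) * (width - len(b))
    return a < b


def plugin_version_from_header(php_source):
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def audit_plugin(plugins_dir, slug):
    """Look for the plugin header in wp-content/plugins/<slug>/*.php.

    Returns (version, vulnerable); (None, None) if the plugin is absent or
    declares no version, which a reviewer should treat as 'inspect manually'."""
    plugin_dir = Path(plugins_dir) / slug
    if not plugin_dir.is_dir():
        return None, None
    for php in sorted(plugin_dir.glob("*.php")):
        version = plugin_version_from_header(php.read_text(errors="ignore"))
        if version:
            return version, is_vulnerable(version)
    return None, None


def demo():
    """Build a CONSTRUCTED plugin directory with a vulnerable header and audit it."""
    sample_header = """<?php
/**
 * Plugin Name: Example Plugin (constructed sample, not a real plugin)
 * Version: 2.5.1
 */
"""
    with tempfile.TemporaryDirectory() as plugins_dir:
        slug_dir = Path(plugins_dir) / "example-plugin"
        slug_dir.mkdir()
        (slug_dir / "example-plugin.php").write_text(sample_header)
        return audit_plugin(plugins_dir, "example-plugin")


if __name__ == "__main__":
    version, vulnerable = demo()
    print(f"example-plugin {version}: {'VULNERABLE, update to ' + FIXED_VERSION if vulnerable else 'ok'}")
```

Run it against a real install by calling `audit_plugin("/var/www/html/wp-content/plugins", "<slug>")` for each site; a `(None, None)` result means the plugin directory or header was not found and the site needs a manual look rather than a clean bill of health.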
including CVE-2026-20805, an actively exploited Desktop Window Manager information disclosure bug used to defeat ASLR as a step in exploit chains. Additional flaws in Secure Boot (CVE-2026-21265) and VBS Enclave (CVE-2026-20876) highlight ongoing targeting of trusted OS components for privilege escalation and persistence.
(CVE-2025-59466, CVSS 7.5) affecting a broad range of LTS and current releases, a denial-of-service flaw that can abruptly crash production Node.js processes that use AsyncLocalStorage, whether directly or through the popular frameworks that rely on it.
Beyond patchable vulnerabilities, adversaries continued to scale their infrastructure and successfully compromise high trust organisations.
exposed personal and financial data of approximately 750,000 individuals after a phishing-driven intrusion. Compromised records include names, dates of birth, government ID numbers, Social Insurance Numbers, and investment account details, underscoring the long-tail risk of regulatory data aggregation: a regulator holds copies of records from many institutions, so one intrusion exposes customers of all of them.
hosted across 48 providers in China, with China Unicom, Alibaba Cloud, and Tencent Cloud accounting for the majority of the malicious infrastructure. The ecosystem supports diverse malware families and frameworks such as Mozi, ARL, Cobalt Strike, Vshell, and Mirai, illustrating the scale of shared C2 backbones used by both cybercrime and advanced threat actors. Because these providers also host legitimate services, blocking them wholesale is rarely an option; the practical detection is to watch for beacon-like outbound connections to hosting-provider address space the organisation has no business with.
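The following detection sketch is an added example, not code from the bulletin or from any vendor named in it. It walks outbound connection log lines, maps each destination to a hosting provider with a prefix table, keeps only connections to watch-listed providers, and then scores each source/destination pair for beacon-like regularity (the coefficient of variation of the gaps between connections; a Cobalt Strike-style beacon with low jitter sits near zero, ordinary browsing does not). The log format, the log lines and the prefix table are all constructed for the demo: the prefixes are RFC 5737 documentation ranges and are not the real address space of Alibaba Cloud, Tencent Cloud or China Unicom, so in practice the table must be populated from an IP-to-ASN feed.

```python
"""Flag outbound connections to watch-listed hosting providers and score them
for beacon-like timing.

Added example, not from the bulletin. PROVIDER_PREFIXES and SAMPLE_LOG are
CONSTRUCTED: RFC 5737 documentation ranges stand in for real provider space.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# CONSTRUCTED mapping for the demo; populate from an IP-to-ASN/org feed in practice.
PROVIDER_PREFIXES = {
    "Alibaba Cloud": ["203.0.113.0/24"],
    "Tencent Cloud": ["198.51.100.0/24"],
    "China Unicom": ["192.0.2.0/24"],
}
WATCHLIST = set(PROVIDER_PREFIXES)  # providers the organisation has no business with

NETWORKS = [(ipaddress.ip_network(p), org)
            for org, prefixes in PROVIDER_PREFIXES.items() for p in prefixes]


def provider_for(ip):
    """Return the provider owning `ip`, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, org in NETWORKS:
        if addr in net:
            return org
    return None


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src> <dst>:<port> <bytes>'."""
    ts, src, dst_port, nbytes = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps.

    Near 0 means clockwork intervals (beacon with little jitter); None when
    there are too few connections to judge."""
    if len(timestamps) < 4:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def analyse(lines, max_cv=0.2):
    """Group watch-listed connections per (src, dst, port) and score each group."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        org = provider_for(dst)
        if org in WATCHLIST:
            flows[(src, dst, port, org)].append(ts)
    findings = []
    for (src, dst, port, org), stamps in flows.items():
        cv = beacon_score(stamps)
        findings.append({
            "src": src, "dst": dst, "port": port, "provider": org,
            "count": len(stamps), "cv": cv,
            "beacon_like": cv is not None and cv <= max_cv,
        })
    return findings


# CONSTRUCTED sample: a 60 s beacon with ~2 s jitter, irregular traffic to a
# watch-listed host, one-off traffic, and benign DNS that is not in the table.
SAMPLE_LOG = [
    "2026-01-14T09:00:00 10.0.0.5 203.0.113.7:443 1320",
    "2026-01-14T09:00:05 10.0.0.5 8.8.8.8:53 64",
    "2026-01-14T09:01:00 10.0.0.5 203.0.113.7:443 1298",
    "2026-01-14T09:02:01 10.0.0.5 203.0.113.7:443 1311",
    "2026-01-14T09:03:00 10.0.0.5 203.0.113.7:443 1305",
    "2026-01-14T09:04:02 10.0.0.5 203.0.113.7:443 1330",
    "2026-01-14T09:00:00 10.0.0.8 198.51.100.9:8080 88213",
    "2026-01-14T09:00:30 10.0.0.8 198.51.100.9:8080 4012",
    "2026-01-14T09:05:00 10.0.0.8 198.51.100.9:8080 120440",
    "2026-01-14T09:20:00 10.0.0.8 198.51.100.9:8080 3200",
    "2026-01-14T09:10:00 10.0.0.12 192.0.2.44:80 980",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        cv = "n/a" if f["cv"] is None else f"{f['cv']:.3f}"
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['provider']}) "
              f"n={f['count']} cv={cv} beacon_like={f['beacon_like']}")
```

The `max_cv` threshold of 0.2 is a starting point, not a constant: beacons configured with high jitter will score above it, so treat the provider match as the primary signal and the timing score as a way to rank what to look at first.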
Patch and browser security releases this week further emphasise the breadth of the modern attack surface.
is causing affected Enterprise and IoT systems running version 23H2 with Secure Launch enabled to restart instead of shutting down or hibernating. As a temporary workaround, administrators can force a shutdown from the command line or consider disabling Secure Launch; the latter removes the boot-time (DRTM) protection Secure Launch provides and should be weighed against the risk of systems that never actually power off, for example laptops that stay running in bags.
addressed 114 vulnerabilities across Windows, Office, Azure, and related components, including eight rated Critical and 106 Important. The prominence of privilege escalation and information disclosure flaws reinforces the need for timely patching and continuous monitoring for post-exploitation activity, since these bug classes are typically chained with an initial foothold rather than exploited on their own.
with fixes for 16 vulnerabilities, including high-severity sandbox escapes in WebGL, Canvas, DOM, and the Messaging System, as well as multiple memory safety issues. While no active exploitation was reported at release time, the nature of these bugs makes them highly attractive for future browser-based exploit chains.
Security leaders should translate this week’s threat intelligence into clear, actionable steps.
Stay secure. Stay informed.
Crowe UAE – Cyber Threat Management
Take Free Cyber Threat Assessment & Consultation from Crowe UAE: Request Assessment
+971 542468006 | [email protected]