Infosec bits for 2026 week 04

Heloise Meyer | Jan. 23, 2026, 1:33 p.m.

Cybersecurity News:

Why Identity Security Must Move Beyond MFA [Torsten George, Security Week]

Why Secrets in JavaScript Bundles are Still Being Missed [The Hacker News, The Hacker News]

Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 [Sergiu Gatlan, Bleeping Computer]

Vulnerabilities & Patches:

Ancient telnet bug happily hands out root to attackers [Connor Jones, The Register]

100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin [István Márton, Wordfence]

Critical Vivotek Vulnerability Allows Remote Users to Inject Arbitrary Code [Abinaya, Cyber Security News]

CVE-2025-25249: Remote Code Execution Vulnerability in FortiOS and FortiSwitchManager [Julian Tuin, Arctic Wolf]

Zoom fixed critical Node Multimedia Routers flaw [Pierluigi Paganini, Security Affairs]

Oracle’s First 2026 CPU Delivers 337 New Security Patches [Ionut Arghire, Security Week]

RCE flaw in Cisco enterprise communications products probed by attackers (CVE-2026-20045) [Zeljka Zorz, Help Net Security]

Fortinet admins report patched FortiGate firewalls getting hacked [Sergiu Gatlan, Bleeping Computer]

Cyber Attacks:

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts [Ravie Lakshmanan, The Hacker News]

LastPass warns backup request is phishing campaign in disguise [David Jones, Cybersecurity Dive]

Mass Spam Attacks Leverage Zendesk Instances [Alexander Culafi, Dark Reading]

Proxyware Malware Disguised as Notepad++ Tool Leverages Windows Explorer Process to Hijack Systems [Tushar Subhra Dutta, Cyber Security News]

Tooling:

ZAP Releases OWASP PenTest Kit Browser Extension for Application Security Testing [Guru Baran, Cyber Security News]