Svoboda Cybersecurity Brief January 08, 2026
Critical n8n Vulnerability Allows Full Server Compromise
A critical vulnerability (CVE-2026-21858, CVSS 10.0) in the n8n workflow automation platform allows unauthenticated attackers to read arbitrary files, forge admin sessions, and execute commands. The flaw stems from content-type confusion in webhook parsing, enabling attackers to manipulate file paths. Over 100,000 n8n servers are potentially exposed.
Impact: Full system compromise, credential theft, and lateral movement.
Mitigation: Upgrade to n8n 1.121.0+, disable public webhooks, and enforce authentication.
Source: The Hacker News
GoBruteforcer Botnet Targets Crypto Projects via AI-Generated Configs
The GoBruteforcer botnet is exploiting weak default credentials in XAMPP and AI-generated server configurations to brute-force FTP, MySQL, and PostgreSQL services. Compromised servers are used to deploy wallet-scanning tools targeting TRON and Binance Smart Chain addresses.
Impact: Credential theft, crypto wallet draining, and botnet recruitment.
Mitigation: Avoid AI-generated configs, use strong passwords, and replace outdated stacks like XAMPP.
Source: BleepingComputer
D-Link Router Zero-Day Exploited in Active Attacks
A critical flaw (CVE-2026-0625, CVSS 9.3) in legacy D-Link DSL routers allows unauthenticated RCE via DNS configuration manipulation. Exploits have been observed since November 2025, targeting models like DSL-2740R and DSL-526B. No patches are available for these EoL devices.
Impact: Full device takeover, DNS hijacking, and network infiltration.
Mitigation: Replace affected routers and restrict management interface access.
Source: The Hacker News
Veeam Backup & Replication Vulnerabilities Expose Systems to RCE
Four flaws (CVE-2025-59470, CVE-2025-55125, etc.) in Veeam Backup & Replication allow privileged users to execute code as root or postgres. While exploitation requires high privileges, ransomware groups have historically targeted Veeam vulnerabilities.
Impact: Remote code execution and backup tampering.
Mitigation: Upgrade to version 13.0.1.1071 and restrict operator roles.
Source: SecurityWeek
Ledger Customer Data Breached via Third-Party Processor
Ledger’s payment processor, Global-e, exposed customer names and contact details due to unauthorized cloud access. The breach scope and timeline remain undisclosed.
Source: DataBreaches.net
Black Cat Gang Uses SEO Poisoning to Spread Malware
The Black Cat group is pushing fake sites (e.g., “cn-notepadplusplus[.]com”) via Bing search results to distribute backdoors. The malware steals browser data, keystrokes, and clipboard contents, compromising over 277,800 hosts in China.
Impact: Data theft and remote system control.
Mitigation: Download software only from official sources.
Source: The Hacker News
Critical jsPDF Flaw Exposes Local Files via PDF Generation
A vulnerability (CVE-2025-68428, CVSS 9.2) in jsPDF’s Node.js builds allows local file inclusion via unsanitized paths in functions like addImage or html. The library has 3.5M weekly npm downloads.
Impact: Sensitive file disclosure (e.g., configs, secrets).
Mitigation: Upgrade to jsPDF 4.0.0+ and use Node.js 22.13.0+ with the --permission flag.
Source: BleepingComputer
ownCloud Warns of Credential Theft via Infostealers
Attackers are using infostealers (RedLine, Lumma) to compromise ownCloud instances lacking MFA. Stolen credentials are sold on dark web markets.
Impact: Unauthorized access to sensitive file-sharing data.
Mitigation: Enable MFA, reset passwords, and review logs.
Source: BleepingComputer
UK Allocates £210M to Public Sector Cyber Defense
The UK government plans to establish a Government Cyber Unit and enforce minimum security standards for public services. The initiative follows ransomware attacks on NHS and MOD systems.
Source: BleepingComputer
Malicious Chrome Extensions Steal AI Chat Logs
Two extensions impersonating AITOPIA harvested 900K users’ ChatGPT/DeepSeek conversations and browser data. The malware exfiltrated URLs, session tokens, and PII via Lovable.io infrastructure.
Impact: Corporate espionage and credential theft.
Mitigation: Remove the extensions and audit LLM usage.
Source: SecurityWeek