This week’s brief is a reminder that control planes are attack planes: management servers, backup platforms, and “forgotten” edge routers are all prime targets. Patch the internet-facing management surfaces first, then validate exposure with logs and compensating controls.
🚨 Top Stories
HPE OneView: exploitation observed against a critical flaw
HPE issued guidance for OneView after researchers reported active exploitation targeting impacted deployments.
Source: HPE Security Bulletin (HPESBGN04985)
💡 Key Takeaway: Treat management-plane software like a Tier‑0 asset: restrict exposure, patch/hotfix immediately, and review access logs for anomalous sessions and new local accounts.
D‑Link EOL/EOS DSL gateways: command injection via DNS feature under active exploitation
D‑Link confirmed exploitation activity tied to CVE‑2026‑0625 affecting certain legacy DSL gateways/routers; no patch is expected for end‑of‑life models.
Source: D‑Link Security Announcement (SAP10488)
💡 Key Takeaway: If it’s EOL and remotely reachable, it’s effectively unpatchable risk—retire/replace first, then add egress DNS controls and block risky management interfaces at the edge.
Trend Micro Apex Central patches a critical unauthenticated RCE
Trend Micro released a critical patch for Apex Central (on‑prem) addressing multiple issues, including an unauthenticated RCE (CVE‑2025‑69258, CVSS 9.8).
Source: Trend Micro Critical Security Bulletin (KA‑0022071)
💡 Key Takeaway: Prioritize Apex Central upgrades if exposed to untrusted networks; then validate with a quick port/service inventory and confirm the patched build is deployed everywhere.
🛡️ Vulnerability Spotlight
CVE‑2025‑68428: jsPDF path traversal / local file read in Node builds
A critical jsPDF vulnerability can allow reading arbitrary local files when untrusted input reaches vulnerable methods in server‑side Node.js usage; fixed in jsPDF 4.0.0.
Source: Endor Labs analysis
💡 Key Takeaway: If jsPDF is used server‑side, upgrade and audit call sites where user input can influence file paths—treat this as a secrets‑exposure risk (configs, keys, creds).
Veeam Backup & Replication 13: multiple fixes in 13.0.1.1071
Veeam published an advisory covering several vulnerabilities addressed in Backup & Replication 13.0.1.1071.
Source: Veeam KB4792 (B&R 13.0.1.1071)
💡 Key Takeaway: Backup platforms are high‑privilege by design—patch fast, restrict admin roles, isolate the management plane, and verify immutability/offline recovery paths.
📈 Trend to Watch
Prompt‑poaching via browser extensions is becoming an enterprise data‑loss pattern
OX Security detailed a campaign where malicious Chrome extensions exfiltrated ChatGPT/DeepSeek conversations and browsing data at scale—another reminder that “productivity” add‑ons can become covert DLP failures.
Source: OX Security research
💡 Key Takeaway: Treat browser extensions like SaaS apps: enforce allow‑lists, review permissions, and add controls for AI usage where sensitive data can be pasted into third‑party surfaces.
🏛️ Policy & Regulation Watch
CISA closes 10 Emergency Directives as BOD 22‑01 coverage matures
CISA closed multiple historical Emergency Directives as remediation workflows and the KEV-driven model (BOD 22‑01) continue to standardize federal vulnerability response.
Source: SecurityWeek coverage
💡 Key Takeaway: Use this as a cue to harden your own “KEV-style” process: maintain a short list of must-fix exposures with clear deadlines, owners, and verification evidence.
🧰 Tool / Resource of the Week
Chainsaw: fast EVTX triage with Sigma hunting (incident response friendly)
Chainsaw is a Rust-based CLI that hunts Windows event logs using Sigma and built-in detection logic—great for rapid triage when you don’t have centralized logging available.
Source: WithSecureLabs/chainsaw (GitHub)
💡 Key Takeaway: Add Chainsaw to your IR jump kit and pre-stage a known-good Sigma ruleset; it’s a practical way to validate suspicious logins, service installs, and lateral movement quickly.
⚡ Quick Hits
Android Security Bulletin (January 2026) published
Google published the January 2026 Android Security Bulletin with fixes for Android devices at patch level 2026‑01‑05 or later.
Source: Android Security Bulletin—January 2026
💡 Key Takeaway: If you manage Android fleets, align MDM compliance to patch level 2026‑01‑05+ and track device/vendor lag as an explicit risk metric.
FBI warns on Kimsuky ‘quishing’ (malicious QR codes in spear‑phishing)
A public FBI advisory details North Korea-linked Kimsuky activity using QR codes to push victims onto mobile flows that bypass typical desktop controls.
Source: FBI / IC3 advisory (PDF)
💡 Key Takeaway: Update phishing playbooks to include QR code handling: encourage URL previews, add mobile protections, and route QR links through safe browsing detonation where possible.
Critical n8n flaw enables takeover of exposed instances
Security reporting highlighted a critical n8n vulnerability (CVE‑2026‑21858) that can enable takeover attacks against vulnerable deployments.
Source: SecurityWeek report
💡 Key Takeaway: If you run n8n, review exposure of webhook endpoints and upgrade quickly—assume internet-facing automation platforms will be probed rapidly after disclosure.
Totolink EX200 range extender bug can enable root-level takeover
A Totolink EX200 firmware-upload handler issue can cause an unauthenticated root Telnet service to start, enabling full device takeover.
Source: SecurityWeek report
💡 Key Takeaway: Quarantine consumer/SMB-grade networking gear from production networks; where unavoidable, isolate and monitor for unexpected management services (Telnet/SSH).
Ransomware-linked breach impacts 377,000 at Texas gas station firm
A ransomware incident at Gulshan Management Services impacted hundreds of thousands of individuals, per regulatory notifications and reporting.
Source: SecurityWeek report
💡 Key Takeaway: Rehearse your breach muscle: validate offline restores, ensure logging retention is sufficient for forensics, and pre-assign ownership for regulator/customer comms.
⚔️ Actionable Defense Move of the Week
Run a 30‑minute “management plane exposure” sweep:
- Inventory externally reachable admin surfaces (OneView, backup consoles, EDR/SIEM managers, automation tools).
- Enforce IP allow‑lists/VPN-only access where possible and disable legacy services (Telnet, unauthenticated HTTP endpoints).
- Confirm patch/build versions for Apex Central and any internet-facing management servers, and capture evidence (screenshots/exports) for audit.
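One way to turn the three steps above into a repeatable sweep (added example, not tooling from the brief or any vendor): the inventory hostnames, versions and zones are constructed, the Veeam minimum build is the 13.0.1.1071 from the Veeam item above, and the Apex Central minimum build is a placeholder to fill from the Trend Micro bulletin. The TCP probe is real; the `reachable` parameter is injectable so the scoring logic can be checked without network access.

```python
import socket

LEGACY_PORTS = {23: "telnet", 80: "http"}              # unencrypted/legacy admin transports
MIN_BUILD = {"veeam-br": "13.0.1.1071",                 # patched build from Veeam KB4792
             "apex-central": "FILL_FROM_KA-0022071"}    # placeholder: take the build from the bulletin
SEVERITIES = ["critical", "high", "medium", "ok"]       # worst first

def build_tuple(version):
    """'13.0.1.1071' -> (13, 0, 1, 1071); None for placeholders or unknown strings."""
    parts = version.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def tcp_reachable(host, port, timeout=2.0):
    """Live probe: a completed TCP handshake means the admin surface is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(asset, reachable=tcp_reachable):
    """Score one asset; 'reachable' is injectable so the logic can be checked offline."""
    findings = []
    exposed = asset["zone"] == "internet" and reachable(asset["host"], asset["port"])
    if exposed:
        findings.append("admin surface reachable from the internet: move behind VPN/IP allow-list")
    if asset["port"] in LEGACY_PORTS:
        findings.append(f"legacy service {LEGACY_PORTS[asset['port']]}/{asset['port']}: disable")
    if asset.get("eol"):
        findings.append("end-of-life device: no patch expected, retire or replace")
    want = MIN_BUILD.get(asset.get("product", ""))
    have, need = build_tuple(asset.get("version", "")), build_tuple(want or "")
    if want and need is None:
        findings.append(f"minimum build for {asset['product']} not set: fill MIN_BUILD from the vendor bulletin")
    elif need and (have is None or have < need):
        findings.append(f"running {asset.get('version', 'unknown')}, patched build is {want}")
    weak = len(findings) > (1 if exposed else 0)        # any defect beyond bare exposure
    severity = "critical" if exposed and weak else "high" if exposed else "medium" if weak else "ok"
    return {"host": asset["host"], "severity": severity, "findings": findings}

def sweep(inventory, reachable=tcp_reachable):
    """Assess every asset, worst first; the result doubles as the audit evidence export."""
    return sorted((assess(a, reachable) for a in inventory), key=lambda r: SEVERITIES.index(r["severity"]))

# Constructed inventory: hostnames, versions and zones are made up for the example.
INVENTORY = [
    {"host": "oneview.example.test", "product": "hpe-oneview", "port": 443, "zone": "internet", "version": "9.1.0"},
    {"host": "veeam-01.corp.test", "product": "veeam-br", "port": 9443, "zone": "vpn", "version": "13.0.0.100"},
    {"host": "dsl-gw.branch.test", "product": "dlink-dsl", "port": 23, "zone": "internet", "eol": True},
    {"host": "apex.corp.test", "product": "apex-central", "port": 443, "zone": "vpn", "version": "2019"},
]
```

Run `sweep(INVENTORY)` against your own inventory with the default probe; the `zone` field records where the host is expected to be reachable from, so an internet-zone host that answers is the first thing to fix.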
🧠 Final Word
Attackers keep going where privileges concentrate. If you can’t move a control plane behind strong access controls, treat it like an internet-facing service: patch fast, monitor harder, and assume it will be targeted.