InfoSec.Watch — Issue #121

Cisco releases final fixes for actively exploited Secure Email Gateway RCE (CVE-2025-20393)

Cisco published final patches and guidance for a critical unauthenticated remote command execution flaw in AsyncOS affecting Cisco Secure Email Gateway and Secure Email and Web Manager when Spam Quarantine is enabled and exposed

Source: Cisco, NVD

💡 Key Takeaway: Patch/upgrade immediately, then hunt for post-exploitation tooling and persistence around SEG/SEWM appliances. Treat the email gateway as a Tier-0 asset: lock down internet exposure, restrict admin access, and review quarantine-related access logs.

Microsoft January Patch Tuesday includes an actively exploited Windows zero-day (CVE-2026-20805) now in KEV

Microsoft’s first Patch Tuesday of 2026 addressed 100+ flaws, including an actively exploited Desktop Window Manager information disclosure bug that CISA added to KEV

Source: The Hacker News, Tenable, NVD

💡 Key Takeaway: Don’t ignore “low CVSS” when exploitation is confirmed. Prioritize the KEV item across privileged endpoints, VDI/jump hosts, and systems where exploit chains are most likely to land.

Ransomware hits Belgian hospital network; critical patients transferred and surgeries canceled

AZ Monica hospital in Belgium shut down servers, canceled procedures, and transferred ICU patients to other facilities after a cyberattack disrupted operations

Source: The Record

💡 Key Takeaway: Healthcare disruption is an availability event first. Validate that downtime procedures actually work: “paper mode,” device isolation, segmented imaging/lab networks, and an off-network incident comms plan.

Actively exploited Gogs RCE chain (CVE-2025-8110) added to KEV

A high-severity flaw in Gogs’ PutContents API related to symbolic link handling is being actively exploited; Wiz published research after observing malware on public-facing instances

Source: Wiz, NVD, GitHub Advisory

💡 Key Takeaway: If you run self-hosted Git services, treat “dev infrastructure” as production. Restrict exposure, enforce SSO/MFA, and monitor for unexpected file writes and process launches from the Gogs service account.

Palo Alto Networks PAN-OS GlobalProtect DoS (CVE-2026-0227) can push firewalls into maintenance mode

An unauthenticated attacker can trigger a DoS condition affecting GlobalProtect Gateway/Portal; repeated attempts can force a firewall into maintenance mode

Source: Palo Alto Networks

💡 Key Takeaway: Availability vulnerabilities on perimeter VPN stacks are operational risk. Patch quickly, rate-limit and shield GlobalProtect endpoints, and ensure you have a tested “remote access failover” (alternate concentrator or cloud VPN).

Workflow automation platforms are becoming credential vaults (and supply-chain targets)

A reported supply-chain attack abused community nodes in the n8n workflow automation ecosystem to exfiltrate credentials and tokens from centralized integrations

Source: The Hacker News

💡 Key Takeaway: Inventory automation platforms (n8n, iPaaS, RPA) as high-risk assets: restrict marketplace plugins, rotate stored tokens, and monitor outbound calls for unusual destinations.

World Economic Forum — Global Cybersecurity Outlook 2026 (report)

A strategic read for leadership conversations on ransomware, supply-chain disruption, and systemic risk

Source: WEF PDF

💡 Key Takeaway: Use one chart/insight from the report to reinforce funding for identity hardening, KEV-driven patch SLAs, and third-party risk governance.

Patch Tuesday deep dive: exploitability and prioritization notes

Practical triage guidance on January’s patches.

Source: Qualys

💡 Key Takeaway: Use a second-source review to decide what truly belongs in your 48–72 hour patch lane.

Patch Tuesday roundup with defender-focused takeaways

Operational recap for prioritization.

Source: Expel

💡 Key Takeaway: Turn triage into a repeatable weekly ritual: publish an internal patch priority note.

More context on the Windows DWM KEV item

Why the info disclosure matters in exploit chains.

Source: The Register

💡 Key Takeaway: When details are scarce, increase monitoring around chain prerequisites (LPE paths, suspicious process trees, credential access).

Belgian hospital disruption shows the real cost of IT outages

Availability and safety impacts.

Source: The Record

💡 Key Takeaway: If your downtime plan hasn’t been exercised in the last 6 months, it’s not a plan.

Gogs KEV: what’s exposed and why it’s moving fast

Defender-friendly context.

Source: RunZero

💡 Key Takeaway: Use external exposure checks to find forgotten dev services before adversaries do.

Run a 90-minute “Tier-0 services” verification sprint

Pick one high-impact service class this week (email gateway, perimeter VPN, or dev Git service) and • Confirm patch level + exposure (ports, LB/WAF, admin access paths) • Review 7 days of logs for anomalous auth, command execution, or unexpected file writes • Validate you can rapidly disable the most-exploited feature (quarantine exposure, portal endpoints) • Capture owner + on-call contact + a one-page containment runbook

💡 Key Takeaway: The fastest improvement is knowing what’s exposed — and having a rehearsed “containment switch” when the next advisory drops.

Final Word

This was a week of availability and control-plane reality checks: email infrastructure, VPN gateways, and operational environments don’t fail gracefully. Patch fast, verify exposure, and practice containment — because the next outage won’t ask permission.

💡 Key Takeaway: Patch fast, verify exposure, and rehearse containment switches before you need them.