InfoSec.Watch — Issue #122 — 2026-01-26

🚨 Top Stories

Cisco Unified Communications zero-day RCE (CVE-2026-20045) is being exploited — apply the fix for your specific version

Cisco says it has observed attempted exploitation of a web-management RCE that can lead to root-level compromise across multiple Unified Communications products; CISA has also listed it as exploited.

Source: Cisco Advisory, NVD, MS-ISAC

💡 Key Takeaway: Treat UC management surfaces like tier‑0: patch immediately, restrict admin interfaces to a jump network/VPN, and run an assumed‑breach review of configs, accounts, and root-level indicators after updating.

Oracle’s January 2026 Critical Patch Update drops 300+ patches — prioritize remotely exploitable services first

Oracle’s January CPU includes hundreds of security updates across its portfolio. Focus first on products exposed to the network (middleware, database services, backup/recovery, and Java components) and any internet-facing management endpoints.

Source: Oracle CPU Jan 2026, Tenable Analysis

💡 Key Takeaway: Don’t “patch by product” — patch by exposure: inventory externally reachable Oracle services, map them to CPU matrices, and enforce compensating controls (WAF, auth, segmentation) until maintenance windows land.

Ingram Micro discloses ransomware data exposure via Maine AG filing — third‑party concentration risk keeps paying attackers

A major IT distributor disclosed that a ransomware incident involved access to internal file repositories containing personal data for tens of thousands of people, per its notification filing.

Source: Maine AG Filing, SecurityWeek

💡 Key Takeaway: Update your vendor playbooks: require breach-notification SLAs, validate what sensitive data your distributors/MSPs store, and pre-stage a “third‑party incident” response path (tokens/keys rotation, access reviews, and comms).

🛡️ Vulnerability Spotlight

CVE-2026-20045 (Cisco UC) — exploited RCE to root via web management interface

Unauthenticated attackers can send crafted HTTP requests to gain OS access and elevate to root. Cisco reports exploitation attempts in the wild.

Source: Cisco Advisory, MS-ISAC

💡 Key Takeaway: If you can’t patch today, immediately remove exposure: block admin interfaces from the internet, restrict by allowlist, and monitor for suspicious admin UI traffic patterns and new local users.

Malicious code in dev dependencies (eslint-config-prettier) added to CISA KEV — assume CI/CD pulls are an attack surface

CISA added an entry covering malicious code embedded in a widely used development dependency to its Known Exploited Vulnerabilities catalog.

Source: CISA KEV Catalog, KEV Additions Summary

💡 Key Takeaway: Pin and verify: enforce lockfiles, use artifact repositories, require signature/attestation where available, and alert on unexpected dependency drift in CI builds.
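The "alert on unexpected dependency drift" control above can be a small CI gate that diffs the committed lockfile against the one actually resolved in the build. The script below is an added example written for this issue, not code from InfoSec.Watch or from any of the projects mentioned; the two npm-style lockfiles (lockfileVersion 3 layout) and the allowed registry hosts are constructed for illustration, and the `npm.internal.example` mirror is an assumed internal artifact repository.

```python
"""CI gate: flag dependency drift between the committed lockfile and the
lockfile resolved during the build. Added example; lockfiles are constructed."""
import json
from urllib.parse import urlparse

# Registry hosts a build is allowed to fetch from (assumption: one public
# registry plus an internal mirror). Anything else is a supply-chain red flag.
ALLOWED_HOSTS = {"registry.npmjs.org", "npm.internal.example"}

# Constructed "committed" lockfile (npm lockfileVersion 3 layout, abbreviated).
COMMITTED_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/eslint-config-prettier": {
            "version": "9.1.0",
            "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-9.1.0.tgz",
            "integrity": "sha512-COMMITTEDHASH1"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-COMMITTEDHASH2"},
    }})

# Constructed lockfile as resolved in the CI job: one package silently bumped
# (new version and integrity hash) and one new package pulled from an
# unexpected host. Versions and hashes are placeholders, not real releases.
CI_RESOLVED_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/eslint-config-prettier": {
            "version": "9.1.1",
            "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-9.1.1.tgz",
            "integrity": "sha512-CHANGEDHASH"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-COMMITTEDHASH2"},
        "node_modules/totally-new-pkg": {
            "version": "0.0.1",
            "resolved": "https://evil-mirror.example/totally-new-pkg-0.0.1.tgz",
            "integrity": "sha512-UNKNOWNHASH"},
    }})


def load_packages(lock_text: str) -> dict:
    """Return {install_path: metadata} for every real package in a lockfile."""
    data = json.loads(lock_text)
    return {path: meta for path, meta in data.get("packages", {}).items() if path}


def diff_lockfiles(committed: str, resolved: str) -> dict:
    """Compare committed vs. resolved lockfile and report drift by category."""
    c, r = load_packages(committed), load_packages(resolved)
    findings = {"added": [], "removed": [], "changed": [], "untrusted_source": []}
    findings["added"] = sorted(set(r) - set(c))
    findings["removed"] = sorted(set(c) - set(r))
    for path in sorted(set(c) & set(r)):
        before = (c[path].get("version"), c[path].get("integrity"))
        after = (r[path].get("version"), r[path].get("integrity"))
        if before != after:  # version bump or integrity change both count
            findings["changed"].append((path, before[0], after[0]))
    for path, meta in sorted(r.items()):
        host = urlparse(meta.get("resolved", "")).hostname
        if host and host not in ALLOWED_HOSTS:
            findings["untrusted_source"].append((path, host))
    return findings


def should_block_build(findings: dict) -> bool:
    """Any drift at all fails the build; a human must re-pin deliberately."""
    return any(findings.values())


if __name__ == "__main__":
    result = diff_lockfiles(COMMITTED_LOCK, CI_RESOLVED_LOCK)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("BLOCK BUILD" if should_block_build(result) else "ok")
```

In a real pipeline the committed lockfile comes from the checked-out revision and the resolved one from `npm ci` output (or the equivalent for your ecosystem); the categories map directly to the alerts the takeaway calls for, and the untrusted-source check is what makes an internal mirror enforceable rather than merely recommended.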

Zimbra Collaboration Suite remote file inclusion added to KEV — keep internet-facing mail/collab fully patched

A Zimbra Collaboration Suite issue was added to KEV, indicating confirmed exploitation in the wild.

Source: CISA KEV Catalog, KEV Additions Summary

💡 Key Takeaway: Inventory every externally reachable Zimbra instance (including DR) and patch/upgrade fast; add EDR + file-integrity monitoring for web roots and review outbound connections for webshell behavior.

📈 Trend to Watch

The exploited surface is shifting up the stack: ‘dependencies’ and ‘management UIs’ are now first‑class intrusion paths

This week’s KEV adds highlight a blend of classic perimeter weaknesses (admin UIs) and modern supply-chain realities (malicious packages). Defenders should assume attacker automation will chase anything that’s easy to scan or easy to poison.

Source: CISA KEV Catalog

💡 Key Takeaway: Add two controls to your weekly rhythm: (1) block/segment management planes and (2) continuously verify software supply chain integrity (SBOMs, signing, and internal mirrors).

🧰 Tool / Resource of the Week

MS-ISAC advisories + subscriptions (free) — a clean way to operationalize patch urgency

The MS-ISAC publishes concise, actionable advisories and offers free public subscriptions so teams can get vendor-agnostic remediation guidance in their inbox.

Source: MS-ISAC, Public Subscriptions

💡 Key Takeaway: Use MS-ISAC alerts as a second signal alongside KEV/EPSS: wire them into your vuln-triage channel and map each advisory to a concrete ‘patch/mitigate/detect’ ticket.

⚡ Quick Hits

Munson Healthcare issues notice tied to legacy Cerner access — third‑party EHR blast radius continues

Munson says an unauthorized party accessed data maintained by Cerner on legacy systems, prompting patient notifications and credit monitoring offers.

Source: Munson Notice

💡 Key Takeaway: Treat SaaS/EHR incidents as shared responsibility: verify what “legacy” systems still store, require vendor segmentation evidence, and keep a standing data‑minimization review for PHI/PII.

Michigan AG publishes consumer alert following Northern Michigan healthcare cyber incident

Michigan’s Attorney General reissued guidance for consumers after a healthcare cyber incident impacting patients in Northern Michigan.

Source: Michigan AG

💡 Key Takeaway: For healthcare orgs: assume regulators will amplify patient guidance quickly — pre-build patient comms templates and make ‘credit freeze + monitoring’ support frictionless.

HPE OneView exploitation campaign accelerates — apply the enhanced hotfix and hunt for botnet activity

Check Point reported large-scale automated exploitation attempts against CVE-2025-37164. HPE’s updated bulletin provides enhanced remediation hotfix guidance.

Source: Check Point Research, HPE Bulletin

💡 Key Takeaway: After patching, validate exposure and credentials: rotate OneView admin secrets, review API access, and isolate OneView from east-west traffic until you confirm no persistence.

CISA adds four more exploited flaws to KEV — treat KEV adds as a same-day change request

CISA’s KEV catalog continues to expand; new additions this week span enterprise products and development tooling.

Source: CISA KEV Catalog

💡 Key Takeaway: Define a KEV runbook: within 24 hours, identify exposure, apply mitigations, and document detection coverage (logs, EDR, and network controls).

Oracle CPU reminds defenders: ‘remotely exploitable without auth’ should trump CVSS in prioritization

Oracle’s risk matrices explicitly flag components remotely exploitable without authentication — a pragmatic priority signal for enterprise patch sequencing.

Source: Oracle CPU Jan 2026

💡 Key Takeaway: Automate priority: ingest vendor ‘remote without auth’ flags into your vuln platform and bubble those to the top even if CVSS looks ‘only’ high.
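The KEV runbook above (24-hour exposure/mitigation/detection ticket) and this takeaway (vendor "remote without auth" flags outranking CVSS) are two halves of one triage ordering. The script below is an added example, not InfoSec.Watch's or any vendor's code: it ranks findings by KEV membership first, then by unauthenticated remote exploitability on an internet-exposed asset, then by CVSS, and emits a runbook ticket per finding. The 24-hour KEV target is the newsletter's; the 72-hour, 7-day and 30-day tiers are assumptions, and the `CVE-TEST-*` identifiers and CVSS scores are constructed placeholders, not real vulnerabilities.

```python
"""Vulnerability triage ordering: KEV > remote-without-auth > CVSS.
Added example; findings and non-KEV SLA tiers are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    in_kev: bool            # listed in CISA KEV
    remote_no_auth: bool    # vendor matrix: remotely exploitable without auth
    internet_exposed: bool  # from the asset inventory / exposure scan


# Constructed sample findings. Note the CVSS 9.8 item is internal-only and
# not in KEV, so it should NOT be first despite the highest score.
FINDINGS = [
    Finding("CVE-TEST-0001", "mail-gw", 7.5, True, True, True),
    Finding("CVE-TEST-0002", "db-core", 9.8, False, False, False),
    Finding("CVE-TEST-0003", "mgmt-ui", 8.1, False, True, True),
    Finding("CVE-TEST-0004", "build-agent", 8.8, False, True, False),
]


def priority_key(f: Finding) -> tuple:
    """Sort key; higher tuples are more urgent (sort with reverse=True)."""
    return (f.in_kev, f.remote_no_auth and f.internet_exposed, f.remote_no_auth, f.cvss)


def remediation_sla_hours(f: Finding) -> int:
    """Remediation target. Only the KEV tier comes from the newsletter."""
    if f.in_kev:
        return 24                      # KEV runbook: same-day change request
    if f.remote_no_auth and f.internet_exposed:
        return 72                      # assumption: reachable pre-auth RCE-class
    if f.cvss >= 9.0:
        return 7 * 24                  # assumption: critical but not exposed
    return 30 * 24                     # assumption: regular patch cycle


def triage(findings: list) -> list:
    """Return findings ordered most-urgent first."""
    return sorted(findings, key=priority_key, reverse=True)


def runbook_ticket(f: Finding) -> dict:
    """One ticket per finding carrying the three runbook obligations."""
    return {
        "cve": f.cve,
        "asset": f.asset,
        "sla_hours": remediation_sla_hours(f),
        "checklist": [
            "identify exposure (internet-reachable? which networks/users?)",
            "apply mitigation or patch; if neither, restrict access by allowlist",
            "document detection coverage: logs, EDR, network controls",
        ],
    }


def triage_order(findings: list) -> list:
    """Convenience: just the CVE ids in priority order."""
    return [f.cve for f in triage(findings)]


if __name__ == "__main__":
    for f in triage(FINDINGS):
        t = runbook_ticket(f)
        print(f"{t['cve']:<14} {t['asset']:<12} SLA {t['sla_hours']:>4}h  cvss={f.cvss}")
```

The key design choice is that the sort key is a tuple of booleans before the numeric score, so a CVSS 7.5 KEV entry on an exposed mail gateway lands above a 9.8 on an internal database; feeding the vendor's "remote without auth" column into `remote_no_auth` is exactly the automation the takeaway describes.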

⚔️ Actionable Defense Move of the Week

Build a ‘Tier‑0 exposure’ inventory and enforce it with network policy

Most of this week’s high-risk items share one trait: they live on management planes and trusted update paths.

💡 Key Takeaway: Create an authoritative list of Tier‑0 systems (IAM, EDR/MDM, backup, UC, infra management, CI/CD). Enforce: no direct internet exposure, mandatory MFA + device posture, admin via jump hosts only, and continuous log forwarding + alerting for privileged changes.
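A Tier-0 inventory only helps if something checks network policy against it. The script below is an added example, not InfoSec.Watch's code or any product's API: it takes a constructed Tier-0 asset list, a constructed set of jump-host networks and a constructed rule table (the shape a firewall or cloud security-group export might be normalized into) and reports every allow rule that lets a non-jump source, or the whole internet, reach a Tier-0 admin port. The IP ranges, host names and port set are assumptions for illustration.

```python
"""Check firewall/security-group rules against a Tier-0 exposure policy:
Tier-0 admin ports must be reachable only from jump-host networks.
Added example; inventory, networks and rules are constructed."""
import ipaddress

# Constructed Tier-0 inventory (IAM, UC, CI/CD per the takeaway) keyed by name.
TIER0_ASSETS = {
    "idp-01": "10.10.0.5",      # identity provider
    "cucm-01": "10.10.0.20",    # unified communications manager
    "ci-runner": "10.20.0.7",   # CI/CD build agent
}

# Constructed jump-host networks: the only legitimate admin sources.
JUMP_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]

# Assumed admin/management ports worth gating.
ADMIN_PORTS = {22, 443, 8443, 3389}

# Constructed normalized rule table (one dict per allow/deny rule).
RULES = [
    {"src": "0.0.0.0/0", "dst": "10.10.0.20", "port": 443, "action": "allow"},
    {"src": "10.99.0.0/24", "dst": "10.10.0.5", "port": 443, "action": "allow"},
    {"src": "10.50.0.0/16", "dst": "10.20.0.7", "port": 22, "action": "allow"},
    {"src": "10.50.0.0/16", "dst": "10.30.0.9", "port": 22, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "10.10.0.5", "port": 22, "action": "deny"},
    {"src": "10.99.0.0/24", "dst": "10.20.0.7", "port": 8080, "action": "allow"},
]


def classify_source(src_cidr: str, jump_nets: list) -> str:
    """'jump' if fully inside a jump network, 'internet' for 0/0, else 'other'."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    if src.prefixlen == 0:
        return "internet"
    if any(src.subnet_of(j) for j in jump_nets):
        return "jump"
    return "other"


def tier0_violations(rules: list, tier0: dict, jump_nets: list, admin_ports: set) -> list:
    """Return (asset, src, port, kind) for each allow rule that breaks policy."""
    by_ip = {ip: name for name, ip in tier0.items()}
    violations = []
    for r in rules:
        if r["action"] != "allow" or r["port"] not in admin_ports:
            continue  # only allow rules on admin ports can expose Tier-0
        asset = by_ip.get(r["dst"])
        if asset is None:
            continue  # destination is not a Tier-0 system
        kind = classify_source(r["src"], jump_nets)
        if kind == "jump":
            continue  # admin via jump host only: this is the permitted path
        label = "internet-exposed" if kind == "internet" else "non-jump-source"
        violations.append((asset, r["src"], r["port"], label))
    return violations


if __name__ == "__main__":
    for asset, src, port, label in tier0_violations(RULES, TIER0_ASSETS, JUMP_NETWORKS, ADMIN_PORTS):
        print(f"VIOLATION {label:<16} {asset:<10} port {port:<5} from {src}")
```

Run on every rule change (or nightly against an export) and page on any non-empty result; a deny rule never counts as a violation, and a non-admin port on a Tier-0 host is ignored, which keeps the signal focused on exactly the "no direct internet exposure, admin via jump hosts only" clause of the policy.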

🧠 Final Word

If you can reach it from the internet, attackers will eventually script it. If it’s a management plane, they’ll script it first.

💡 Key Takeaway: Share this with someone who owns patching, identity, or the management plane — they’re the new perimeter.
