TLDR Security — Saturday, January 10, 2026

Gooooood morning on this rainy day! I had a bit of business to do with our chicken coop roof this morning before the rain hit - a bit of a band-aid solution with a new tarp until springtime comes, when I will actually have time to replace the roof. Anyway, on to the news!

A max-severity data center management flaw is under active exploitation, Chinese-speaking actors were caught wielding a VMware escape toolkit they likely built a year before anyone knew about the bugs, and CISA just retired ten emergency directives in one sweep. Meanwhile, the Clop ransomware campaign targeting Oracle E-Business Suite keeps producing breach disclosures by the week.

.\ HPE OneView flaw hits CISA KEV as Metasploit module circulates

A critical unauthenticated remote code execution vulnerability in HPE OneView is now confirmed under active exploitation. CISA added CVE-2025-37164 (CVSS 10.0) to the KEV catalog on January 7 with a January 28 remediation deadline. The flaw affects all versions prior to 11.0 and stems from an unsecured REST API endpoint (/rest/id-pools/executeCommand) reachable without authentication. Rapid7 published a Metasploit module on December 19, three days after HPE's hotfix dropped. OneView manages servers, storage, and firmware at enterprise scale — compromise here means centralized control of data center infrastructure.

.\ Source shelf: HPE Advisory · CISA KEV · Rapid7 · SecurityWeek

.\ Chinese-speaking actors deployed VMware ESXi escape toolkit a year early

Huntress published a detailed breakdown of an intrusion they stopped in December 2025 involving a sophisticated VM escape toolkit that chains three VMware ESXi vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) disclosed as zero-days in March 2025. Build timestamps and file paths suggest the toolkit was developed as early as February 2024 — over a year before public disclosure. The attackers entered via a compromised SonicWall VPN, pivoted using stolen Domain Admin credentials, and deployed tools to escape guest VMs and plant a backdoor on the hypervisor itself. Simplified Chinese strings in development paths point to a well-resourced Chinese-speaking actor. The toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. Shadowserver reports over 30,000 internet-exposed ESXi instances remain vulnerable as of January 8.

.\ Source shelf: Huntress · BleepingComputer · The Hacker News

.\ Clop's Oracle EBS campaign hits 3.5 million at University of Phoenix

The University of Phoenix confirmed that nearly 3.5 million current and former students, staff, faculty, and suppliers had personal data stolen in the ongoing Clop ransomware campaign exploiting CVE-2025-61882 in Oracle E-Business Suite. The breach occurred between August 13 and 22 but wasn't detected until November 21, when Clop listed the university on its leak site. Exposed data includes names, Social Security numbers, dates of birth, and bank account details. This marks the largest single victim disclosure from the campaign so far. Other universities filing breach notifications this week include Dartmouth College (40,000+ affected) and Southern Illinois University. Clop has now listed over 100 organizations from this campaign.

.\ Source shelf: BleepingComputer · SecurityWeek · Infosecurity Magazine

.\ Chrome extensions with 900K installs caught stealing AI conversations

Security researchers at OX Security discovered two malicious Chrome extensions impersonating a legitimate AI sidebar tool were exfiltrating complete ChatGPT and DeepSeek conversations plus all browser tab URLs to attacker-controlled servers every 30 minutes. "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" (600K users) even carried Google's "Featured" badge; "AI Sidebar with Deepseek, ChatGPT, Claude and more" had 300K users. The extensions requested permission for "anonymous analytics" while harvesting prompts, AI responses, and session metadata. The technique — dubbed "prompt poaching" by Secure Annex — represents growing risk as employees use LLMs for sensitive code, documents, and business planning. Remove immediately if installed.

.\ Source shelf: OX Security · The Hacker News · SecurityWeek

.\ Ledger customers exposed in Global-e payment processor breach

Crypto hardware wallet maker Ledger confirmed that customer data was accessed after hackers breached Global-e, its e-commerce payment partner. Exposed information includes names, contact details, and order data (products purchased, prices) for customers who used Global-e as merchant of record. No payment information, passwords, or 24-word recovery phrases were compromised. Ledger emphasized it was "not the only brand" affected by the Global-e breach. The timing is particularly sensitive given Ledger's history — a 2020 breach led to physical "wrench attacks" targeting crypto holders, and co-founder David Balland was kidnapped in January 2025. Customers should watch for phishing attempts and ignore any unsolicited physical packages claiming to be replacement devices.

.\ Source shelf: Ledger Support · BleepingComputer · The Register

.\ TridentLocker hits federal contractor Sedgwick Government Solutions

Sedgwick confirmed a ransomware attack on its federal contractor subsidiary after the TridentLocker gang claimed responsibility on New Year's Eve. Sedgwick Government Solutions provides claims and risk management services to DHS, CISA, ICE, CBP, and Department of Labor. The company says the breach was limited to an isolated file transfer system with no evidence of access to claims management servers. TridentLocker — a ransomware-as-a-service operation that emerged in November 2025 — claims to have stolen 3.4GB and has already published samples. The group practices double extortion and has listed 12 victims since launch, including Belgian postal service Bpost. Network segmentation appears to have contained the damage.

.\ Source shelf: The Record · SecurityWeek · BleepingComputer

.\ CISA retires 10 emergency directives in largest-ever bulk closure

CISA announced the retirement of ten emergency directives issued between 2019 and 2024, marking the largest simultaneous closure in agency history. The retired directives include ED 21-01 (SolarWinds Orion), ED 21-04 (PrintNightmare), ED 20-04 (Netlogon/Zerologon), and ED 24-02 (Microsoft corporate email compromise by nation-state actors). CISA determined that required actions were either successfully implemented or are now covered by BOD 22-01, which mandates patching of KEV catalog vulnerabilities within specified deadlines. Acting Director Madhu Gottumukkala called the closures evidence of "operational collaboration across the federal enterprise." The move signals maturity of the KEV catalog as the primary forcing mechanism for federal vulnerability remediation.

.\ Source shelf: CISA · The Record · BleepingComputer

A critical command injection vulnerability in discontinued D-Link DSL routers is being actively exploited for DNS hijacking attacks. CVE-2026-0625 (CVSS 9.3) affects the dnscfg.cgi endpoint and allows unauthenticated remote attackers to execute arbitrary shell commands. Affected models include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B — all end-of-life with no patches available. Shadowserver recorded exploitation attempts beginning November 27, 2025. Once compromised, attackers can silently redirect all downstream traffic from every device behind the router. Organizations running these legacy devices should replace them immediately. VulnCheck notes the same DNS configuration mechanism was leveraged in large-scale DNS hijacking campaigns between 2016 and 2019.

.\ Source shelf: The Hacker News · VulnCheck
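To turn the two endpoints named in the HPE OneView and D-Link items above into something a SOC can act on, here is an added example (my own, not code from HPE, D-Link or any of the cited sources) that scans common-format web access logs for requests to those paths. The watchlist, the Hit type and the sample log lines are constructed for illustration; the IPs are documentation ranges, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Hypothetical watchlist built from the two endpoints named in this issue:
# the HPE OneView unauthenticated REST endpoint (CVE-2025-37164) and the
# D-Link DSL router CGI handler (CVE-2026-0625). Extend as needed.
WATCHLIST = {
    "/rest/id-pools/executeCommand": "CVE-2025-37164 HPE OneView RCE",
    "/dnscfg.cgi": "CVE-2026-0625 D-Link DSL command injection",
}

# Common/combined access-log format: client - - [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    method: str
    path: str
    status: int
    reason: str

def scan(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per request whose path matches a watchlisted endpoint.
    The query string is stripped and the comparison is case-insensitive so
    trivial variations of the same path are still caught."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        path = m.group("path").split("?", 1)[0]
        for endpoint, reason in WATCHLIST.items():
            if path.lower().endswith(endpoint.lower()):
                hits.append(Hit(m.group("src"), m.group("ts"), m.group("method"),
                                path, int(m.group("status")), reason))
    return hits

# Constructed sample log lines (not real traffic) to exercise the scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2026:02:14:03 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512
203.0.113.7 - - [08/Jan/2026:02:14:04 +0000] "GET /rest/version HTTP/1.1" 200 88
198.51.100.9 - - [08/Jan/2026:03:01:17 +0000] "GET /dnscfg.cgi?placeholder=1 HTTP/1.1" 200 312
192.0.2.5 - - [08/Jan/2026:03:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.src} {h.method} {h.path} -> {h.status}: {h.reason}")
```

Any hit on the OneView path from outside your management network, or any hit at all on dnscfg.cgi from a WAN-facing router, deserves an immediate look at what followed from that source.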

.\ Also Notable

.\ Ops Bench

HPE OneView requires immediate attention. The combination of CVSS 10.0, public Metasploit module, and confirmed exploitation makes this a drop-everything priority. Upgrade to v11.0 or apply hotfixes for versions 5.20-10.20. There are no workarounds.

.\ Source shelf: HPE Advisory

Audit VMware ESXi exposure. Shadowserver shows 30K+ vulnerable instances still exposed. The Huntress findings confirm sophisticated actors had working exploits long before disclosure. Patch to current versions, monitor for VSOCK processes using lsof, and watch for KDU-based driver loading. EOL versions have no fix.

.\ Source shelf: Huntress · Shadowserver

Review browser extension policies. The AI chat-stealing extensions carried Google's "Featured" badge and had 900K combined installs. Consider enforcing extension allowlists, blocking sideloading, and monitoring for the IOCs published by OX Security.

.\ Source shelf: OX Security

Until next week!