Microsoft has issued an emergency patch for a critical zero-day vulnerability (CVE-2026-20805) in its Windows operating system that is being actively exploited by attackers. The flaw affects all supported versions of Windows.
19 January 2026 Cyber Update: Microsoft Scrambles to Patch Actively Exploited Windows Zero-Day
Cyber News Centre's cyber update for 19 January 2026: Microsoft has released an urgent security patch to address a zero-day vulnerability in its Windows operating system that is under active attack.
The Update and Why It Matters
Update: Microsoft has confirmed that a zero-day vulnerability in its Windows operating system, tracked as CVE-2026-20805, is being actively exploited in the wild. The flaw, an information disclosure vulnerability in the Desktop Window Manager (DWM), was patched on January 13 as part of the company's monthly Patch Tuesday release, which addressed a total of 114 security holes. The vulnerability allows an attacker to bypass a fundamental security control known as Address Space Layout Randomisation (ASLR), which is designed to prevent memory-corruption exploits.
By defeating ASLR, an attacker can more reliably execute malicious code on a target system. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server editions, making it a widespread threat. While Microsoft has given the flaw a middling CVSS score of 5.5 and an "Important" severity rating, security researchers are urging organisations to treat it with higher urgency due to the active exploitation. The company has not disclosed how the vulnerability is being used in attacks but has attributed its discovery to its own internal security teams, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
Why it Matters: The active exploitation of CVE-2026-20805 poses a direct and immediate threat to countless organisations. Given the near-universal adoption of Windows in business and government, the vulnerability exposes a massive attack surface, from small businesses to critical infrastructure operators. While the flaw itself only allows for information disclosure, its true danger lies in its ability to be chained with other vulnerabilities to achieve full system compromise. Attackers can use this zero-day as a reliable first step to disable key protections before launching more destructive code execution attacks.
The fact that it is already being used "in the wild" means this is not a theoretical risk; it is a clear and present danger. The only effective defence is to immediately apply the security updates released by Microsoft. Any delay leaves systems open to attackers who are already leveraging this weakness to bypass core Windows security features and launch more complex, damaging intrusions. The incident underscores the persistent threat of zero-day attacks and the critical importance of rapid, enterprise-wide patch management.