Vercel confirms a security incident after a compromised third-party AI tool's OAuth token allowed attackers to pivot into internal systems, exposing environment variables and API keys across its platform.
Anthropic is scrambling to contain fresh questions over its Mythos AI after online users reportedly accessed the ultra‑powerful model through previously mapped pathways, sharpening Pentagon supply chain concerns and spooking markets already on edge about AI‑driven cyber risk
According to Microsoft’s April 2026 Security Update Guide, the company fixed more than 160 vulnerabilities across Windows, Office and core services, including an actively exploited SharePoint zero‑day and a Defender privilege‑escalation flaw.
Microsoft has issued an emergency patch for a critical zero-day vulnerability (CVE-2026-20805) in its Windows operating system that is being actively exploited by attackers. The flaw affects all supported versions of Windows.
Cyber News Centre's cyber update for 19 January 2026: Microsoft has released an urgent security patch to address a zero-day vulnerability in its Windows operating system that is under active attack.
Update: Microsoft has confirmed that a zero-day vulnerability in its Windows operating system, tracked as CVE-2026-20805, is being actively exploited in the wild. The flaw, an information disclosure vulnerability in the Desktop Window Manager (DWM), was patched on January 13 as part of the company's monthly Patch Tuesday release, which addressed a total of 114 security holes. The vulnerability allows an attacker to bypass a fundamental security control known as Address Space Layout Randomisation (ASLR), which is designed to prevent memory-corruption exploits.
By defeating ASLR, an attacker can more reliably execute malicious code on a target system. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server editions, making it a widespread threat. While Microsoft has given the flaw a middling CVSS score of 5.5 and an "Important" severity rating, security researchers are urging organisations to treat it with higher urgency due to the active exploitation. The company has not disclosed how the vulnerability is being used in attacks but has attributed its discovery to its own internal security teams, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
Why it Matters: The active exploitation of CVE-2026-20805 poses a direct and immediate threat to countless organisations. Given the near-universal adoption of Windows in business and government, the vulnerability exposes a massive attack surface, from small businesses to critical infrastructure operators. While the flaw itself only allows for information disclosure, its true danger lies in its ability to be chained with other vulnerabilities to achieve full system compromise. Attackers can use this zero-day as a reliable first step to disable key protections before launching more destructive code execution attacks.
The fact that it is already being used "in the wild" means this is not a theoretical risk; it is a clear and present danger. The only effective defense is to apply the security updates released by Microsoft immediately. Any delay leaves systems open to attackers who are already leveraging this weakness to bypass core Windows security features and launch more complex, damaging intrusions. The incident underscores the persistent threat of zero-day attacks and the critical importance of rapid, enterprise-wide patch management.
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
Vercel confirms a security incident after a compromised third-party AI tool's OAuth token allowed attackers to pivot into internal systems, exposing environment variables and API keys across its platform.
According to Microsoft’s April 2026 Security Update Guide, the company fixed more than 160 vulnerabilities across Windows, Office and core services, including an actively exploited SharePoint zero‑day and a Defender privilege‑escalation flaw.
The largest DeFi exploit of 2026 has seen $293 million drained from Kelp DAO's LayerZero cross-chain bridge, triggering a $5.4 billion withdrawal panic across the broader ecosystem and exposing critical centralization flaws in modular security.
ShinyHunters has exposed a critical weakness in cloud systems. The McGraw Hill breach shows how misconfigured Salesforce portals enabled large scale data leaks, with no software flaw to fix. This marks a shift toward exploiting common operational gaps rather than rare vulnerabilities.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
