ServiceNow Agentic AI Privilege Escalation; Fast Pair Protocol Implementation Vulnerable; Microsoft Seizes RedVDS Infrastructure

ServiceNow has mitigated and patched an agentic AI flaw that AppOmni characterizes as "the most severe AI-driven security vulnerability uncovered to date." ServiceNow is a Fortune 500 company that provides "an IT services management platform for 85% of the companies that comprise the rest of the Fortune 500," as well as cloud services and helpdesk support. The company offers a "Virtual Agent" chatbot whose API can be integrated into third-party applications, such as Slack or Microsoft Teams, and has also introduced a newer and more powerful "Now Assist AI Agents" application. Aaron Costello, Chief of Security Research at AppOmni, discovered that the authentication logic for integrated Virtual Agent is unsecure and relies on a universal hardcoded secret. Exploiting the agent-to-agent (A2A) execution path, an unauthenticated attacker can "remotely drive privileged agentic workflows as any user," making the Virtual Agent engage the Now Assist Agent to grant admin privileges, acquiring full platform access armed only with platform details, the static secret, and knowledge of a user's email address. ServiceNow rotated provider credentials and patched Now Assist AI Agents and Virtual Agent API against CVE-2025-12420 (CVSS 9.3) in late October 2025, but Costello notes the risk that vulnerable configuration choices may still exist in organizations' custom code or third-party applications. AppOmni offers instructions for administrators to properly enable MFA for account linking, and recommends regular automated review of AI agents before deployment as well as de-provisioning of inactive and unused agents, noting that "an agent’s power is directly proportional to the risk it poses to the platform."

Researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group have discovered a vulnerability in the Fast Pair wireless protocol, a feature which allows one-tap pairing and account synchronization. Dubbed WhisperPair, the vulnerability — CVE-2025-36911, which results from incorrect Fast Pair implementations — was detected in 17 audio accessories sold by 10 different companies, including Sony and Logitec, as well as Google, who developed the Fast Pair protocol. The flaw could be exploited to allow attackers to connect with and take control of vulnerable devices. Users with vulnerable devices that connect to Google's Find Hub geolocation tracking feature could also be tracked by attackers. The researchers disclosed the vulnerability to Google in August 2025. Google says it has pushed out updates to its own affected accessories as well as an update to Find Hub; the researchers were able to circumvent the Find Hub patch. The researchers note that "the only way to fix this vulnerability is by installing a software update issued by the manufacturer of the accessory."

Microsoft has announced its seizure of domains belonging to the RedVDS cybercrime-as-a-service marketplace and customer portal, in a coordinated effort with Europol and international law enforcement. Civil actions were filed in the US and UK, and German authorities carried out a raid on the data center in Limburg an der Lahn where RedVDS was hosted. RedVDS operated a monthly subscription service offering "disposable virtual computers that make fraud cheap, scalable, and difficult to trace [...] allowing criminals to operate quickly, anonymously, and across borders." RedVDS has enabled a wide array of cybercrime including mass phishing, password spray attacks, and multifaceted spoofing, as well as prominent business email compromise (BEC) and payment diversion fraud, especially in the real estate sector but also impacting "construction, manufacturing, healthcare, logistics, education, legal services," and others. Two affected US companies, H-2 Pharma in Alabama and Gatehouse Dock Condominium Association in Florida, whose combined fraud losses total almost $8 million, are co-plaintiffs in Microsoft's lawsuits. "Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 organizations worldwide." Microsoft estimates RedVDS caused approximately $40 million in fraud losses in the US alone since March 2025, noting that the actual impact is considerably higher not only financially worldwide, but also considering the harmful effects of fraud beyond financial loss.

On January 10, 2026, Eurail B.V. disclosed a data breach, and by January 13, customers began receiving notification emails; as of this writing, no information about the timing, nature, and scope of the attack has been published. Upon detecting unauthorized external access to systems and customer data, Eurail secured their systems, engaged third-party cybersecurity experts and legal advisors to investigate, and began notifying data protection authorities in compliance with GDPR requirements. The information accessed in the attack belongs to "customers who were issued a Eurail pass or made a seat reservation with Eurail" including through partners and distributors. Eurail also sent notifications to these partner organizations, including the DiscoverEU program, whose notice about the breach describes the affected data in greater detail than Eurail's notice, warning customers that their "name, surname, date of birth or age, passport/ID information or photocopies, email address, postal address and country of residence, phone number, bank account reference (IBAN), [and] data concerning health" may have been accessed. DiscoverEU recommends that affected individuals change their passwords, be vigilant for unsolicited communications, unusual financial activity, and requests for personal information, and report any suspicious activity to relevant authorities.

A Verizon outage on Wednesday, January 14, 2026 prevented some customers from completing calls and accessing mobile data, and there were reports that some customers were unable to reach 911 emergency services from their Verizon-connected devices. There were also reports that access to Verizon broadband internet was disrupted. Verizon said the incident was resolved as of 10:20pm ET on Wednesday, January 14. In a statement to news outlets on Thursday, January 15, Verizon said the outage was the result of "a software issue." The incident affected customers across the US, and the areas most heavily affected by the outage included New York City, Atlanta, Charlotte, Houston, and Dallas.

The US Federal Trade Commission (FTC) has issued a final order that settles allegations against General Motors and OnStar regarding selling customer geolocation data. Specifically, the car manufacturer and its subsidiary, OnStar, are prohibited from sharing customer geolocation and driving behavioral data with consumer reporting agencies. The data in question were collected via the OnStar Smart Driver feature, which collected information every three seconds. While Smart Drive was marketed to customers as a driving safety self-assessment tool, the information was sold to third parties, including consumer reporting agencies, which shared the information with insurance companies. The order says GM and OnStar failed to clearly inform customers of their data practices. The 20-year consent order bans the companies from sharing the data for five years and compels them to obtain consent from customers to collect information thereafter. They must also provide means for customers to request and obtain a copy of their data, to request that their data be deleted, and to disable the collection of geolocation data. GM may still share location information with emergency responders and use the data for internal research and development.

A cyberattack against Belgium's AZ Monica, which operates hospitals in Antwerp and Deurne, forced the organization to shut down servers, which in turn has led to the hospitals transferring critical patients elsewhere and cancelling surgeries. In all, seven patients were transferred to other facilities to ensure they would receive needed treatment. The incident was first disclosed on Tuesday, January 13. In a January 15 press statement, AZ Monica writes they "were able to perform 50% of [their] operational activities today under safe conditions."

Palo Alto Networks (PAN) has patched a high-severity vulnerability in its next-generation firewalls, affecting PAN-OS after version 10.1 and Prisma Access configurations "with an enabled GlobalProtect gateway or portal." CVE-2026-0227, CVSS score 7.7, allows an unauthenticated attacker to force a firewall into maintenance mode by repeatedly causing a denial of service (DoS) condition, due to a flaw categorized as CWE-754: Improper Check for Unusual or Exceptional Conditions. Most Prisma Access instances have already been upgraded through the cloud, except in the case of conflicting upgrade schedules. Users should check the version table in PAN's advisory to upgrade PAN-OS to a fixed version.

On Tuesday, January 13, 2026, Microsoft released updates to address more than 110 vulnerabilities across the company's product line. Eight of those flaws are rated critical, and one medium-severity information disclosure vulnerability (CVE-2026-20805) is being actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 to the Known Exploited Vulnerabilities catalog with a mitigation deadline of February 3, 2026, for Federal Civilian Executive Branch agencies. Another vulnerability, a medium severity secure boot certificate expiration security feature bypass issue (CVE-2026-21265), was previously disclosed.