LastPass Users, Beware Phishing Attempts; cURL Closes Bug Bounty to Stem "Slop" Reports; Telnetd Was Vulnerable for Over Ten Years

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team is alerting customers to a phishing campaign that urges users of the password manager to create a vault backup. The phony messages say the action needs to be undertaken prior to "scheduled maintenance." The subject lines, which include “Don’t Miss Out: Backup Your Vault Before Maintenance” and “Protect Your Passwords: Backup Your Vault (24-Hour Window),” create a false sense of urgency; links provided in the phishing messages take users to a phishing site, which TIME is working to take down. TIME also reminds customers that LastPass will never ask them for their master password. The campaign appears to have launched on Monday, January 19, likely to take advantage of reduced staff over the long weekend in the US and to delay detection of the campaign.

Daniel Stenberg, creator and maintainer of the open-source software project cURL, has announced to users that he intends for the project's bug bounty program to shut down at the end of January 2026, "to remove the incentive for people to submit crap and non-well researched reports to [cURL]. AI generated or not." In May 2025, citing such a high volume of "AI slop" that submissions almost constituted a denial-of-service attack, Stenberg began requiring reports to disclose assistance from AI, and instituted immediate bans for anyone submitting low quality reports. Outright hallucinations, technical inaccuracies, and "low-effort noise" are among the problems with many AI-generated submissions. While cURL and Stenberg are still open to direct private communication of possible security issues via email, references to the bug bounty program will be removed from documentation. Stenberg also advocates for "exposing, discussing and ridiculing the ones who waste [staff's] time," urging users not to report a bug or a vulnerability "unless you actually understand it - and can reproduce it."

GreyNoise has published an advisory warning of active exploitation of a critical flaw in telnetd, the GNU InetUtils telnet daemon, affecting all versions of GNU InetUtils from 2.7 all the way back to 1.9.3, which was released in 2015. CVE-2026-24061, CVSS score 9.8, "allows remote authentication bypass via a "-f root" value for the USER environment variable." An attacker can trivially bypass authentication controls and gain remote root access simply by running a command. Cybersecurity authorities in several countries have issued advisories, all of which urge users to disable telnetd and telnet services if possible; the Centre for Cybersecurity Belgium also recommends users ensure that any systems where telnet must be enabled are not exposed to the internet and are controlled with strict firewall access policies and VPN or ZNTA. No official patch has been released at the time of this writing.

Cisco has released updates to address a critical code injection vulnerability (CVE-2026-20045) affecting some of its Unified Communications products, including Cisco Unified Communications Manager (Unified CM), Session Management Edition (SME), IM & Presence Service (IM&P), Cisco Unity Connection, and Webex Calling Dedicated Instance platforms. The flaw could be exploited "to obtain user-level access to the underlying operating system and then elevate privileges to root." Cisco writes that the "vulnerability is due to improper validation of user-supplied input in HTTP requests." The flaw is being actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to the Known Exploited Vulnerability catalog, giving Federal Civilian Executive Branch agencies until February 11, 2026, to mitigate the flaw.

Cloudflare has addressed a vulnerability in its ACME (Automatic Certificate Management Environment) validation logic that was disclosed as part of the company's bug bounty program. The vulnerability affects Cloudflare's Web Application Firewall (WAF). The ACME protocol is "used to automate the issuance, renewal, and revocation of SSL/TLS certificates." Cloudflare writes that "The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path." The flaw was discovered and reported by researchers from FearsOff on October 13, 2025; Cloudflare pushed out updated code on October 27, 2025.

Researchers at Miggo Security have discovered a vulnerability in the integration of Google's Gemini LLM into the company's apps and services, allowing an attacker to coerce Gemini into exposing a target's complete calendar information. As part of Gemini's function as an assistant for Google Calendar, it ingests and "parses the full context of a user’s calendar events, including titles, times, attendees, and descriptions," including the details of event invites received. The researchers sent an event invite whose description contained innocuous natural language instructions to Gemini, directing the LLM to collect and dump schedule information into the description of a new meeting disguised as a free time slot, whenever the target user asks about their calendar. When the targeted user gives Gemini an ordinary query, the LLM loads and parses calendar events and reads this description as a command, a flaw known as indirect prompt injection. Miggo notes that "traditional application security (AppSec) is largely syntactic," involving detecting, blocking, and sanitizing malicious strings and patterns, but "in contrast, vulnerabilities in LLM powered systems are semantic," involving risks from the model's interpretation, context, and level of privilege. "When an application’s API surface is natural language, the attack layer becomes 'fuzzy.'" Google has reportedly added mitigations in light of this research. Miggo urges defenses beyond keyword blocking, such as runtime systems that account for semantics, intent, and data provenance, i.e., "security controls that treat LLMs as full application layers with privileges that must be carefully governed."

On Saturday, January 17, 2026, Microsoft issued an out-of-band update to address problems introduced in the company's January 2026 Windows security update, which was released on Tuesday, January 13. The January 17 update fixes two issues impacting Windows 11, Windows 10, and Windows Server. The first issue affects authentication for Remote Desktop apps; some users found themselves unable to sign in over Remote Desktop. The second issue affects some systems with Secure Launch enabled; when users tried to shut down or enter hibernation, the systems restarted instead. Microsoft has released updates to address the flaws in Windows 11, versions 25H2 and 24H2 (KB5077744); Windows 11, version 23H2 (KB5077797); Windows 10, version 22H2 ESU and Windows 10 Enterprise LTSC 2021 (KB5077796); Windows Server 2025 (KB5077793); Windows Server 2022 (KB5077800); and Windows Server 2019 and Enterprise LTSC 2019 (KB5077795).

Researchers at Huntress are warning of an ongoing ClickFix-type campaign dubbed "CrashFix." A victim seeking an ad blocker extension was served an advertisement leading to "NexShield," a malicious extension hosted on the legitimate Chrome Web Store, which is "almost entirely a clone of uBlock Origin Lite." An hour after installation, NexShield exhausts system resources and causes the browser to become unresponsive, then displays a phony browser crash error message and subsequent fake system scan, ultimately prompting the user to open a Windows Run dialog and paste and run a malicious PowerShell script. The script communicates with the threat actor's command and control (C2) server, using finger[.]exe to send information about installed antivirus software and indicating whether the system is domain-joined. Notably, only domain-joined hosts receive the ModeloRAT payload, a previously undescribed Python-based Windows remote access Trojan built with various persistence, obfuscation, anti-detection, and anti-analysis measures. Standalone machines and VMs that do not present the opportunity for lateral movement do not receive a malicious payload from the C2 server. Huntress provides indicators of compromise (IoCs) and YARA rules, and recommends defenders be vigilant for specific malicious network activity, for unusual use of "living off the land" binaries like finger[.]exe, for new browser extensions and suspicious permission requests, and for "pythonw.exe spawning hidden PowerShell processes and suspicious entries in the Run registry key that look a little too much like legitimate software."

The Canadian Investment Regulatory Organization (CIRO) has confirmed that a cybersecurity incident initially disclosed last summer affected personal data of about 750,000 investors. The compromised information includes dates of birth, phone numbers, annual income, social insurance numbers, government issued ID numbers, investment account numbers and account statements. CIRO, which was established in 2023, oversees investment dealers, mutual fund dealers, and trading in Canada. CIRO disclosed the incident in August 2025, when it launched an investigation.