Penetration Testers Arrested in 2019 Receive Settlement; Exploited Telnet Flaw Puts OT at Risk; Moltbot/Clawdbot Security Concerns

On January 22, 2026, officials in Dallas County, Iowa agreed to pay $600,000 to settle a civil suit brought by two penetration testers who were arrested while conducting red team exercises on behalf of the Iowa State Court Administration (SCA) in September 2019. Gary DeMercurio and Justin Wynn were employees of security company Coalfire, which had been contracted to perform physical penetration tests on the Iowa Judicial Branch Building, the Polk County Courthouse, and the Dallas County Courthouse. After an alarm went off during DeMercurio and Wynn's test of the Dallas County Courthouse, Dallas County Sherriff Chad Leonard had the pair arrested on felony charges of third degree burglary and possession of burglar tools, alleging that their authorization letter was invalid as "the SCA did not have the authority to authorize after-hours access to the Dallas County courthouse because it is owned by the county." Two contacts who signed the authorization letter also offered conflicting understandings of the test's scope when called. After 20 hours in jail, $100,000 paid in bail, and four months of litigation, the charges were reduced and ultimately dropped. In 2021, DeMercurio and Wynn filed a lawsuit against Dallas County and Sherriff Leonard for "false arrest, abuse of process, defamation, intentional infliction of emotional distress and malicious prosecution." Chad Leonard retired from Iowa law enforcement in August 2022. The lawsuit was moved to Polk County, then a Federal District Court, then back to the state court, and the parties reached a settlement less than a week ahead of the January 26, 2026 trial date.

A critical flaw that has made the GNU InetUtils telnet daemon vulnerable to authentication bypass since 2015 is under active exploitation, exposing primarily IoT equipment and legacy systems used in operational technology (OT). CVE-2026-24061, CVSS score 9.8, "allows remote authentication bypass via a "-f root" value for the USER environment variable." While a patch has been issued as part of GNU InetUtils 2.8, the flaw was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) on January 26, 2026. The Shadowserver Foundation reports around 800,000 exposed telnet instances worldwide, and research by Forescout indicates that manufacturing, healthcare, government, and retail systems together account for more than 75% of all systems still using telnet, with printers, networking equipment, VoIP devices, and OT controllers being the most common devices using the protocol. GNU's security advisory recommends, "Do not run a telnetd server at all. Restrict network access to the telnet port to trusted clients. Apply the patch or upgrade to a newer release which incorporate the patch," and as a workaround, "Disable telnetd server or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the '-f' parameter."

Researchers are warning that insecure instances of the Moltbot (previously known as Clawdbot) open source AI assistant are leaking sensitive data, including "API keys, OAuth tokens, conversation history, and credentials." Moltbot works with multiple messaging platforms. Researchers at Cisco write "Moltbot also stores persistent memory, meaning it retains long-term context, preferences, and history across user sessions rather than forgetting when the session ends," and note that "Security for Moltbot is an option, but it is not built in." The AI agent's name was changed to Moltbot earlier this week after Anthropic asked developer Peter Steinberger to change the name from Clawdbot because of its similarity to Claude. While Steinberger complied, malicious actors have exploited the resulting confusion.

Exploitation of a high-severity flaw in archive utility WinRAR is still ongoing and widespread despite the developer having fixed the vulnerability six months ago, according to Google Threat Intelligence Group (GTIG). Security firm ESET initially discovered and disclosed the flaw under active exploitation as a zero-day in late July 2025, and WinRAR released the update closing the vulnerability on July 30, 2025. CVE-2025-8088, CVSS score 8.4, allows an attacker to execute arbitrary code by crafting an archive file containing multiple hidden malicious alternate data streams, due to a path traversal vulnerability in WinRAR before version 7.13. GTIG's analysis describes an exploit chain that researchers have observed in use by "multiple government-backed actors ... predominantly focusing on military, government, and technology targets," including four Russia-nexus threat groups targeting Ukraine, a PRC-based actor delivering a remote access trojan (RAT), and financially-motivated groups installing backdoors in Indonesian systems, targeting LATAM hospitality and travel with RATs, and stealing Brazilian banking credentials, among others. Analysis points to "continued commoditization of the attack lifecycle," in which an online economy offering exploits for flaws such as CVE-2025-8088 lowers technical and resource thresholds for exploitation. GTIG provides indicators of compromise (IoCs), and urges users to keep software updated. Douglas McKee, director of vulnerability intelligence at Rapid7, stated to Dark Reading that "[the] risk is amplified in organizations where software like WinRAR is widely installed but rarely managed, audited, or updated. Employees in technical, operational, or administrative roles may trust archive files implicitly."

SolarWinds has released updates to address six CVEs affecting the SolarWinds Web Help Desk. SolarWinds has designated four of the vulnerabilities as critical and two as high-severity. The critical vulnerabilities include two authentication bypass issues (CVE-2025-40552 and CVE-2025-40554) and two deserialization of untrusted data remote code execution issues (CVE-2025-40551 and CVE-2025-40553). The high-severity vulnerabilities are a security control bypass vulnerability (CVE-2025-40536) and a hardcoded credentials vulnerability (CVE-2025-405367). Users are urged to update to Web Help Desk version 2026.1 as soon as possible.

Google Threat Intelligence (GTI), along with industry partners, has disrupted the IPIDEA residential proxy network, explaining that "residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs) and used to provide service to residential or small business customers. By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses." GTI notes that the IPIDEA residential proxy network in particular was being used to "facilitat[e] several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them." GTI has taken legal action to dismantle the IPIDEA command and control infrastructure and the domains used to sell IPIDEA products. GTI has also shared information about IPIDEA with industry partners to allow them to take measures to halt the network's operation. The write-up also includes indicators of compromise.

Apple has announced a privacy feature for iPhone Air, iPhone 16e, and iPad Pro (M5) devices running iOS or iPadOS 26.3 or later with a supported telecom carrier, allowing users to choose to share less specific location data with their carrier. Where ordinarily a cellular network receives data pinpointing a user's location to the level of a street address, activating the "Limit Precise Location" control blurs the location to approximately a neighborhood level, according to Apple. Any apps that users permit Location Services to share data with are not affected by this setting. Gary Miller, a researcher at Citizen Lab and senior director of network intelligence at iVerify, noted to TechCrunch that this is the first setting limiting device location disclosure to the network rather than at the app level. Telekom in Germany, AIS and True Thailand, EE and BT in the United Kingdom, and Boost Mobile in United States are the carriers supporting this feature so far.

Researchers at JFrog Security Research have "discovered and disclosed two vulnerabilities in the n8n workflow automation system's sandbox mechanism: CVE-2026-1470, rated 9.9 Critical, impacting the expression evaluation engine, and CVE-2026-0863, rated 8.5 High, affecting Python execution in the Code node (‘Internal’ mode)." Both vulnerabilities could lead to remote code execution. Updates are available to address the vulnerabilities: CVE-2026-1470 is fixed in versions 1.123.17, 2.4.5, and 2.5.1; CVE-2026-0863 is fixed in n8n versions 1.123.14, 2.3.5, and 2.4.2. This is the second time in the past few months that n8n has been in the news: the company also disclosed four vulnerabilities, including a critical unauthenticated remote code execution flaw (CVE-2026-21858) discovered by Cyera Research Labs.

Comstar, an ambulance billing and collections services company, has been ordered to pay more than half a million dollars to the states of Massachusetts and Connecticut to settle allegations that Comstar violated Health Insurance Portability and Accountability Act (HIPAA) and state privacy regulations. The charges arose following a March 2022 ransomware attack that compromised protected health information (PHI) belonging to nearly 350,000 Massachusetts and Connecticut residents. The compromised information includes names, Social Security numbers, driver's license numbers, financial account information, and medical and health insurance data. In June 2025, Comstar agreed to pay the US Department of Health and Human Services Office for Civil Rights (HHS OCR) $75,000 over the same incident after "OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds." That settlement’s corrective action plan requires Comstar "to take definitive steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI." The most recent settlement, if approved, will require Comstar to establish and maintain a written information security plan (WISP), to use "anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security incident and event management platform, ... [and to] implement and maintain a comprehensive and accurate IT asset inventory."