
CVEs don’t sleep.
Patch Tuesday fallout, China sidelines Western security vendors, and a critical flaw puts industrial switches at risk of remote takeover. A ransomware attack disrupts a Belgian hospital, crypto scams hit investment clients, and Eurail discloses a data breach. Analysts press Congress to go on offense in cyberspace, and Sean Plankey gets another shot at leading CISA. In our Threat Vector segment, David Moulton sits down with Ian Swanson, AI Security Leader at Palo Alto Networks, about supply chain security. And, an AI risk assessment cites a football match that never happened.
Today is Wednesday, January 14th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Patch Tuesday.
Microsoft’s January Patch Tuesday addresses at least 113 vulnerabilities across Windows and supported software, including eight rated critical and one confirmed zero-day under active exploitation. The zero-day, CVE-2026-20805, affects the Windows Desktop Window Manager and is already being used in attacks, despite a relatively low CVSS score. Researchers warn it can undermine core protections like Address Space Layout Randomization and be chained with other flaws, making rapid patching essential. Microsoft also fixed critical Office bugs exploitable via Preview Pane and removed legacy modem drivers linked to long-known privilege escalation risks. Separately, vendors flagged a critical Secure Boot bypass tied to expiring certificates, urging careful remediation. Browser updates from Mozilla, and pending Chrome and Edge patches, add to the busy patch cycle.
Adobe delivered fixes for 25 vulnerabilities across 11 products, including one critical flaw. The most severe issue, CVE-2025-66516, is an XML External Entity injection bug in Apache Tika modules that can enable remote code execution through malicious PDF files. Adobe resolved it in ColdFusion updates and assigned a top priority rating, urging immediate patching. Additional updates addressed high-severity code execution flaws in Dreamweaver and multiple Creative Cloud tools. Adobe reports no evidence of active exploitation.
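The Adobe item above names the bug class, XML External Entity (XXE) injection, without showing what the defensive control looks like. The following is an added example, not code from the podcast, Adobe, Apache Tika or ColdFusion: a small Python routine that treats XML arriving from an untrusted document pipeline as hostile, refuses any document whose DTD declares an external (SYSTEM or PUBLIC) entity, and parses the rest with external entity resolution switched off in the standard-library SAX parser. The sample documents, their `example.invalid` URLs and the function names are constructed for the illustration.

```python
"""Added example: refuse XML that declares external entities before parsing.

Not code from the podcast, Adobe, Apache Tika or ColdFusion. The sample
documents and names below are constructed for illustration.
"""
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Matches <!ENTITY name SYSTEM "..."> or <!ENTITY name PUBLIC "..." "...">,
# including parameter entities (<!ENTITY % name SYSTEM ...>), inside a DTD.
# Internal entities (<!ENTITY name "value">) are left alone.
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def declares_external_entity(xml_text: str) -> bool:
    """True if the document text contains an external entity declaration."""
    return bool(_EXTERNAL_ENTITY.search(xml_text))


class _TextCollector(ContentHandler):
    """Collects character data so we can check the parse produced something."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_untrusted_xml(xml_text: str) -> str:
    """Parse XML from an untrusted source and return its text content.

    Two layers: reject documents that declare external entities outright,
    and, for everything else, disable external general and parameter
    entity resolution in the parser so nothing is fetched from disk or
    the network even if the pre-check were bypassed.
    """
    if declares_external_entity(xml_text):
        raise ValueError("external entity declaration rejected")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_text)
    parser.close()
    return "".join(handler.parts).strip()


# Constructed sample documents (not taken from any real incident).
SAMPLE_BENIGN = (
    '<?xml version="1.0"?><doc><title>quarterly report</title></doc>'
)
SAMPLE_EXTERNAL = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE doc [<!ENTITY ext SYSTEM "http://example.invalid/external.txt">]>'
    "<doc>&ext;</doc>"
)
SAMPLE_PARAM = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE doc [<!ENTITY % ext SYSTEM "http://example.invalid/ext.dtd"> %ext;]>'
    "<doc/>"
)


def check_samples() -> dict:
    """Run the pre-check over the constructed samples; used by the demo below."""
    return {
        "benign": declares_external_entity(SAMPLE_BENIGN),
        "external": declares_external_entity(SAMPLE_EXTERNAL),
        "parameter": declares_external_entity(SAMPLE_PARAM),
    }


if __name__ == "__main__":
    for name, flagged in check_samples().items():
        print(f"{name:10s} external entity declared: {flagged}")
    print("benign text:", parse_untrusted_xml(SAMPLE_BENIGN))
```

The regex pre-check is deliberately coarse: it will also trip on a SYSTEM entity declaration that appears inside a comment or CDATA section, which for a reject-by-default filter on untrusted input is the right failure direction. The parser features are the real control; the pre-check mainly gives you a loggable, explainable rejection reason for the documents that matter.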
Fortinet released patches for six vulnerabilities, including two critical flaws affecting FortiSIEM and FortiFone. The most serious, CVE-2025-64155, is an unauthenticated OS command injection bug in FortiSIEM that could allow remote code execution and is addressed by restricting access to a monitoring port. A second critical issue in FortiFone could expose device configurations without authentication. Fortinet also fixed a high-severity buffer overflow in FortiOS and related products, plus several lower-severity bugs. No active exploitation was reported.
Chinese authorities restrict the use of cybersecurity software from about a dozen U.S. and Israeli vendors.
Chinese authorities have instructed domestic companies to stop using cybersecurity software from about a dozen U.S. and Israeli vendors, citing national security concerns, according to sources briefed on the matter. According to an exclusive report from Reuters, the affected firms include VMware, Palo Alto Networks, Fortinet, and Check Point Software Technologies. Beijing is concerned the software could collect and transmit sensitive data overseas, as it accelerates efforts to replace Western technology with domestic alternatives amid rising U.S.-China tensions. Regulators and the companies declined to comment. The move comes as both sides prepare for renewed high-level diplomacy and reflects longstanding Chinese concerns that foreign cybersecurity tools could enable espionage or sabotage.
A critical vulnerability exposes industrial Ethernet switches to remote takeover.
Moxa warned of a critical vulnerability exposing its industrial Ethernet switches to remote, unauthenticated takeover. The flaw, CVE-2023-38408, stems from how a third-party OpenSSH library is handled and allows remote code execution when SSH agent forwarding is abused. Affected devices include multiple EDS and RKS switch models running older firmware. Moxa has released patched firmware and urges operators to update immediately. Until then, administrators should isolate vulnerable devices from the internet and restrict access to trusted networks only.
Ransomware shuts down a Belgian hospital.
A ransomware attack has severely disrupted operations at AZ Monica hospital in Belgium, forcing canceled surgeries and reduced emergency services. The hospital shut down all servers across its Antwerp and Deurne campuses to contain the incident, which prosecutors confirmed as a cyberattack. The Belgian Red Cross helped transfer seven critically ill patients to other hospitals after their safety could not be guaranteed. Ambulances are no longer bringing patients to AZ Monica, increasing pressure on nearby facilities. Access to electronic patient records is unavailable, disrupting consultations, imaging, and chemotherapy. Hospital leaders say servers were taken offline proactively to prevent patient data compromise, while care continues with support from neighboring hospitals.
Attackers send fraudulent crypto-related emails to investment advisor customers.
U.S. digital investment advisor Betterment confirmed a breach that allowed attackers to send fraudulent crypto-related emails to some customers. The incident stemmed from unauthorized access to a third-party marketing platform, not Betterment’s core systems. Using legitimate Betterment email infrastructure, the attacker promoted a fake reward scam claiming to triple Bitcoin and Ethereum deposits. While no customer accounts or credentials were accessed, exposed data included names, contact details, addresses, and dates of birth. Betterment warned customers on January 9, removed the attacker’s access, and said there is no evidence of further compromise. Some users later reported temporary access issues. The company is strengthening defenses against social engineering and plans a detailed post-incident report.
Eurail suffers a data breach.
European rail pass provider Eurail, also known as Interrail, confirmed a data breach that exposed customer information, with notifications sent this week. Potentially affected data includes names, contact details, dates of birth, and passport information. Customers in the DiscoverEU program may also have ID copies, health data, and bank references exposed, according to the European Commission. Eurail says systems are secured, regulators notified, and there is no evidence of misuse so far.
Cyber policy analysts push Congress for increased offensive cyber operations.
Cyber policy analysts warned lawmakers that China and other adversaries are running persistent, large-scale cyber campaigns against U.S. critical infrastructure at little cost or risk. Testifying before the House Homeland Security subcommittee on cybersecurity and infrastructure protection, panelists argued current U.S. authorities are outdated and overly restrictive, limiting offensive cyber operations that could deter adversaries. They cited attacks on U.S. water systems and China’s Volt Typhoon as evidence of growing civilian risk. Experts urged clearer interagency roles, faster information sharing with industry, and a shift from reactive responses to sustained “defend forward” operations. CrowdStrike called for increasing the pace of infrastructure takedowns, as the White House weighs a more assertive cyber posture.
Sean Plankey is back in the running to lead CISA.
President Donald Trump has re-nominated Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency, reviving a nomination that stalled in the Senate last year. Plankey’s earlier bid advanced out of committee but was blocked by Senate holds tied to unrelated disputes, leaving CISA without a permanent director throughout 2025. The renewed nomination signals continued White House support, though it remains unclear whether those obstacles have been resolved. Plankey previously served in cybersecurity roles during Trump’s first term and most recently acted as a senior adviser on Coast Guard matters. The administration says confirming Plankey remains a priority, citing the need for stable leadership at the nation’s lead civilian cyber defense agency.
AI risk assessment cites a ghost game.
What began as a routine soccer security decision ended as a quiet lesson in what happens when artificial intelligence gets a little too imaginative.
First, a soccer match in the UK gets flagged. Maccabi Tel Aviv fans are told they cannot attend a game against Aston Villa, after the Birmingham Safety Advisory Group, with police at the table, deems it “high risk” based on prior unrest.
Next, a key detail in the supporting report raises eyebrows. It cites trouble at a Maccabi Tel Aviv versus West Ham match that, awkwardly, never happened.
Then comes the cleanup tour. Twice, Chief Constable Craig Guildford tells MPs West Midlands Police “do not use AI,” pointing instead to social media scraping and a Google search.
And then, the twist ending arrives in writing. In a letter released to the Home Affairs Select Committee, Guildford concedes the error came from using Microsoft Copilot.
Finally, politics does what it does. Kemi Badenoch calls for Guildford to be sacked, while the prime minister says that authority was stripped away 15 years ago.
The AI promised assistance, not accuracy, and delivered exactly that.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
