Threat Intel Update
In 2025, CISA added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, a 20% year-over-year increase, including major flaws like CitrixBleed 2 and Oracle E-Business Suite vulnerabilities. Microsoft blocked more than 13 million phishing messages tied to misconfigured email routing, highlighting the need for stronger DMARC and SPF controls.
Meanwhile, the RondoDox botnet exploited a Next.js flaw to compromise over 90,000 systems, while the Zestix group stole corporate data from cloud platforms using compromised credentials. Two malicious Chrome extensions also harvested sensitive data from nearly one million users, reinforcing the growing risk of browser-based threats.
Cybersecurity News
- CISA KEV Catalog Grows 20% in 2025 with 245 New Exploited Vulnerabilities – In 2025, CISA added 245 new entries to its Known Exploited Vulnerabilities (KEV) Catalog, bringing the total number of actively exploited software and hardware flaws to more than 1,484 since the catalog’s launch in 2021. Of the newly added vulnerabilities, 24 were associated with ransomware activity. The update represents a 20% year-over-year increase—the largest expansion since the KEV debuted in November 2021. High-impact additions include CitrixBleed 2 and multiple Oracle E-Business Suite vulnerabilities, alongside much older flaws, with some dating back as far as 2002. Security Week
- Misconfigured Email Routing Fuels Surge in Internal Domain Phishing – Microsoft has warned of a rise in internal domain phishing attacks caused by misconfigured email routing and spoofing protections. Since May 2025, attackers—often using the Tycoon 2FA phishing-as-a-service platform—have impersonated trusted domains to deliver HR, voicemail, and financial scam emails across multiple industries. Microsoft blocked more than 13 million of these malicious messages in October 2025 alone. To reduce risk, organizations should enforce strict DMARC and SPF policies and properly configure third-party email services; tenants with MX records pointed directly to Office 365 are not affected. The Hacker News
- React2Shell Flaw Abused in Widespread RondoDox Botnet Attacks – The RondoDox botnet is exploiting the React2Shell vulnerability in Next.js to compromise unpatched smart devices and websites, allowing attackers to gain control without authentication. By the end of 2025, more than 90,300 vulnerable systems were identified, primarily across the U.S., Germany, France, and India. The campaign escalated from basic vulnerability testing to large-scale scanning of popular platforms and home routers, installing malware for cryptocurrency mining and removing rival botnets. Hack Read
- Zestix Steals and Sells Corporate Data from Cloud File-Sharing Platforms – The cybercriminal group Zestix is selling corporate data stolen from compromised ShareFile, Nextcloud, and OwnCloud environments. Attackers gained access using credentials harvested by info-stealing malware such as RedLine and Vidar—many of which had circulated in criminal databases for years, pointing to weak security controls like missing multi-factor authentication. Acting as an initial access broker, Zestix has targeted multiple sectors, including healthcare and government, prompting alerts to affected cloud service providers. BleepingComputer
- Malicious Chrome Extensions Steal AI Chat Conversations – Two malicious Chrome extensions posing as a legitimate AITOPIA tool were caught stealing sensitive browser data and AI chat conversations from platforms like ChatGPT and DeepSeek, according to OX Security. Before removal from the Chrome Web Store, the extensions reached more than 900,000 downloads and tricked users into granting permissions that enabled the theft of full conversations, session tokens, and user IDs. The incident raises serious risks, including corporate espionage and identity theft, and users are urged to uninstall the extensions immediately. SecurityWeek
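As an added example (not from the original briefing or from Microsoft's guidance), a small Python check that flags SPF and DMARC settings weaker than the strict policies the internal-domain phishing item above recommends. The TXT records are constructed, the include: target is a placeholder, and the definition of "strict" (hard-fail SPF, p=reject, strict alignment, full pct) is this example's own.

```python
import re

# Constructed sample DNS TXT records (not from the original briefing).
# The include: target is a placeholder, not a real mail provider.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRICT_SPF = "v=spf1 include:_spf.example-mailer.test -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.test"


def spf_findings(record):
    # Reasons an SPF record is weaker than a hard-fail ('-all') policy.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    mech = all_terms[-1]
    qualifier = mech[0] if mech[0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier == "+":
        return [f"'{mech}' authorizes every sender on the internet"]
    if qualifier in "~?":
        return [f"'{mech}' is softfail/neutral: spoofed mail is accepted, not rejected"]
    return []


def dmarc_findings(record):
    # Reasons a DMARC record is weaker than an enforcing, strictly aligned policy.
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '<missing>'}: spoofed mail is not rejected")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains enforce a weaker policy")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    for tag in ("adkim", "aspf"):  # default alignment mode is relaxed ('r')
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} relaxed: any subdomain of the org domain satisfies alignment")
    return findings


def is_strict(spf, dmarc):
    return not spf_findings(spf) and not dmarc_findings(dmarc)
```

Run `is_strict(WEAK_SPF, WEAK_DMARC)` and the two finding functions against a domain's real TXT records to see which settings would still let spoofed mail through.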