Threat Report 1/26/26

Microsoft Product Vulnerabilities  

Multiple security vulnerabilities have been identified across Microsoft products. The most critical issues could allow an attacker to execute malicious code remotely under the permissions of the currently logged-in user.

If the affected user has administrative privileges, an attacker could:

• Install or run unauthorized programs

• View, modify, or delete sensitive data

• Create new accounts with full system access

Accounts with limited (non-administrative) privileges may reduce the overall impact of an attack.

Affected Systems

A wide range of Microsoft products are impacted, including—but not limited to:

• Windows

• Microsoft Office

• Microsoft Edge

Risk Level

• Large and medium-sized organizations: High

• Small businesses: Medium

Remediation Recommendations

• Ensure all Microsoft products are updated to the latest available versions

• Enforce the Principle of Least Privilege, granting elevated access only to users who require it

References

• Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/en-us

• January 2026 Release Notes: https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan

Google Chrome Vulnerabilities

Multiple security vulnerabilities have been identified in Google Chrome. The most severe of these issues could allow an attacker to execute arbitrary code in the context of the currently logged-in user.

If successfully exploited, an attacker could:

• Install malicious or unauthorized programs

• View, modify, or delete data

• Create new accounts with full user privileges

The overall impact depends on the permissions of the affected user. Systems where users operate with standard (non-administrative) privileges may be less impacted than those using administrative accounts.

Affected Systems

• Google Chrome versions prior to 144.0.7559.59/60 for Windows and macOS

• Google Chrome versions prior to 144.0.7559.59 for Linux

Risk Level

• Large and medium-sized organizations: Medium

• Small businesses: Medium

Remediation Recommendations

• Ensure all devices running Google Chrome are updated to the latest available version

• Enforce the Principle of Least Privilege, granting elevated permissions only to users who require them

Reference

• Google Chrome Stable Channel Update (January 2026):
  https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html

Adobe Product Vulnerabilities

Multiple security vulnerabilities have been identified across various Adobe products. The most critical of these issues could allow an attacker to execute arbitrary code under the permissions of the currently logged-in user.

If successfully exploited, these vulnerabilities could enable an attacker to perform actions such as installing malicious programs, accessing or modifying data, or otherwise compromising the affected system. The severity of impact depends on the privileges of the logged-in user, with administrative accounts facing greater risk than standard user accounts.

Affected Systems

The following Adobe products and versions are impacted:

• Adobe Bridge 15.1.2 (LTS) and earlier

• Adobe Bridge 16.0 and earlier

• Adobe Dreamweaver 21.6 and earlier

• Adobe InCopy 19.5.5 and earlier

• Adobe InCopy 21.0 and earlier

• Adobe InDesign ID19.5.5 and earlier

• Adobe InDesign ID21.0 and earlier

• Adobe Substance 3D Designer 15.0.3 and earlier

• Adobe Substance 3D Modeler 1.22.4 and earlier

• Adobe Substance 3D Painter 11.0.3 and earlier

• Adobe Substance 3D Sampler 5.1.0 and earlier

• Adobe Substance 3D Stager 3.1.5 and earlier

• Adobe ColdFusion 2023 Update 17 and earlier

• Adobe ColdFusion 2025 Update 5 and earlier

• Adobe Illustrator 2025 (29.8.3) and earlier

• Adobe Illustrator 2026 (30.0) and earlier

Risk Level

• Large and medium-sized organizations: Medium

• Small businesses: Medium

Remediation Recommendations

• Update all Adobe products to the latest available versions as soon as possible

• Enforce the Principle of Least Privilege, granting elevated access only to users who require it

References

• Adobe Security Advisories: https://helpx.adobe.com/security/Home.html

• Dreamweaver Advisory: https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html

• InDesign Advisory: https://helpx.adobe.com/security/products/indesign/apsb26-02.html

• Illustrator Advisory: https://helpx.adobe.com/security/products/illustrator/apsb26-03.html

• InCopy Advisory: https://helpx.adobe.com/security/products/incopy/apsb26-04.html

• Bridge Advisory: https://helpx.adobe.com/security/products/bridge/apsb26-07.html

• Substance 3D Modeler Advisory: https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html

• Substance 3D Stager Advisory: https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html

• Substance 3D Painter Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html

• Substance 3D Sampler Advisory: https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html

• ColdFusion Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb26-12.html

• Substance 3D Designer Advisory: https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html

Cisco Unified Communications Vulnerability

A critical vulnerability has been identified in Cisco Unified Communications (UC) products that could allow an attacker to execute code remotely.

Cisco UC products are an integrated suite of IP-based hardware and software that deliver voice, video, messaging, and data services on a single platform. Successful exploitation of this vulnerability could allow remote code execution with root-level privileges, potentially resulting in a complete compromise of the affected device.

Affected Systems

The following Cisco Unified Communications products are impacted:

• Unified Communications Manager (Unified CM) – CSCwr21851

• Unified CM SME – CSCwr21851

• Unified CM IM & Presence (IM&P) – CSCwr29216

• Unity Connection – CSCwr29208

• Webex Calling Dedicated Instance – CSCwr21851

Risk Level

• Large and medium-sized organizations: High

• Small businesses: Medium

Remediation Recommendations

• Update all Cisco Unified Communications products to the latest available versions as soon as possible

• Enforce the Principle of Least Privilege, limiting elevated access to only those users and services that require it

Reference

• Cisco Security Advisory:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

Mozilla Product Vulnerabilities  

Multiple security vulnerabilities have been identified across Mozilla products. The most severe of these issues could allow an attacker to execute arbitrary code under the permissions of the currently logged-in user.

If successfully exploited, an attacker could install malicious programs, access or modify sensitive data, or create new accounts with full user privileges. The level of impact depends on the permissions of the affected user, with administrative accounts posing a higher risk than standard user accounts.

Affected Systems

The following Mozilla products and versions are impacted:

• Mozilla Firefox versions prior to 147

• Mozilla Firefox ESR versions prior to 115.32

• Mozilla Firefox ESR versions prior to 140.7

• Mozilla Thunderbird versions prior to 147

• Mozilla Thunderbird ESR versions prior to 140.7

Risk Level

• Large and medium-sized organizations: High

• Small businesses: Medium

Remediation Recommendations

• Update all Mozilla products to the latest available versions as soon as possible

• Enforce the Principle of Least Privilege, ensuring elevated permissions are granted only where necessary

References

• Mozilla Security Advisories: https://www.mozilla.org/en-US/security/advisories/

• MFSA 2026-01: https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/

• MFSA 2026-02: https://www.mozilla.org/en-US/security/advisories/mfsa2026-02/

• MFSA 2026-03: https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/