Cybersecurity Roundup: January 2026 | Kocho

Cybersecurity Roundup January 2026


From Kocho’s Security Operations Centre (SOC)

Published: 30 January 2026

The new year has arrived, but attacker behaviour hasn’t reset. January has already delivered active exploitation of Microsoft vulnerabilities, renewed pressure on infrastructure management planes, and fresh warnings around disruption-led attacks targeting UK organisations.

Our SOC team reveal some of the key vulnerabilities seen this month and provide recommendations to keep your estates protected.

Headlines:

  • Actively exploited Windows vulnerability patched
  • Emergency Office update addresses in-the-wild document attacks
  • HPE OneView flaw exposes infrastructure management platforms
  • UK warning: disruption-focused attacks target online services
  • New vulnerabilities added to CISA exploited list
  • Zero-click WhatsApp flaw targets group chats

Actively exploited Windows vulnerability patched in January | CVE-2026-20805

Microsoft has confirmed active exploitation of CVE-2026-20805, an information disclosure vulnerability affecting Windows Desktop Window Manager (DWM). The flaw allows a locally authenticated attacker with basic user privileges to access sensitive system memory addresses via Windows internal communication mechanisms.

While the vulnerability does not provide remote access or direct code execution, the exposed information can be used to weaken security protections and support follow-on activity, including privilege escalation or evasion of security controls. The issue affects multiple versions of Windows 10, Windows 11, and Windows Server.

What’s the risk?

  • Enables attackers with local access to extract sensitive system memory information
  • Low exploitation complexity once access is established
  • Increases the effectiveness of post-compromise activity rather than enabling initial access

Recommended actions

  • Prioritise patching for Windows systems used by administrators and privileged users.
  • Reduce standing local admin access where patching is delayed.
  • Monitor for post-exploitation activity following initial access.

Action point

Prioritise patching and hardening of privileged Windows endpoints.

Emergency Microsoft Office update addresses document-based attacks | CVE-2026-21509

Microsoft has issued out-of-band security updates for CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office that is being actively exploited. The flaw allows an attacker to bypass OLE security mitigations by persuading a user to open a specially crafted Office file. Exploitation requires user interaction and does not trigger via the Preview Pane.

Microsoft confirmed that Office 2021 and later are protected through a service-side change, although Office applications must be restarted for this to take effect. Office 2016 and 2019 require specific updates to fully remediate the issue. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalogue.

What’s the risk?

  • Allows attackers to bypass Office security controls using crafted documents
  • Exploitation requires user interaction but is already observed in real attacks
  • Older Office versions remain exposed without explicit patching

Recommended actions

  • Ensure January out-of-band Office updates are deployed across all supported versions.
  • Confirm Office applications have been restarted to apply service-side protections.
  • Maintain document handling controls for externally sourced files.

Action point

Ensure Office security bypass protections are active and fully applied across the estate.

HPE OneView remote code execution exploited in the wild | CVE-2025-37164

CISA has confirmed active exploitation of CVE-2025-37164, an unauthenticated remote code execution vulnerability affecting HPE OneView, a centralised infrastructure management platform. The flaw allows attackers to execute code via an unsecured REST API endpoint, with exploitation increasing after public technical details and a Metasploit module were released.

Because OneView sits at a privileged control plane with broad access to servers and lifecycle management, exploitation can grant centralised infrastructure control rather than access to a single system. HPE issued hotfixes in December, and recent reporting confirms automated exploitation is now underway.

What’s the risk?

  • Unauthenticated code execution with no prior access required
  • Compromise enables rapid lateral movement and persistence
  • Broad privileges and limited monitoring increase blast radius

Recommended actions

  • Patch or mitigate immediately in line with vendor guidance.
  • Review access logs and admin activity for signs of misuse.
  • Restrict management interfaces to trusted networks and enforce MFA.

Action point

Treat OneView exposure as a control-plane risk and prioritise remediation.

Disruption-focused attacks continue against UK organisations

The National Cyber Security Centre has issued a warning highlighting continued targeting of UK organisations by Russian-aligned hacktivist groups, focused on disruption rather than data theft. The activity primarily involves denial-of-service attacks intended to disrupt online services and deny access to public-facing systems.

The alert notes that local government bodies and operators of critical national infrastructure are at higher risk. While these attacks are typically low in technical sophistication, their impact can be significant, causing service outages, operational disruption, and extended recovery effort. The groups involved are ideologically motivated and operate independently but remain aligned to Russian state interests. The NCSC is urging organisations to review their defences and ensure they are prepared to respond effectively to DoS attacks.

What’s the risk?

  • Denial-of-service attacks disrupt access to public-facing services and online systems
  • Recovery effort and service restoration can consume significant operational capacity
  • Public disruption creates cover for phishing, impersonation, and follow-on fraud

Recommended actions

  • Review DDoS response plans and escalation paths.
  • Confirm upstream protections are enabled and tested.
  • Increase vigilance for secondary attack activity during and immediately after disruption.

Action point

Ensure your organisation can sustain and recover from service disruption without loss of control.

New additions to the Known Exploited Vulnerabilities catalogue

CISA has added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue in January. While not all are new disclosures, inclusion confirms verified exploitation rather than theoretical risk.

For security leaders, KEV remains one of the most reliable prioritisation signals available.

What’s the risk?

  • Vulnerabilities are already delivering attacker value
  • CVSS scores alone understate real-world impact
  • Slow triage keeps exploited flaws in production longer

Recommended actions

  • Review newly added KEV entries against your environment.
  • Prioritise remediation based on exposure and privilege, not severity scores.
  • Use KEV as a standing input into patch and vulnerability governance.

Action point

Use KEV to guide remediation priority. If it’s in KEV, attackers are already using it.
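The KEV-against-inventory review recommended above, as an added Python example (not code from Kocho or CISA): it parses a constructed feed in the shape of CISA's KEV JSON, matches entries to a constructed asset inventory by vendor and product, and ranks the findings by exposure and privilege rather than by severity score. The sample feed entries, their dates, the inventory and the scoring weights are all assumptions.

```python
import json
from datetime import date
# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# published feed; the CVE dates here are illustrative placeholders, not real values).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2026-01-26", "dueDate": "2026-02-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise", "product": "OneView",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "NotDeployed",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
]})
# Constructed asset inventory: vendor/product as KEV names them, plus the two
# attributes the roundup says should drive priority: exposure and privilege.
INVENTORY = [
    {"host": "oneview01", "vendor": "Hewlett Packard Enterprise", "product": "OneView",
     "internet_facing": True, "privileged": True},
    {"host": "finance-laptop-07", "vendor": "Microsoft", "product": "Office",
     "internet_facing": False, "privileged": False},
    {"host": "admin-ws-02", "vendor": "Microsoft", "product": "Office",
     "internet_facing": False, "privileged": True},
]

def load_kev(feed_text):
    """Index KEV entries by (vendor, product), case-insensitive."""
    index = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index

def priority(asset, entry, today):
    """Exposure and privilege dominate; KEV due date and known ransomware use add urgency."""
    score = 3 * asset["internet_facing"] + 3 * asset["privileged"]
    score += 2 if entry["knownRansomwareCampaignUse"] == "Known" else 0
    score += 1 if (date.fromisoformat(entry["dueDate"]) - today).days <= 14 else 0
    return score

def triage(feed_text, inventory, today_iso):
    """Return (score, host, cveID, dueDate) for each asset matching KEV, most urgent first."""
    kev, today = load_kev(feed_text), date.fromisoformat(today_iso)
    findings = [(priority(a, e, today), a["host"], e["cveID"], e["dueDate"])
                for a in inventory
                for e in kev.get((a["vendor"].lower(), a["product"].lower()), [])]
    return sorted(findings, key=lambda f: (-f[0], f[3], f[1]))

if __name__ == "__main__":
    for score, host, cve, due in triage(KEV_SAMPLE, INVENTORY, "2026-01-30"):
        print(f"{score:2d}  {host:<18} {cve:<16} due {due}")
```

Swap the constructed feed for the live catalogue download and the inventory for your CMDB export; KEV entries for products you do not run (the NotDeployed placeholder) produce no finding.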

Zero-click WhatsApp vulnerability enables targeted attacks via group chats

A recently disclosed vulnerability in WhatsApp for Android exposes users to targeted zero-click attacks delivered via group chats. The issue allows a malicious media file sent to a newly created group to be automatically downloaded to a victim’s device where automatic media downloads are enabled, without user interaction.

The attack requires the victim to be added to a group alongside at least one known contact, which limits large-scale exploitation but makes the technique well suited to targeted campaigns. Google’s Project Zero disclosed the issue after a partial server-side mitigation was applied in November, with a comprehensive fix still pending. Until then, risk reduction relies on configuration changes rather than patching.

What’s the risk?

  • Zero-click delivery removes reliance on user interaction
  • Group chats create an attack surface outside most enterprise controls
  • Targeted exploitation is feasible where contact relationships are known

Recommended actions

  • Disable automatic media downloads in WhatsApp on Android devices.
  • Limit who can add users to WhatsApp groups.
  • Reinforce guidance on messaging app risk for staff handling sensitive information.

Action point

Reduce exposure to zero-click messaging attacks by tightening media handling settings.


From our blog

Microsoft 365 E3 vs E5: Choosing the right security licence in 2026

Microsoft 365 licensing decisions now carry direct consequences for security operations, governance, and AI readiness. As Microsoft continues to raise the baseline in E3 while concentrating advanced identity protection, security operations, compliance, and AI capabilities into E5, the gap between the two is no longer about features, but about operating assumptions.

This article looks at how E3 and E5 have evolved from a security perspective, what responsibility each licence places on internal teams, and how to make a licence choice that aligns with real-world risk, regulatory pressure, and operational capacity as organisations head into 2026.

Resources & References

CrowdStrike | Hacker News | Help Net Security | NCSC | CISA | Malwarebytes

Thanks to the Kocho SOC team for their contributions.

Stay safe. Stay informed.
