Welcome, here’s today’s Cyber Briefing Note.

Brought to you by:

Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

CybersecurityHQ issues and preserves dated, bounded external cyber judgment.
Not news reaction. Not advisory opinion. Not consensus analysis.

Coverage spans ongoing CISO intelligence and versioned decision artifacts, depending on use context.

Signal 1: VMware ESXi zero-day toolkit developed 12 months before Broadcom disclosure

Huntress disclosed on January 9, 2026 its analysis of a December 2025 intrusion that used the MAESTRO toolkit to chain CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1) for guest-to-hypervisor escape. PDB paths contain simplified Chinese strings dated February 2024, including a folder named "全版本逃逸--交付" (All version escape, delivery). Broadcom disclosed these as zero-days in March 2025. The toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. The VSOCKpuppet backdoor uses VSOCK for guest-host communication, which is invisible to network monitoring. Initial access was via a compromised SonicWall VPN. Shadowserver reports 30,000+ internet-exposed ESXi instances vulnerable as of January 8, 2026. Source: Huntress, SecurityWeek, The Register.

Signal 2: Instagram API scrape dataset weaponized within 48 hours of BreachForums posting

Threat actor "Solonik" published 17.5 million Instagram account records on BreachForums January 7, 2026. Dataset includes usernames, email addresses, phone numbers, partial physical addresses. Data allegedly harvested via API exposure in late 2024. Malwarebytes confirmed dataset validity January 9, 2026 during dark web monitoring. Users reported mass password reset notifications beginning January 8. Instagram denied breach January 11, stating external party exploited password reset endpoint. No passwords included in dump. SIM swapping and credential harvesting attacks anticipated. Meta issued no formal disclosure. Source: Malwarebytes, Engadget, CyberInsider.

Signal 3: Cisco ISE arbitrary file read via XML parsing allows admin credential extraction

Cisco disclosed CVE-2026-20029 (CVSS 4.9) on January 8, 2026, affecting Identity Services Engine and ISE Passive Identity Connector. An authenticated attacker with admin privileges can read arbitrary files from the underlying operating system via a malicious XML upload to the web management interface. The files accessible to the attacker exceed the admin authorization scope. A public PoC exploit is available. Bobby Gould of Trend Micro Zero Day Initiative is credited with the discovery. Affects ISE/ISE-PIC releases prior to 3.2. Source: Cisco, The Hacker News.

Signal 4: Kido Schools ransomware group claims data deletion after child imagery extortion fails

Ransomware group Radiant claimed January 2026 to have deleted stolen photos and personal data of children after extorting nursery chain Kido Schools for £600,000 in Bitcoin. Hackers posted profiles and images of children on dark web. Group issued apology to BBC, stated "all child data is now being deleted." Initial access obtained via initial access broker selling compromised employee credentials. Security researchers doubt deletion claims, note ransomware operators historically retain or resell data post-claim. Source: BBC, BrightDefense.
