
Daily Signal Note: Control Surface Exposure Now Outpaces Review Cycles

CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.

Brought to you by:

Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

CybersecurityHQ issues and preserves dated, bounded external cyber judgment.
Not news reaction. Not advisory opinion. Not consensus analysis.

Coverage spans ongoing CISO intelligence and versioned decision artifacts, depending on use context.

Signal 1: Unauthenticated n8n RCE enables server takeover via form-based workflows

Cyera Research Labs disclosed CVE-2026-21858 (CVSS 10.0, codenamed Ni8mare) on January 8, 2026. The vulnerability in the n8n workflow automation platform allows unauthenticated remote attackers to read files on the underlying server, extract sensitive secrets, forge administrator access, and execute arbitrary commands. The root cause is a Content-Type confusion flaw: a file-handling function is called without verifying that the request actually carries a multipart/form-data content type, which bypasses authentication. Affects all versions through 1.65.0. Patched in 1.121.0 (November 18, 2025). This is the third critical n8n flaw disclosed in January 2026 (CVE-2026-21877, CVSS 10.0, and CVE-2025-68668, CVSS 9.9, were also patched). Source: The Hacker News, n8n advisory.
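The check the advisory describes as missing, shown as an added example that is not n8n's code: a request dispatcher that only hands a body to the multipart file handler after parsing the Content-Type header and confirming it declares multipart/form-data with a boundary. All function and request names here are hypothetical.

```javascript
// Parse a Content-Type header into { type, params }; null if absent or malformed.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [rawType, ...rawParams] = header.split(';');
  const type = rawType.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(type)) return null;
  const params = {};
  for (const p of rawParams) {
    const idx = p.indexOf('=');
    if (idx < 0) continue;
    const key = p.slice(0, idx).trim().toLowerCase();
    let value = p.slice(idx + 1).trim();
    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    params[key] = value;
  }
  return { type, params };
}

// True only for a well-formed multipart/form-data declaration with a boundary.
function isMultipartFormData(header) {
  const ct = parseContentType(header);
  return ct !== null && ct.type === 'multipart/form-data' &&
    typeof ct.params.boundary === 'string' && ct.params.boundary.length > 0;
}

// Stand-in for the file-handling function; records that the file path was reached.
function handleFileUpload(req) {
  return { status: 200, fileHandlerReached: true };
}

// Weak dispatcher (hypothetical): reaches the file handler without ever
// inspecting Content-Type, the pattern the advisory calls Content-Type confusion.
function dispatchWeak(req) {
  return handleFileUpload(req);
}

// Hardened dispatcher: the declared type is verified before the file path is reachable.
function dispatchHardened(req) {
  if (!isMultipartFormData(req.headers['content-type'])) {
    return { status: 415, reason: 'expected multipart/form-data', fileHandlerReached: false };
  }
  return handleFileUpload(req);
}

// Constructed sample requests (not captured traffic).
const jsonReq = { headers: { 'content-type': 'application/json' }, body: '{"a":1}' };
const formReq = { headers: { 'content-type': 'multipart/form-data; boundary=----abc123' }, body: '' };
```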

Signal 2: CISA adds 16-year-old PowerPoint vulnerability to KEV, underscoring continued exploitation of legacy document parsers

CISA added CVE-2009-0556 (CVSS 8.8) to the Known Exploited Vulnerabilities catalog on January 7, 2026. The PowerPoint vulnerability, dating from 2009, affects Office 2000, 2002, 2003, and Office 2004 for Mac. It is a memory corruption triggered by a malformed OutlineTextRefAtom in PowerPoint files. FCEB agencies must remediate by January 28, 2026. The update coincided with the KEV inclusion of a previously disclosed maximum-severity infrastructure management flaw. Source: CISA, The Hacker News.

Signal 3: CISA ICS advisory warns electric wheelchairs accept unauthenticated Bluetooth commands

CISA published ICSMA-25-364-01 on December 30, 2025, detailing CVE-2025-14346 (CVSS 9.8) in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs. Missing authentication for Bluetooth connections allows an attacker within radio range to pair, issue movement commands, override speed restrictions, and manipulate configuration profiles without credentials. WHILL deployed firmware mitigations on December 29, 2025, including blocking unlock commands during motion and obfuscating configuration files. QED Secure Solutions discovered the vulnerability. All versions are affected. Source: CISA ICS-CERT, HIPAA Journal.

Signal 4: Malicious Chrome extensions impersonating AI sidebar tool exfiltrate ChatGPT and DeepSeek conversations

OX Security disclosed on December 30, 2025 that two Chrome extensions with 900,000+ combined users exfiltrate ChatGPT and DeepSeek conversations, plus the URLs of all open Chrome tabs, to a C2 server every 30 minutes. The extensions impersonate the legitimate AITOPIA AI sidebar extension. "Chat GPT for Chrome with GPT-5" (600K users) had received Google's "Featured" badge. The extensions request consent for "anonymous analytics" while exfiltrating complete conversation content. The attackers host their privacy policies on Lovable.dev to obscure attribution. Google was notified on December 29, 2025, and the extensions were removed from the Chrome Web Store on January 7, 2026. Source: OX Security, BleepingComputer.
