January 6, 2026 — Week 1

CybersecurityHQ — CISO Weekly Brief

Welcome, reader, to your CybersecurityHQ CISO Weekly Intelligence Brief.

In partnership with:

Smallstep Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

CybersecurityHQ Notice

CybersecurityHQ now operates as an External Cybersecurity Judgment of Record.
We issue dated, versioned judgments intended for reference in accountable security decisions.

This publication reports weekly changes in the judgment state of record.

Record Notice

CybersecurityHQ issued its Q4 2025 External Risk & Decision Judgment, establishing baseline positions rendered indefensible entering 2026.

This judgment is immutable and archival. Subsequent CybersecurityHQ judgments assume these invalidations rather than restate them.

The executive summary is publicly accessible during the initial notice period.

THEME: The MCP layer is now the primary attack surface. AI agents inherit identity failures faster than governance can constrain them.

CISO SIGNAL

2026 opens with structural confirmation: the Model Context Protocol layer is where AI security fails. CVE-2025-49596 (CVSS 9.4) in MCP Inspector allowed unauthenticated attackers to execute arbitrary commands through OAuth endpoints. The flaw affected 437,000+ downloads of mcp-remote. Anthropic patched, but the pattern is set.

The geometry is clear. SQL injection in SQLite MCP servers enables stored prompt injection. Attackers embed malicious instructions in database fields. When privileged agents read those fields during triage, they execute the payload. This is not a theoretical chain. Trend Micro documented it operating in production.
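The chain described above, shown from the defender's side as an added example (not code from any MCP server or from Trend Micro's report): a concatenated SQLite insert beside its parameter-bound form, plus a wrapper that hands stored fields to an agent as labelled data. The `tickets` schema, the function names and the `CRAFTED` input are assumptions constructed for illustration.

```python
import json
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (author TEXT, body TEXT, status TEXT)")
    return db

def create_ticket_weak(db, author, body):
    # Weak form: caller text is spliced into the statement, so a quote in
    # `body` ends the string literal and the rest is parsed as SQL.
    db.execute("INSERT INTO tickets (author, body, status) "
               f"VALUES ('{author}', '{body}', 'new')")

def create_ticket_bound(db, author, body):
    # Hardened form: values are bound parameters and can never become SQL.
    db.execute("INSERT INTO tickets (author, body, status) VALUES (?, ?, 'new')",
               (author, body))

def tickets(db):
    return db.execute(
        "SELECT author, body, status FROM tickets ORDER BY rowid").fetchall()

def render_for_agent(row):
    # Binding stops forged rows but not instruction-like text in a legitimate
    # field, so fields reach the model as JSON data labelled untrusted,
    # never concatenated into the agent's instructions.
    author, body, status = row
    return json.dumps({"untrusted_ticket": {"author": author, "body": body,
                                            "status": status}})

# Constructed input: closes the VALUES tuple and appends a forged row.
CRAFTED = "x', 'new'), ('support', 'PLACEHOLDER instruction text', 'escalated') --"

if __name__ == "__main__":
    weak, bound = make_db(), make_db()
    create_ticket_weak(weak, "guest", CRAFTED)
    create_ticket_bound(bound, "guest", CRAFTED)
    print(tickets(weak))    # two rows; the second is forged as support/escalated
    print(tickets(bound))   # one row; CRAFTED is stored verbatim as the body
    print(render_for_agent(tickets(bound)[0]))
```

Parameter binding removes the forged-row path; the labelled rendering addresses the remaining case where hostile text arrives through a field that is allowed to hold free text.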

CISA lost its pre-ransomware notification lead. David Stern, who sent 2,100+ warnings in 2024 preventing attacks on water systems, energy utilities, and healthcare, resigned December 19 rather than accept forced reassignment. The program sent warnings based on intelligence community tips and researcher relationships. Those relationships are not portable.

Machine identities now outnumber humans 82:1 in enterprise environments. Tenable predicts NHIs will be the primary cloud breach vector in 2026. The convergence point: AI agents granted broad permissions to operate autonomously inherit every unrotated credential, every overprivileged service account, every governance gap in the identity stack. The collapse loop accelerates.

STRATEGIC SIGNALS

1. MCP Becomes the New API Gateway Attack Surface

OWASP released its first Top 10 for Agentic Applications. Two discoveries from Koi Security are cited. RCE vulnerabilities found in Claude Desktop's Chrome, iMessage, and Apple Notes connectors. All three had unsanitized command injection in AppleScript execution. CVSS 8.9. Patched, but the attack pattern persists: any webpage an AI agent visits can trigger code execution if extensions lack input validation.

Broken assumption: MCP servers operate in sandboxed, low-risk contexts.

2. RondoDox Botnet Exploits React2Shell at Scale

CVE-2025-55182 (CVSS 10.0) in React Server Components and Next.js remains under active exploitation. Shadowserver counts 84,916 vulnerable instances as of January 4. 66,200 in the US. RondoDox botnet has been exploiting this since March 2025, now incorporating React2Shell as initial access vector. Nine months of exploitation before widespread awareness.

Broken assumption: Framework vulnerabilities get patched before mass exploitation.

3. Ransomware Without Encryption Now Dominant

Morphisec documents the shift to exfiltration-only ransomware. Attackers use Azure Copy to blend theft with normal cloud operations. Data moves to Azure endpoints. No encryption events trigger detection. Victims often cannot determine what was stolen. Attackers claim exfiltration, demand payment, and organizations cannot disprove the claims. Forensics fail because logs age out before investigation begins.

Broken assumption: Ransomware detection relies on encryption signatures.
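One way to look for this pattern without relying on encryption events, as an added example (not from Morphisec or this brief): total outbound bytes per host to Azure Blob endpoints that are not on an approved storage-account list. The log layout, the account names, the 5 GiB daily limit and the sample records are constructed assumptions.

```python
from collections import defaultdict

BLOB_SUFFIX = ".blob.core.windows.net"   # Azure Blob Storage endpoint suffix
APPROVED_ACCOUNTS = {"contosobackup"}    # assumption: storage accounts the org owns
DAILY_LIMIT_BYTES = 5 * 1024**3          # assumption: 5 GiB per host/account/day

# Constructed egress records: timestamp host process destination bytes_out
SAMPLE_FLOWS = """\
2026-01-05T02:10:00Z fs01 azcopy.exe contosobackup.blob.core.windows.net 900000000
2026-01-05T03:02:11Z fs01 azcopy.exe stor7f3a.blob.core.windows.net 4000000000
2026-01-05T03:19:40Z fs01 azcopy.exe stor7f3a.blob.core.windows.net 3500000000
2026-01-05T09:15:02Z wk22 chrome.exe cdnassets.blob.core.windows.net 12000000
2026-01-05T09:20:00Z wk22 teams.exe updates.example.net 800000000
"""

def parse_flow(line):
    ts, host, process, dest, bytes_out = line.split()
    return {"day": ts[:10], "host": host, "process": process,
            "dest": dest.lower(), "bytes_out": int(bytes_out)}

def blob_account(dest):
    # "stor7f3a.blob.core.windows.net" -> "stor7f3a"; None for other hosts.
    return dest[:-len(BLOB_SUFFIX)] if dest.endswith(BLOB_SUFFIX) else None

def unapproved_blob_egress(text, limit=DAILY_LIMIT_BYTES):
    # Sum bytes per (day, host, storage account), skipping approved accounts,
    # and keep the process names seen so triage knows what moved the data.
    totals = defaultdict(lambda: [0, set()])
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        account = blob_account(flow["dest"])
        if account is None or account in APPROVED_ACCOUNTS:
            continue
        entry = totals[(flow["day"], flow["host"], account)]
        entry[0] += flow["bytes_out"]
        entry[1].add(flow["process"])
    return sorted((day, host, acct, total, tuple(sorted(procs)))
                  for (day, host, acct), (total, procs) in totals.items()
                  if total > limit)

if __name__ == "__main__":
    for alert in unapproved_blob_egress(SAMPLE_FLOWS):
        print(alert)
```

The approved-account list carries the detection: transfers to the organization's own storage are normal cloud operations, while the same tool writing to an unknown account is the signal.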

4. CISA 2015 Expires January 30

The Cybersecurity Information Sharing Act was temporarily reauthorized until January 30, 2026. If Congress does not act, liability shields, antitrust protections, and FOIA exemptions for threat intelligence sharing evaporate. Critical infrastructure operators that share indicators with government and ISACs face unquantified legal exposure. The six-week government shutdown in late 2025 already created one lapse.

Broken assumption: Threat intelligence sharing operates under stable legal framework.

WHAT BROKE THIS WEEK

700Credit: SSNs exposed across automotive dealership ecosystem. 108,000+ South Carolina residents confirmed. High-velocity attack lasting two weeks. API key enabled password reset capabilities. Lawsuits filed.

Aflac: 22.65 million individuals affected. Largest US health data breach reported in 2025. SSNs and health information exfiltrated.

Conde Nast/WIRED: 2.3 million subscriber records leaked. Hacker claims 40 million additional records pending. Ignored security warnings for a month before breach.

Illinois DHS: 600,000 patient records exposed. Configuration error left data publicly viewable for years.

Oltenia Energy Complex (Romania): Ransomware hit critical infrastructure operator on Christmas. The Gentlemen ransomware group attributed. IT infrastructure disrupted, production unaffected.

Two US Cybersecurity Professionals Guilty: Former incident responder and ransomware negotiator pleaded guilty as BlackCat affiliates. Breached pharmaceutical, engineering, healthcare organizations. The insider threat vector confirmed.

WHAT TO PATCH NOW

| CVE | CVSS | Impact |
| --- | --- | --- |
| CVE-2025-49596 | 9.4 | MCP Inspector localhost breach, RCE via OAuth endpoints |
| CVE-2025-55182 | 10.0 | React2Shell in Next.js, 84,916 instances exposed |
| n8n Critical Flaw | 9.9 | Arbitrary code execution across thousands of instances |

UNRESOLVED

CISA operates without a Senate-confirmed director. Sean Plankey's nomination held by Senator Rosen over unrelated policy dispute. Agency lost ~1,000 experts. Pre-ransomware warning program lost its lead. Proposed 17% budget cut pending.

The new national cyber strategy expected early 2026. National Cyber Director Cairncross previewed: short document, focused on shaping adversary behavior, introducing costs. CIRCIA final rule delayed until May 2026.

Quantum timeline estimates: nation-state capability expected 2027-2028. NIST post-quantum cryptographic standards released. Migration planning required, but ransomware and identity remain the 2026 problems.

JUDGMENT INDEX (VERSIONED)

This week's signals triggered issuance of the following CybersecurityHQ judgments:

CHQ-J-2026.01: AI Agents Constitute Privileged Access Principals. Status: v1.0 issued

CHQ-J-2026.02: MCP Servers Are Tier-0 Infrastructure. Status: v1.0 issued

CHQ-J-2026.03: Encryption-Based Ransomware Detection Is Structurally Obsolete. Status: v1.0 issued (assumption retired)

CHQ-J-2026.04: CISA 2015 Liability Protections Expire January 30. Status: v1.0 issued (time-bounded)

Full judgment language, decision exposure, and board-citable text are maintained in the CybersecurityHQ Decision Ledger.

January 2026 marks the formal issuance of CybersecurityHQ's standing judgment ledger. Prior intelligence informed these judgments; versioned authority begins here.

Decision Ledger
Recorded, versioned cybersecurity judgments for accountable decisions.

CybersecurityHQ | Intelligence for Security Leadership
