This week’s threat report highlights four developments with immediate relevance for UK defence and healthcare organisations: a critical flaw in a widely used automation platform that enables complete server takeover, sustained exploitation by China-linked actors of zero‑day VMware hypervisor vulnerabilities, a severe weakness in a major backup solution that directly threatens data recovery and ransomware resilience, and a network access control bug with publicly available exploit code that materially increases the likelihood of compromise.
A critical security flaw has been found in n8n, a popular tool used to automate workflows between different applications. The vulnerability is so severe it has been given the highest possible risk score (10.0 out of 10). It allows an attacker to take complete control of the n8n server without needing a password. The flaw, nicknamed "ni8mare", affects an estimated 100,000 servers.
Many organisations, including those in health tech, use automation tools like n8n to connect important systems such as databases, cloud storage, and payment processors. Because n8n is often trusted with secret keys and passwords for these systems, an attacker who takes control of the n8n server could gain access to a huge amount of sensitive data. This represents a major supply chain risk for any organisation that uses or relies on services built with n8n, including those handling patient data under the NHS DSPT.
If your organisation uses n8n, you must update to version 1.121.0 or later immediately.
There is no workaround; patching is the only way to fix this vulnerability.
Check with your software suppliers to see if they use n8n and what steps they have taken to protect your data.
Security researchers have discovered that a group of Chinese-speaking hackers were using three previously unknown security flaws in VMware ESXi, a widely used virtualisation platform. The flaws allowed the attackers to “escape” from a virtual machine and take control of the underlying server (the hypervisor). Evidence suggests the attackers had this capability for over a year before the flaws were publicly disclosed and patched.
Veeam, a very popular provider of backup software, has fixed four vulnerabilities in its Backup & Replication product. The most serious of these flaws has a risk score of 9.0 out of 10 and could allow a remote attacker to execute malicious code. Although an attacker would need some level of access already (a “Backup Operator” or “Tape Operator” account), the flaw could allow them to take control of the backup server.
Cisco has patched a security flaw in its Identity Services Engine (ISE), a product used by organisations to control who can access their networks. While the flaw itself is only rated as medium severity (4.9 out of 10), the risk has increased because instructions on how to exploit it (a “proof-of-concept”) have been released publicly. The flaw could allow an attacker who already has administrative access to read sensitive files from the system that they should not be able to see.
Cisco ISE is a key security gatekeeper for many corporate and healthcare networks, including those in the NHS. While an attacker needs to have already stolen an administrator’s password to exploit this, the flaw could allow them to dig deeper into the network and access more sensitive information. The public availability of exploit code means that less-skilled attackers can now attempt to use it, increasing the chances of an attack.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.