Welcome back! Between new vulnerabilities and recent cloud incidents, there’s a lot to track. Here is your curated shortlist of the month's most essential developments.
🐞 High Profile Vulnerabilities
Critical RCE Vulnerabilities in Ivanti Endpoint Manager Mobile
Ivanti has released security updates addressing two critical vulnerabilities (CVE-2026-1281 & CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) that allow unauthenticated remote code execution. While Ivanti reports exploitation in only a very limited number of customer environments at the time of disclosure, successful exploitation could result in full compromise of affected EPMM appliances.
According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2026-1281.
Learn more here https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
High Severity Vulnerabilities in Ingress NGINX
Multiple high-severity vulnerabilities have been disclosed in Ingress NGINX. The most severe issues (CVE-2026-1580 and CVE-2026-24512) allow authenticated users with limited privileges to inject malicious NGINX configuration, potentially leading to arbitrary code execution within the ingress-nginx controller and cluster-wide Secret disclosure. The second consequence follows from the first: the controller runs with a ClusterRole that can read Secrets in every namespace (it needs them for TLS), so code execution in the controller turns one tenant's Ingress into a cluster-wide credential leak. Note that on November 11, 2025, the Kubernetes project announced that Ingress NGINX will be retired in March 2026.
According to Wiz data, 43% of cloud environments have resources vulnerable to these vulnerabilities.
Learn more here https://discuss.kubernetes.io/t/security-advisory-multiple-issues-in-ingress-nginx/34115
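A check a cluster operator might run while planning the move off ingress-nginx, as an added example that is not code from the advisory or the Kubernetes project: it walks the Ingress objects in a `kubectl get ingress -A -o json` export and flags those carrying the documented snippet annotations, the places where an Ingress author can supply raw NGINX directives, and it reads the controller ConfigMap's `allow-snippet-annotations` key. Which annotations or fields the two CVEs actually involve is not stated here; treating every snippet annotation as review-worthy, the list of "suspicious" directives, and the sample objects are all this script's assumptions.

```python
"""Flag Ingress objects whose annotations carry raw NGINX directives.

Added example, not code from the ingress-nginx project. Input is the JSON
document `kubectl get ingress -A -o json` prints (an "items" list) plus the
controller ConfigMap; a constructed sample is embedded so it runs offline.
"""
import json

# Documented ingress-nginx annotations that accept raw NGINX configuration.
# Treating every one of them as worth a manual review is this script's choice.
SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
}

# Directives that read the controller's filesystem or load code.
# Illustrative, not exhaustive (assumption of this example).
SUSPICIOUS_TOKENS = ("load_module", "include", "alias", "ssl_certificate")


def snippets_allowed(configmap: dict):
    """True/False from the controller ConfigMap's allow-snippet-annotations
    key, or None if the key is absent (the default then depends on the
    controller version, so treat it as unknown and check the release notes)."""
    value = (configmap.get("data") or {}).get("allow-snippet-annotations")
    if value is None:
        return None
    return value.strip().lower() == "true"


def audit_ingresses(ingress_list: dict) -> list:
    """One finding per snippet annotation found on any Ingress."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for name, value in (meta.get("annotations") or {}).items():
            if name not in SNIPPET_ANNOTATIONS:
                continue
            hits = [tok for tok in SUSPICIOUS_TOKENS if tok in value]
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": meta.get("name"),
                "annotation": name.rsplit("/", 1)[-1],
                "severity": "high" if hits else "review",
                "tokens": hits,
            })
    # Filesystem-touching snippets first, then everything else.
    findings.sort(key=lambda f: (f["severity"] != "high", f["namespace"], f["name"]))
    return findings


# Constructed sample: the shape `kubectl get ingress -A -o json` returns.
SAMPLE_INGRESSES = {
    "items": [
        {"metadata": {"namespace": "team-a", "name": "web",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/configuration-snippet":
                              'more_set_headers "X-Frame-Options: DENY";'}}},
        {"metadata": {"namespace": "team-b", "name": "api",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/server-snippet":
                              "location /dump { alias /etc/; autoindex on; }"}}},
        {"metadata": {"namespace": "team-c", "name": "plain",
                      "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
    ]
}
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}

if __name__ == "__main__":
    print("snippets allowed:", snippets_allowed(SAMPLE_CONFIGMAP))
    for finding in audit_ingresses(SAMPLE_INGRESSES):
        print(json.dumps(finding))
```

If the ConfigMap does not allow snippet annotations, the controller ignores them, so the annotation findings are only a backlog to clean up before anyone re-enables the key; if it does allow them, the "high" findings are the ones to read first, because a snippet that aliases or includes a path is reading the controller's own filesystem.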
Critical RCE Vulnerability in BeyondTrust Products
BeyondTrust has published details of a critical unauthenticated RCE vulnerability (CVE-2026-1731) affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). BeyondTrust has already patched the Remote Support and Privileged Remote Access SaaS offerings, but customers running self-hosted instances must apply the patches themselves. CVE-2026-1731 has been observed being exploited in the wild.
According to Wiz data, 6% of cloud environments have resources vulnerable to CVE-2026-1731.
Learn more here https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
RCE Vulnerabilities in PostgreSQL
PostgreSQL released patches for multiple vulnerabilities that can allow authenticated database users, or attackers exploiting SQL injection, to execute arbitrary code on the host system. The most severe issues (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006) affect core string handling and bundled extensions, creating a high-impact attack chain capable of memory corruption, privilege escalation, and full system compromise.
According to Wiz data, 79% of cloud environments have resources affected by these vulnerabilities, and 5% of them have vulnerable PostgreSQL instances that are publicly exposed.
Learn more here https://www.postgresql.org/about/news/postgresql-182-178-1612-1516-and-1421-released-3235/
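A triage script for the fleet, as an added example that is not code from the PostgreSQL project: it takes the string `SELECT version();` returns on each server (or a bare `server_version` value) and classifies the server against the patched minors named in the release announcement linked above (18.2, 17.8, 16.12, 15.16, 14.21). Majors not in that list are reported as unsupported, which is an inference from the release list rather than a statement in it; the inventory rows and hostnames are constructed.

```python
"""Triage PostgreSQL server versions against the patched minor releases.

Added example, not from the PostgreSQL project. FIXED_MINOR holds the minors
named in the release announcement; SAMPLE_ROWS is a constructed inventory of
(host, internet_exposed, version_text) where version_text is what
`SELECT version();` printed or a bare server_version value.
"""
import re

# Patched minor per supported major, per the release announcement.
FIXED_MINOR = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}

# Matches "PostgreSQL 16.9 on x86_64..." as well as a bare "16.9".
VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def parse_version(text: str):
    """(major, minor) as ints, or None for pre-release or unparsable strings."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(version_text: str) -> str:
    """patched / vulnerable / unsupported (no fix listed for that major,
    an assumption drawn from the release list) / unparsed."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparsed"
    major, minor = parsed
    if major not in FIXED_MINOR:
        return "unsupported"
    # Compare as integers: as strings, "16.9" would sort above "16.12".
    return "patched" if minor >= FIXED_MINOR[major] else "vulnerable"


def triage_inventory(rows):
    """rows: iterable of (host, internet_exposed, version_text).
    Returns findings with exposed vulnerable hosts first."""
    findings = [
        {"host": host, "exposed": exposed, "version": text, "status": triage(text)}
        for host, exposed, text in rows
    ]
    order = {"vulnerable": 0, "unsupported": 1, "unparsed": 2, "patched": 3}
    findings.sort(key=lambda f: (order[f["status"]], not f["exposed"], f["host"]))
    return findings


# Constructed inventory; hostnames and versions are illustrative.
SAMPLE_ROWS = [
    ("db-internal-1", False,
     "PostgreSQL 17.8 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit"),
    ("db-public-1", True,
     "PostgreSQL 16.9 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit"),
    ("legacy-1", False, "13.20"),
    ("ci-sandbox", False, "PostgreSQL 18beta2 on aarch64-unknown-linux-gnu"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_ROWS):
        print(f"{f['status']:<12} exposed={f['exposed']!s:<5} {f['host']}: {f['version']}")
```

The integer comparison is the part people get wrong in ad-hoc checks: a lexical comparison of "16.9" against "16.12" reports the older server as patched. The ordering puts internet-reachable vulnerable servers at the top because those are the ones where the SQL-injection path to code execution does not even require a stolen credential.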
Security incidents & campaigns
SANDWORM_MODE: Typosquatted npm Packages Used to Hijack CI Workflows
Researchers report an active npm supply-chain campaign ("SANDWORM_MODE") that spreads via intentionally malicious, typosquatted npm packages designed to look like popular developer and AI tooling libraries. No legitimate packages have been compromised; the activity relies entirely on look-alike package names to trick developers and CI pipelines into installing attacker-controlled packages.
Learn more here https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
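Because the campaign depends on a name being close to one a developer meant to type, a look-alike check over the lockfile is the obvious CI gate. The following is an added example, not code from the Socket report: it measures every dependency name against an approved-package list, flags near-miss spellings (edit distance of 1 or 2) and separator or case variants, and trusts exact matches. The approved list and the lockfile names are constructed; a real run would read them from package-lock.json and the organisation's own allowlist, and the distance threshold is this script's assumption.

```python
"""Flag dependency names that resemble, but are not, expected packages.

Added example, not from the Socket report. EXPECTED and LOCKFILE_DEPS are
constructed; in CI, read the lockfile's package names and the approved list
instead. The max_distance threshold of 2 is an assumption of this script.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), single-row iterative form."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Collapse the separator and case games typosquats rely on:
    '@scope/pkg' -> 'scope/pkg', 'lo-dash' and 'lo_dash' -> 'lodash'."""
    return name.lower().lstrip("@").replace("-", "").replace("_", "").replace(".", "")


def find_lookalikes(dependencies, expected, max_distance: int = 2):
    """One record per dependency that is close to an expected name without
    being that name. Exact matches are trusted as-is."""
    expected = set(expected)
    norm_expected = {normalize(e): e for e in expected}
    findings = []
    for dep in dependencies:
        if dep in expected:
            continue
        if normalize(dep) in norm_expected:
            findings.append({"package": dep, "resembles": norm_expected[normalize(dep)],
                             "distance": 0, "reason": "separator/case variant"})
            continue
        best = min(expected, key=lambda e: levenshtein(normalize(dep), normalize(e)))
        dist = levenshtein(normalize(dep), normalize(best))
        if dist <= max_distance:
            findings.append({"package": dep, "resembles": best,
                             "distance": dist, "reason": "near-miss spelling"})
    return findings


# Constructed approved list and lockfile contents; not the campaign's package names.
EXPECTED = ["openai", "langchain", "@anthropic-ai/sdk", "axios", "lodash", "express"]
LOCKFILE_DEPS = ["lodash", "express", "@anthropic-ai/sdk", "axois",
                 "langchian", "l0dash", "lo-dash", "left-pad"]

if __name__ == "__main__":
    for f in find_lookalikes(LOCKFILE_DEPS, EXPECTED):
        print(f"{f['package']:<12} ~ {f['resembles']:<20} d={f['distance']} ({f['reason']})")
```

A gate like this complements, rather than replaces, the basics: commit the lockfile, install with `npm ci` so a resolved name cannot drift, and run `npm ci --ignore-scripts` where the build does not need lifecycle scripts, since a typosquatted package's payload usually runs from a postinstall hook.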
TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes
TeamPCP (also tracked as PCPcat, ShellForce, and DeadCatx3) is a cloud-focused cybercrime group conducting worm-driven exploitation of exposed cloud-native control planes. Since December 2025, the group has systematically abused misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the react2shell vulnerability to build a distributed proxy, scanning, and monetization infrastructure used for data theft, extortion, cryptomining, and ransomware-related activity.
Read more here https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware
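Every service in that list is abused the same way: a control-plane listener bound to an address other than loopback, with no authentication in front of it. A host-level first pass, as an added example that is not code from the Flare report: it parses the output of `ss -ltn` and reports listeners on the products' documented default ports (Docker API 2375/2376, Kubernetes API server 6443, kubelet 10250, Ray dashboard 8265, Redis 6379) that are not bound to loopback. The `ss` sample is constructed. A wildcard binding is reachable only if nothing in front of it (host firewall, security group) blocks the port, so this is an inventory of candidates, not proof of internet exposure.

```python
"""Find control-plane listeners bound to non-loopback addresses.

Added example, not from the Flare report. Input is the text `ss -ltn` prints
on the host; SAMPLE_SS is constructed. Ports are the services' documented
defaults; a non-default port or a service behind a proxy will not show up.
"""

# Default ports of the services named in the campaign write-up.
CONTROL_PLANE_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    8265: "Ray dashboard",
    6379: "Redis",
}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
WILDCARDS = ("0.0.0.0", "*", "[::]")


def split_local(addr_port: str):
    """'0.0.0.0:2375' -> ('0.0.0.0', 2375); '[::]:10250' -> ('[::]', 10250)."""
    host, _, port = addr_port.rpartition(":")
    return host, int(port)


def exposed_control_planes(ss_output: str):
    """Listeners on known control-plane ports that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # `ss -ltn` columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, port = split_local(fields[3])
        if port not in CONTROL_PLANE_PORTS or host.startswith(LOOPBACK_PREFIXES):
            continue
        findings.append({
            "port": port,
            "service": CONTROL_PLANE_PORTS[port],
            "bound_to": host,
            "wildcard": host in WILDCARDS,  # every interface, incl. any public one
        })
    return findings


# Constructed `ss -ltn` output from a hypothetical worker node.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      4096   *:8265              *:*
LISTEN 0      4096   [::]:10250          [::]:*
LISTEN 0      128    10.0.0.12:6443      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    for f in exposed_control_planes(SAMPLE_SS):
        flag = "WILDCARD" if f["wildcard"] else "interface"
        print(f"{f['port']:<6} {f['service']:<24} {f['bound_to']:<12} {flag}")
```

The wildcard flag separates the two cases an operator cares about: a Docker API on `0.0.0.0:2375` is reachable from wherever the host's interfaces are, whereas an API server on a private address like `10.0.0.12` is at least limited to that network. Redis on loopback is dropped entirely, which is the configuration the campaign cannot reach from outside the host.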
Notepad++ Hijacked by State-Sponsored Hackers
In mid-2025, Notepad++ update infrastructure was compromised as part of a targeted supply-chain attack attributed by multiple researchers to a likely Chinese state-sponsored actor (dubbed Lotus Blossom), allowing selective redirection of update traffic to malicious servers and the deployment of a custom backdoor (dubbed Chrysalis). The supply-chain vector is no longer active, and the incident is unlikely to have affected cloud environments. CVE-2025-15556 was assigned to the incident on February 3, 2026.
Read more here https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts.