AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets – 01/20/2026

Canada’s Investment Regulator Confirms Data Breach Affecting 750,000 Investors

The Canadian Investment Regulatory Organization (CIRO) has confirmed that a sophisticated phishing attack it suffered in August 2025 impacted approximately 750,000 Canadian investors. After more than 9,000 hours of forensic investigation, CIRO disclosed that the compromised data includes dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers, and account statements. CEO Andrew Kriegler said the complexity of the cyberattack meant it took nearly five months to determine the full scope. CIRO emphasized that login credentials and passwords were not at risk since the organization doesn’t store such information, and there is no evidence the stolen data has been misused or published on the dark web. Affected investors are being notified and offered two years of free credit monitoring and identity theft protection.

Chinese-Linked Hackers Used VMware ESXi Zero-Day Toolkit a Year Before Disclosure

Security researchers at Huntress have detailed a sophisticated attack toolkit used by Chinese-speaking threat actors to escape virtual machines and compromise VMware ESXi hypervisors. The toolkit, dubbed MAESTRO, exploited three critical vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that weren’t publicly disclosed until March 2025, but development timestamps in the binaries suggest the exploits were created as early as February 2024. The attack, observed in December 2025, began with a compromised SonicWall VPN and used a Domain Admin account to pivot across networks before deploying the VM escape exploit. The toolkit supports 155 different ESXi builds spanning versions 5.1 through 8.0 and uses VSOCK-based backdoors that bypass traditional network monitoring entirely. As of January 8, 2026, over 30,000 internet-exposed ESXi instances remain potentially vulnerable.

Fortinet Patches Critical RCE Vulnerability in FortiOS and FortiSwitchManager

Fortinet has released urgent security updates addressing a high-severity heap-based buffer overflow vulnerability (CVE-2025-25249) in its FortiOS and FortiSwitchManager products. The flaw, discovered by Fortinet’s internal Product Security Team, exists in the CAPWAP Wireless Aggregate Controller Daemon and could allow an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests. Affected versions include FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and earlier releases dating back to 6.4.0. FortiSwitchManager versions 7.2.0 through 7.2.6 and 7.0.0 through 7.0.5 are also impacted. Organizations unable to patch immediately can mitigate the risk by removing “fabric” access from each interface or disallowing access to the CAPWAP daemon. This advisory comes on the heels of active exploitation of other critical Fortinet authentication bypass flaws discovered in December.

Critical FortiSIEM Vulnerability Allows Unauthenticated Remote Code Execution

A critical OS command injection vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM security information and event management platform could allow unauthenticated attackers to execute arbitrary code as root. The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued Advisory 2026-003 warning that successful exploitation could allow attackers to install programs, alter or delete data, or create new accounts with full user rights. Affected versions include FortiSIEM 7.4.0, 7.3.0 through 7.3.4, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, and 6.7.0 through 6.7.10. MS-ISAC assesses the risk as high for large and medium government organizations and businesses. At the time of the advisory’s issuance, there were no reports of active exploitation in the wild, but organizations are urged to apply patches immediately following appropriate testing.

Windows SMB Client Vulnerability Enables Complete Active Directory Takeover

Security researchers are warning about a critical improper access control vulnerability in the Windows SMB client that could allow attackers to achieve complete Active Directory domain compromise through NTLM reflection attacks. The vulnerability exploits weaknesses in how Windows handles NTLM authentication, allowing attackers who already have network access to trick clients into authenticating to malicious servers, then relay those authentication challenges back to legitimate servers. When successful, attackers can impersonate users with higher privileges, potentially gaining full domain controller access. Recommended mitigations include implementing SMB signing across all domain-joined machines, disabling NTLM where possible in favor of Kerberos authentication, enabling Extended Protection for Authentication (EPA), and implementing strong network segmentation to isolate critical Active Directory components from less secure network areas.
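An added example (not from the article or its sources): a PowerShell audit of the host-level mitigations the item lists, checking that SMB signing is required on both client and server, that NTLM is restricted, and, on a domain controller, that LDAP channel binding (one form of Extended Protection for Authentication) is enforced. The registry paths and value names are Microsoft's documented ones; the threshold values chosen (LmCompatibilityLevel 5, RestrictSendingNTLMTraffic 2, LdapEnforceChannelBinding 2) are the assumed hardened targets.

```powershell
# Audit (and optionally enforce) NTLM-relay mitigations on the local Windows host.
# Run from an elevated PowerShell prompt; -Remediate changes settings, otherwise read-only.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# 1. SMB signing must be *required* on both sides; merely "enabled" still lets a
#    relayed session negotiate an unsigned connection.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
if (-not $client.RequireSecuritySignature) { $findings += 'SMB client does not require signing' }
if (-not $server.RequireSecuritySignature) { $findings += 'SMB server does not require signing' }

# 2. NTLM restriction. RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny.
#    LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLM.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$send = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$lmcl = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($send -ne 2) { $findings += "Outgoing NTLM not denied (RestrictSendingNTLMTraffic=$send)" }
if ($lmcl -ne 5)  { $findings += "LmCompatibilityLevel is '$lmcl', expected 5" }

# 3. LDAP channel binding (EPA) only applies where NTDS is present, i.e. on a DC.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $cb = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    if ($cb -ne 2) { $findings += "LDAP channel binding not enforced (LdapEnforceChannelBinding=$cb)" }
}

if ($findings.Count -eq 0) { Write-Host 'All checked NTLM-relay mitigations are in place.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

if ($Remediate) {
    # -Force suppresses the confirmation prompt; signing becomes mandatory immediately.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # Move NTLM to audit (1) first and review the resulting 8001-8004 events before
    # setting deny (2); denying outright breaks anything that still depends on NTLM.
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    if (Test-Path $ntds) { Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 -Type DWord }
}
```

Deploy the same settings fleet-wide through Group Policy rather than per host; the script is meant for spot-checking a single machine or validating that policy actually applied.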
