Daily Threat Briefing: Australia – 14 January 2026

Executive Summary

The Australian cyber threat landscape for 14 January 2026 is dominated by a critical zero-day vulnerability in Microsoft Windows, actively exploited in the wild, and a confirmed breach of a major ASX-listed resource producer. The Australian Cyber Security Centre (ASD’s ACSC) has also issued fresh guidance on AI security following a surge in attacks targeting workflow automation platforms.

For security teams across Government, Healthcare, and SaaS, the priority today is patching the new Microsoft Desktop Window Manager flaw and auditing exposed automation tools.


Sector-Specific Threat Intelligence

Government & Critical Infrastructure

  • Microsoft Zero-Day (CVE-2026-20805): In the last 24 hours, Microsoft’s January Patch Tuesday release has highlighted CVE-2026-20805, a privilege escalation vulnerability in the Desktop Window Manager (DWM). CISA and the ACSC have confirmed this is being actively exploited. Attackers are using this to gain ‘SYSTEM’ privileges on compromised government and enterprise workstations.
  • Regis Resources Breach: Major Australian gold producer Regis Resources has confirmed a significant cyber incident. While details are emerging, this underscores the continued targeting of Australia’s critical resource sector by financially motivated ransomware groups.
  • DFAT Vulnerability: On a positive note, a critical vulnerability in Department of Foreign Affairs and Trade (DFAT) systems was responsibly disclosed by ethical hackers rather than exploited by nation-state actors, highlighting the value of robust Vulnerability Disclosure Programmes (VDPs).

Healthcare & eCommerce

  • The "MongoBleed" Aftershocks (CVE-2025-14847): Security teams are still battling the fallout from the "MongoBleed" memory leak vulnerability. Threat actors are actively scanning for unpatched MongoDB instances in Australian healthcare providers to exfiltrate unstructured patient data (PII/PHI).
  • eCommerce Session Hijacking: Retailers using MongoDB for session storage are at high risk. We have observed scripts in the wild attempting to scrape active session tokens via this flaw, potentially allowing account takeovers without credentials.

SaaS & FinTech

  • n8n Workflow Automation RCE (CVE-2026-21858): A Critical (CVSS 9.8) Remote Code Execution vulnerability in the popular n8n workflow automation platform was flagged this week. SaaS providers and FinTechs using n8n for backend integrations (e.g., connecting CRMs to banking APIs) must isolate these instances immediately. Exploitation allows unauthenticated attackers to execute arbitrary code on the hosting server.
  • IBM API Connect Auth Bypass: FinTechs relying on IBM API Connect for open banking implementations should review CVE-2025-13915. This authentication bypass flaw is being weaponised to skip API gateway security checks.

Education & EdTech

  • University Data Retention Risks: Following the massive data breaches at the University of Sydney and Western Sydney University in late 2025, threat actors are now targeting alumni databases in EdTech platforms. The focus has shifted to extracting long-term historical data for identity theft.

IoT & AI Systems

  • AI Security Alert: The ACSC released a new publication today (14 Jan 2026) regarding AI risks for small to medium businesses. This coincides with reports of Prompt Injection attacks targeting customer service chatbots, tricking them into revealing backend API keys.
  • WatchGuard Firebox Exploits: Organisations using WatchGuard Firebox devices for edge security (common in distributed IoT networks) must patch CVE-2025-14733 immediately. Active exploitation is providing attackers with initial access to OT (Operational Technology) networks.

Vulnerability Watchlist: Top 3 to Patch Now

  1. Microsoft Windows DWM (CVE-2026-20805):

    • Type: Privilege Escalation.
    • Status: Actively Exploited.
    • Action: Apply the January 2026 Patch Tuesday update immediately.
  2. n8n Workflow Automation (CVE-2026-21858):

    • Type: Unauthenticated Remote Code Execution.
    • Status: PoC publicly available.
    • Action: Update to the latest stable release or restrict internet access to the instance.
  3. MongoDB Server (CVE-2025-14847):

    • Type: Information Disclosure (Memory Leak).
    • Status: Targeted by ransomware groups.
    • Action: Upgrade to the latest patched version and audit log files for suspicious read operations.

Recommendations

Organisations should prioritise the patching of public-facing infrastructure, particularly the n8n and WatchGuard vulnerabilities. For internal networks, the Microsoft DWM flaw represents a critical risk: once an endpoint is compromised, it gives an attacker SYSTEM privileges, which in turn facilitates lateral movement.

Contact us for a quote for penetration testing services or adversary simulation.