Daily Threat Briefing: Critical n8n RCE, Microsoft Zero-Days & Prosura Breach

Executive Summary

The Australian cyber threat landscape has seen a significant surge in activity over the last 24 hours. Critical alerts have been issued for widely used workflow automation platforms and cloud infrastructure, placing SaaS providers, government agencies, and FinTech organisations on high alert.

Our analysis for today highlights a critical unauthenticated Remote Code Execution (RCE) in the n8n platform, the fallout from Microsoft’s January Patch Tuesday involving actively exploited Hyper-V zero-days, and a confirmed breach affecting Australian insurance provider Prosura.

Top Priority: Critical n8n Workflow Automation RCE

Target: SaaS Providers, API Integrators, FinTech Vulnerability: CVE-2026-21858 (Critical)

The Australian Cyber Security Centre (ACSC) and global threat intelligence firms have flagged active exploitation of a critical vulnerability in the n8n workflow automation platform.

  • The Threat: CVE-2026-21858 allows unauthenticated threat actors to execute arbitrary code on the underlying server via malformed form-based workflows.
  • Impact: As n8n is often used to glue together disparate APIs and handle sensitive data pipelines (FinTech data, customer details), a compromise here effectively grants attackers the "keys to the kingdom," allowing lateral movement into connected cloud services.
  • Action: Organisations using n8n must isolate instances immediately and apply the latest hotfix.

Sector Watch: Key Incidents & Trends

FinTech & eCommerce: Prosura Data Breach

Australian rental car insurance provider Prosura has confirmed a significant cyber incident resulting in unauthorised access to customer data.

  • Details: Threat actors accessed internal IT systems, exposing driver's licences and policy documents. The attackers also utilised the compromised infrastructure to send fraudulent emails to customers.
  • Response: Prosura has paused its online self-service portal while forensic investigations continue.
  • Takeaway: This incident underscores the growing trend of "island hopping"—where attackers compromise a trusted service provider to launch phishing campaigns against its user base from a legitimate domain.

Government & Cloud Infrastructure: Microsoft Patch Tuesday Fallout

Following the January Patch Tuesday (13 Jan), security teams across the Australian Government and enterprise sectors are racing to patch eight zero-day vulnerabilities.

  • Critical Focus: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 are actively exploited Privilege Escalation vulnerabilities in Windows Hyper-V.
  • Risk: These flaws allow an attacker with a foothold on a guest virtual machine to escape the sandbox and gain SYSTEM privileges on the host server. This is a "Code Red" risk for private cloud providers and government data centres relying on virtualised environments.

AI Systems: Open WebUI Code Injection

As AI adoption accelerates in Education and EdTech, a new vulnerability has emerged in Open WebUI (formerly Ollama WebUI), a popular self-hosted interface for LLMs.

  • Vulnerability: CVE-2025-64496 permits remote code injection via the 'Direct Connection' feature.
  • Risk: Attackers can hijack the AI interface to execute commands on the host, potentially poisoning models or exfiltrating proprietary training data.

Healthcare & IoT: WatchGuard & Trend Micro Alerts

  • Network IoT: A critical vulnerability in WatchGuard Firebox devices (CVE-2025-14733) is seeing active exploitation. Healthcare clinics using these appliances for edge security are urged to update firmware immediately to prevent perimeter breaches.
  • Security Management: Trend Micro Apex Central has patched a critical RCE (CVE-2025-69258) that allows attackers to execute code as SYSTEM without user interaction.

Threat Actor Activity

  • Medusa Ransomware: The group remains highly active in the region, recently claiming attacks on non-profits and healthcare adjacents. Their tactics continue to involve double extortion—encrypting data and threatening to leak sensitive medical records.
  • Crimson Collective: Following the Brightspeed breach, this group is showing increased aggression towards telecommunications and infrastructure targets.

Recommendations

  1. Patch n8n and Hyper-V: These are the most volatile vectors currently being exploited in the wild.
  2. Review Third-Party Risk: With the Prosura incident, verify the security posture of insurance and API partners.
  3. Secure AI Workloads: Ensure self-hosted AI tools like Open WebUI are not exposed to the public internet without strict access controls.

Contact us for a quote for penetration testing service or adversary simulation.

Contact us for a quote