F5 Threat Report - January 14th, 2026
Knownsec Leak Reveals China's Industrialized Cyber-Espionage Ecosystem
A significant data leak from the Chinese company Knownsec in November 2025 exposed its true nature as a state-aligned cyber contractor deeply integrated into China's national security, intelligence, and military objectives, rather than a conventional cybersecurity vendor. Knownsec's internal documents reveal a sophisticated, industrialized cyber-espionage ecosystem, including tools like ZoomEye for global internet-wide scanning and the Critical Infrastructure Target Library (TargetDB) which maps millions of foreign IPs, domains, and organizations by strategic value across 26 regions, with a strong focus on Taiwan, Japan, South Korea, and India. The company also maintains a massive `"o_data_*"` data lake of global breach data for identity correlation and deanonymization, enabling targeted social engineering. Its offensive toolkit comprises GhostX for browser exploitation, routing manipulation, and credential theft; Un-Mail for covert email account takeover and exfiltration across major global providers; and Passive Radar for reconstructing internal network topologies from PCAP data. Knownsec's organizational structure, including the 404 Security Lab and Military Products Division, mirrors a defense integrator, with primary clients being Public Security Bureaus, defense research institutes, and state-owned enterprises like State Grid and China Mobile, indicating a vertically integrated espionage stack for reconnaissance, exploitation, collection, and persistence in support of both domestic surveillance and foreign intelligence operations.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | GhostX, GhostX Framework, GhostX RAT, Un-Mail |
| CVEs: | CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, CVE-2018-0171, CVE-2018-13379, CVE-2019-19781, CVE-2019-3396, CVE-2020-10189, CVE-2021-26855, CVE-2021-27065, CVE-2021-44207, CVE-2021-44228 |
| Technologies: | Check Point Security Gateway, Fortinet FortiGate, Google Gmail, Microsoft Outlook, Microsoft Windows, Sophos Firewall, Yahoo Mail |
| Threat Actors: | 404Lab, APT31, APT41, MUSTANGPANDA |
| Attacker Countries: | China |
| Attacker IPs: | 103.21.60.3, 210.242.194.198, 219.80.43.14, 220.130.186.202, 220.130.186.203, 61.65.236.240 |
| Attacker Emails: | anyh@knownsec.com, chenc6@knownsec.com, chenh4@xm.knownsec.com, chenjz@xm.knownsec.com, chenrl@xm.knownsec.com, evp@knownsec.com, hey5@knownsec.com, liuj13@knownsec.com, liwc@xm.knownsec.com, mas@knownsec.com, niexy2@knownsec.com, raosh@knownsec.com, suig@knownsec.com, wangcp2@knownsec.com, wangl8@xm.knownsec.com, wangll@xm.knownsec.com, xuc2@knownsec.com, yangwh2@knownsec.com, zhanghj@knownsec.com, zouxy2@knownsec.com |
| Attacker Domains: | creategroup.cn, ittc.sh.cn, knownsec.com, knownsec.com.hk, rusnod.ru, seebug.org, telderi.ru, www.knownsec.com.hk, xm.knownsec.com, zoomeye.aigithub.com |
| Attacker URLs: | github.com/Knownsec404team, http://creategroup.cn, https://github.com/zoomeye-ai, https://www.knownsec.com.hk, https://www.knownsec.com.hk/, https://www.linkedin.com/company/上海国际技贸联合有限公司, http://www.ittc.sh.cn, www.linkedin.com/company/knownsec-hong-kong/, zhuanlan.zhihu.com/p/21881117943, zoomeye.aigithub.com/zoomeye-ai |
| Victim Industries: | Automotive, Cloud Infrastructure, Defense, Education, Energy, Financial Services, Government, Healthcare, Industrials, Multimedia, Retail, Social Media, Technology Hardware, Telecommunications, Transportation |
| Victim Countries: | Brazil, China, India, Japan, Russia, South Africa, South Korea, Taiwan, United States, Vietnam |
Mitigation Advice
- Add the IP addresses listed in Appendix A (210.242.194.198, 219.80.43.14, 220.130.186.202, 220.130.186.203, 103.21.60.3, 61.65.236.240) to the firewall blocklist.
- Immediately audit and apply all available security patches to internet-facing Fortinet devices.
- Immediately audit and apply all available security patches to internet-facing Sophos devices.
- Immediately audit and apply all available security patches to internet-facing Check Point devices.
- Audit all network routers and firewalls for any recently created or unauthorized administrator-level accounts.
- Review internal and external DNS server configurations and forwarders to ensure they point only to authorized and expected IP addresses.
- Add all specific email addresses and the domains @knownsec.com and @xm.knownsec.com listed in the article to the email gateway's blocklist.
Compliance Best Practices
- Prioritize and enforce the rollout of phishing-resistant multi-factor authentication (MFA) across all externally accessible services, including VPN, email, and cloud applications.
- Develop and implement a network segmentation strategy to isolate critical servers from user workstations and restrict east-west traffic based on the principle of least privilege.
- Deploy and tune an Endpoint Detection and Response (EDR) solution to create detection rules for suspicious browser process behavior, command-line execution patterns, and attempts to extract credentials from memory.
- Implement a Web Application Firewall (WAF) to protect all public-facing web applications and portals against common attacks like Cross-Site Scripting (XSS).
- Implement a network detection and response (NDR) tool to establish baseline traffic patterns and create alerts for anomalous activity, such as large outbound data transfers over FTP or SSH from non-standard servers.
- Establish a recurring security awareness training program that educates employees on identifying and reporting sophisticated phishing attacks that may leverage their personal or professional information found in data breaches.
OWASP CRS Flaw Lets Encoded Attacks Slip Past WAFs
A critical vulnerability, identified as CVE-2026-21876 with a CVSS score of 9.3, has been discovered in the OWASP Core Rule Set (CRS), allowing encoded Cross-Site Scripting (XSS) attacks to bypass Web Application Firewalls (WAFs). This flaw affects CRS versions 3.3.x through 3.3.7 and 4.0.0 through 4.21.0, specifically impacting rule 922110 in Apache ModSecurity, ModSecurity v3, and Coraza environments. The bypass occurs because rule 922110, designed to detect dangerous character encodings like UTF-7 in multipart form requests, only validates the final segment of such requests. Attackers can exploit this by embedding a malicious UTF-7 encoded JavaScript payload in an earlier part of a multipart request, followed by benign UTF-8 content in the final segment, thereby evading WAF detection. To mitigate this risk, immediate upgrades to CRS version 4.22.0 or 3.3.8 are essential, alongside verifying WAF configurations, restricting accepted character encodings to UTF-8, implementing custom WAF rules for mixed charset declarations, strengthening application-layer defenses with robust input validation and Content Security Policy headers, and enhancing monitoring and incident response capabilities. This incident underscores the necessity for continuous validation and updating of security controls, moving away from "set-and-forget" approaches towards principles of continuous verification.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | Archer RAT, RUSTRIC, RustyWater |
| CVEs: | CVE-2026-21876 |
| Technologies: | ModSecurity, OWASP Coraza, OWASP Core Rule Set |
| Victim Industries: | E-commerce, Financial Services, Government, Healthcare, Technology Hardware |
Mitigation Advice
- Identify all Web Application Firewall (WAF) instances using OWASP Core Rule Set (CRS) and upgrade them to a patched version, either 4.22.0 or 3.3.8, to fix the vulnerability.
- Analyze WAF and web server logs for evidence of exploitation, specifically looking for multipart form requests that contain non-standard character encodings like UTF-7 or have mixed charsets across different parts.
- Configure all public-facing web servers, such as Apache or Nginx, to only accept UTF-8 character encoding and explicitly reject requests with other encodings, especially UTF-7 and UTF-16.
- If patching the OWASP Core Rule Set cannot be done immediately, create a custom WAF rule to inspect all parts of a multipart request for dangerous character encodings, not just the final part.
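The bypass and the custom-rule workaround above come down to one question: does the check look at every part of the multipart body, or only the last one? The following Python is an added example written for this report, not CRS or ModSecurity code. It splits a multipart/form-data body into its parts, extracts each part's declared charset, and contrasts a last-part-only check (the behaviour the advisory attributes to rule 922110) with a check over all parts. The boundary string, the sample body, and the allowed-charset set are constructed for the example; the sample's UTF-7-declared part contains only the plain text "hello", since the detection keys on the charset declaration, not the content.

```python
"""Check every part of a multipart/form-data body for non-UTF-8 charset
declarations. Added example for this report; not CRS/ModSecurity code."""
import re
from typing import List, Tuple

# Only plain UTF-8 is accepted; UTF-7, UTF-16 and anything else is flagged.
ALLOWED_CHARSETS = {"utf-8", "utf8"}

# Matches "charset=utf-7" or charset="UTF-7" inside a part's header block.
_CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9_\-]+)"?', re.IGNORECASE)


def split_multipart(body: bytes, boundary: str) -> List[Tuple[str, bytes]]:
    """Return (header_block, content) for each part of a multipart body."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Tuple[str, bytes]] = []
    for chunk in body.split(delimiter)[1:]:      # chunk 0 is the preamble
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        chunk = chunk.lstrip(b"\r\n")
        header_blob, _, content = chunk.partition(b"\r\n\r\n")
        parts.append((header_blob.decode("latin-1"), content.rstrip(b"\r\n")))
    return parts


def declared_charsets(part_headers: str) -> List[str]:
    """All charset values declared in one part's headers, lower-cased."""
    return [cs.lower() for cs in _CHARSET_RE.findall(part_headers)]


def check_last_part_only(body: bytes, boundary: str) -> bool:
    """Models the flawed check: True ("clean") if the final part is UTF-8,
    regardless of what earlier parts declare."""
    parts = split_multipart(body, boundary)
    if not parts:
        return True
    return all(cs in ALLOWED_CHARSETS for cs in declared_charsets(parts[-1][0]))


def check_all_parts(body: bytes, boundary: str) -> List[Tuple[int, str]]:
    """Corrected check: returns (part_index, charset) for every part whose
    declared charset is not UTF-8. An empty list means the request is clean."""
    findings: List[Tuple[int, str]] = []
    for idx, (headers, _content) in enumerate(split_multipart(body, boundary)):
        for cs in declared_charsets(headers):
            if cs not in ALLOWED_CHARSETS:
                findings.append((idx, cs))
    return findings


# Constructed sample: a UTF-7-declared part followed by a benign UTF-8 part.
BOUNDARY = "----exampleBoundary"
EVASIVE_BODY = (
    b"------exampleBoundary\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------exampleBoundary\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"alice\r\n"
    b"------exampleBoundary--\r\n"
)

# Constructed sample: every part declares UTF-8.
CLEAN_BODY = (
    b"------exampleBoundary\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"alice\r\n"
    b"------exampleBoundary--\r\n"
)

if __name__ == "__main__":
    print("last-part-only check passes evasive body:",
          check_last_part_only(EVASIVE_BODY, BOUNDARY))
    print("all-parts check findings:", check_all_parts(EVASIVE_BODY, BOUNDARY))
```

Run against `EVASIVE_BODY`, the last-part-only check reports the request as clean while the all-parts check returns `[(0, "utf-7")]`; a custom WAF rule or log-hunting query should follow the second shape, iterating over every part's headers rather than the final one.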
Compliance Best Practices
- Establish a secure coding program to enforce strict, server-side input validation on all user-supplied data across all web applications to prevent XSS attacks at the source.
- Mandate the use of context-aware output encoding libraries and practices in all web application development to neutralize any malicious scripts before they are sent to the user's browser.
- Develop and deploy a restrictive Content Security Policy (CSP) across all web applications to limit the impact of potential XSS vulnerabilities by controlling script execution sources.
- Improve security monitoring capabilities by creating specific alerts for anomalous HTTP traffic patterns, such as multipart requests with unusual or mixed character set declarations, to detect novel bypass techniques.
- Schedule and conduct regular incident response tabletop exercises that simulate a WAF bypass and subsequent web application compromise to test and improve your team's detection and response procedures.
CVE-2026-21858 aka Ni8mare: Critical Unauthenticated Remote Code Execution Vulnerability in n8n Platform
A critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21858 and dubbed Ni8mare, has been identified in the n8n AI workflow automation platform, carrying a maximum CVSS score of 10.0. This flaw, affecting all n8n versions up to and including 1.65.0, stems from a weakness in the platform's webhook request parsing and file handling logic. Specifically, when a crafted HTTP request is sent to a Forms Webhook node with a deliberately misstated "Content-Type" header (other than `multipart/form-data`), the `parseBody()` function can be exploited to overwrite the `req.body.files` variable with attacker-controlled data. This allows an attacker to specify arbitrary file paths on the local system, leading to the `copyBinaryFile()` function copying these specified local files into persistent storage without verifying their origin. Exploitation of Ni8mare can grant unauthenticated attackers full control over exposed n8n instances, potentially leading to sensitive data exposure, workflow manipulation, and credential compromise. With over 26,500 internet-accessible n8n hosts reported globally, the potential attack surface is substantial. The vulnerability was reported on November 9, 2025, and addressed in version 1.121.0, released on November 18, 2025; users are strongly advised to upgrade immediately, and temporary mitigations include restricting or disabling publicly accessible webhook and form endpoints.
Severity: Critical
Sources
- https://arcticwolf.com/resources/blog/cve-2026-21858/
- https://buaq.net/go-386499.html
- https://buaq.net/go-386542.html
- https://buaq.net/go-387142.html
- https://cyberpress.org/ni8mare-vulnerability/
- https://cyberscoop.com/n8n-critical-vulnerability-massive-risk/
- https://horizon3.ai/attack-research/attack-blogs/the-ni8mare-test-n8n-rce-under-the-microscope-cve-2026-21858/
- https://infosecwriteups.com/critical-n8n-security-vulnerability-cve-2026-21858-demands-immediate-action-c4bd95b5d93c?source=rss----7b722bfd1b8d---4
- https://orca.security/resources/blog/cve-2026-21858-n8n-rce-vulnerability/
- https://securityonline.info/public-exploit-released-critical-n8n-flaw-cve-2026-21858-exposes-100k-servers/
- https://socprime.com/blog/cve-2026-21858-vulnerability/
- https://socradar.io/blog/ni8mare-flaw-n8n-cve-2026-21858/
- https://sploitus.com/exploit?id=329E5BE3-360F-5C2E-8422-B4D96C9C6E68
- https://thecyberexpress.com/cve-2026-21858-n8n-webhook-vulnerability/
- https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html
- https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
- https://www.cyberkendra.com/2026/01/how-100000-automation-servers-became.html
- https://www.hendryadrian.com/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
- https://www.infosecurity-magazine.com/news/maximum-severity-ni8mare-bug/
- https://www.securityweek.com/critical-vulnerability-exposes-n8n-instances-to-takeover-attacks/
- https://www.techzine.eu/news/security/137741/ni8mare-vulnerability-affects-n8n-platform-with-a-score-of-10-0/
- https://www.thehackerwire.com/n8n-unauth-file-read-via-workflow-execution/
- https://www.theregister.com/2026/01/08/n8n_rce_bug/
Threat Details and IOCs
| CVEs: | CVE-2025-68613, CVE-2025-68668, CVE-2026-21858, CVE-2026-21877 |
| Technologies: | Docker, Linux, n8n, OpenAI, SQLite |
| Attacker Countries: | Bangladesh, Myanmar |
| Victim Industries: | Advertising Services, Airlines & Aviation, Artificial Intelligence, Construction, Customer Service, E-commerce, Education, Financial Services, Food and Beverage Services, Food & Beverage, Healthcare, Hospitals and Health Care, Human Resources, Information Technology, IT Services, Legal Services, Logistics, Manufacturing, Marketing & Advertising, Media and Entertainment, Professional Services, Real Estate, Retail, Sales & Marketing, Software, Software as a Service (SaaS), Supply Chain, Technology Hardware, Telecommunications, Transportation Equipment Manufacturing, Venture Capital & Private Equity |
| Victim Countries: | Australia, Brazil, Canada, Denmark, Finland, France, Germany, Iceland, India, Israel, Italy, Netherlands, Norway, Singapore, Spain, Sweden, Ukraine, United Arab Emirates, United Kingdom, United States, Vietnam |
Mitigation Advice
- Immediately upgrade all n8n instances to version 1.121.0 or later to patch the CVE-2026-21858 vulnerability.
- Immediately scan the network and review software inventories to identify all instances of the n8n platform in use within the organization.
- If you cannot immediately upgrade n8n, restrict access to or disable all publicly accessible webhook and form endpoints to prevent unauthenticated exploitation.
- Hunt for exploitation attempts by reviewing web server and application logs for requests to n8n webhook endpoints where the 'Content-Type' header is not 'multipart/form-data' but the request body contains file path definitions.
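The last item above describes a log hunt: requests to n8n form or webhook endpoints whose Content-Type is something other than multipart/form-data but whose body nonetheless carries file definitions. The following Python is an added example written for this report, not n8n code. It applies that logic to a list of constructed access-log records. The endpoint prefixes (`/webhook/`, `/webhook-test/`, `/form/`, `/form-test/`), the record field names, and the key names inside the sample bodies are assumptions; the path detection is deliberately recursive so it does not depend on a particular key name, and the sample paths are placeholders.

```python
"""Hunt access-log records for n8n form/webhook requests whose Content-Type is
not multipart/form-data yet whose body carries a 'files' object containing
local path strings. Added example for this report; not n8n code."""
import json
import re
from typing import Any, Dict, List

# Assumed n8n trigger endpoint prefixes (assumption for this example).
N8N_TRIGGER_PREFIXES = ("/webhook/", "/webhook-test/", "/form/", "/form-test/")

# Strings that look like an absolute path, a drive path, a home path or a
# directory traversal are treated as file path definitions.
PATH_LIKE = re.compile(r"(^/|^[A-Za-z]:\\|\.\./|^~/)")


def _has_file_paths(node: Any) -> bool:
    """Recursively search any JSON value for path-like strings."""
    if isinstance(node, str):
        return bool(PATH_LIKE.search(node))
    if isinstance(node, dict):
        return any(_has_file_paths(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_file_paths(v) for v in node)
    return False


def is_suspicious(record: Dict[str, str]) -> bool:
    """True when a request matches the hunt criteria from the advisory."""
    path = record.get("path", "")
    if not path.startswith(N8N_TRIGGER_PREFIXES):
        return False                     # not a form/webhook trigger endpoint
    ctype = record.get("content_type", "").split(";")[0].strip().lower()
    if ctype == "multipart/form-data":
        return False                     # the encoding a real form submission uses
    try:
        body = json.loads(record.get("body") or "null")
    except json.JSONDecodeError:
        return False                     # not a structured body; nothing to inspect
    if not isinstance(body, dict) or "files" not in body:
        return False
    return _has_file_paths(body["files"])


def hunt(records: List[Dict[str, str]]) -> List[str]:
    """Return the ids of records that match the hunt criteria."""
    return [r["id"] for r in records if is_suspicious(r)]


# Constructed sample records (field names and contents are made up).
SAMPLE_RECORDS = [
    # Ordinary browser form submission: multipart, skipped.
    {"id": "r1", "path": "/form/abc123",
     "content_type": "multipart/form-data; boundary=xyz", "body": ""},
    # Mismatched Content-Type and a 'files' object naming a local path: flagged.
    {"id": "r2", "path": "/form/abc123", "content_type": "application/json",
     "body": '{"files": {"upload": {"filepath": "/tmp/placeholder.txt"}}}'},
    # 'files' key present but only a bare filename, no path: not flagged.
    {"id": "r3", "path": "/webhook/orders", "content_type": "application/json",
     "body": '{"order": 42, "files": {"receipt": {"filename": "receipt.pdf"}}}'},
    # Same body shape on a non-trigger endpoint: out of scope for this hunt.
    {"id": "r4", "path": "/rest/login", "content_type": "application/json",
     "body": '{"files": {"x": {"filepath": "/tmp/placeholder.txt"}}}'},
    # Traversal-style path inside a list: flagged.
    {"id": "r5", "path": "/webhook-test/demo", "content_type": "text/plain",
     "body": '{"files": [{"filepath": "../placeholder.txt"}]}'},
]

if __name__ == "__main__":
    print("suspicious request ids:", hunt(SAMPLE_RECORDS))
```

The same predicate can sit in front of the instance as a WAF rule, as the compliance item on mismatched Content-Type suggests; in that position the safe default is to reject, not merely log, since a legitimate form trigger submission arrives as multipart/form-data.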
Compliance Best Practices
- Develop and enforce a policy to place internal services like n8n behind a VPN or other authenticated access controls, and formally review all requests for public internet exposure.
- Implement network segmentation to isolate servers running workflow automation platforms like n8n from other critical internal network segments, limiting the potential impact of a successful compromise.
- Deploy or configure a Web Application Firewall (WAF) to inspect and block anomalous HTTP requests to web applications, including rules that detect mismatched 'Content-Type' headers and body content.
- Review and strengthen the vulnerability management program to ensure timely identification, prioritization, and patching of critical vulnerabilities in all third-party software, with specific focus on internet-facing applications.
Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions
Trend Micro has issued security updates for multiple vulnerabilities affecting on-premise versions of Apex Central for Windows, specifically those below Build 7190. The most severe, CVE-2025-69258, is a Remote Code Execution (RCE) flaw with a CVSS score of 9.8. This LoadLibraryEx vulnerability enables an unauthenticated remote attacker to load a controlled DLL into the MsgReceiver.exe component by sending a specific message (0x0a8d, `"SC_INSTALL_HANDLER_REQUEST"`), resulting in code execution with SYSTEM privileges. Two additional Denial-of-Service (DoS) vulnerabilities, CVE-2025-69259 and CVE-2025-69260, both rated 7.5 CVSS, were also patched. These DoS flaws, stemming respectively from an unchecked NULL return value and an out-of-bounds read in message handling, can be exploited by an unauthenticated remote attacker sending a specially crafted message (0x1b5b, `"SC_CMD_CGI_LOG_REQUEST"`) to the MsgReceiver.exe process on TCP port 20001. Tenable is credited with discovering and reporting these vulnerabilities in August 2025. Organizations are advised to apply the necessary security updates and to review remote access to critical systems, ensuring that security policies and perimeter defenses are current.
Severity: Critical
Sources
- https://buaq.net/go-386777.html
- https://cyberpress.org/trend-micro-apex-central-vulnerabilities-enable-remote-code-execution-attacks/
- https://cyberveille.esante.gouv.fr/alertes/trendmicro-cve-2025-69258-2026-01-09
- https://gbhackers.com/trend-micro-apex-central-flaw/
- https://securityonline.info/public-exploit-released-critical-trend-micro-flaw-grants-system-access/
- https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html
- https://www.esecurityplanet.com/threats/trend-micro-apex-central-flaws-enable-remote-code-execution/
- https://www.helpnetsecurity.com/2026/01/08/trend-micro-apex-central-cve-2025-69258-rce-poc/
- https://www.techzine.eu/news/security/137798/trend-micro-closes-critical-vulnerabilities-in-apex-central/
- https://www.thehackerwire.com/trend-micro-apex-central-rce-via-loadlibraryex/
Threat Details and IOCs
| CVEs: | CVE-2022-26871, CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 |
| Technologies: | Microsoft Windows, Trend Micro Apex Central |
| Victim Industries: | Automotive, Cloud Infrastructure, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Oil & Gas, Retail |
| Victim Countries: | France, Japan, United States |
Mitigation Advice
- Identify all on-premise Trend Micro Apex Central for Windows instances and immediately apply the security updates to upgrade them to Build 7190 or a later version.
- Implement a firewall rule to block all inbound traffic to TCP port 20001 on Trend Micro Apex Central servers from untrusted networks and allow access only from required endpoints and management stations.
- On Trend Micro Apex Central servers, use endpoint security tools to monitor the `MsgReceiver.exe` process for the loading of unusual or unsigned DLLs and for spawning unexpected child processes.
- Scan network traffic logs for connection attempts to TCP port 20001 on Apex Central servers, investigating any connections from unexpected or external IP addresses.
Compliance Best Practices
- Establish and enforce a formal patch management policy that defines specific timelines for applying security updates based on their severity, ensuring critical vulnerabilities are addressed within 72 hours.
- Implement network segmentation to create a secure management zone for critical infrastructure servers, including Trend Micro Apex Central, restricting all inbound and outbound traffic to only what is explicitly authorized.
- Develop and maintain a comprehensive software asset inventory that includes application names, versions, and owners, enabling rapid identification of systems vulnerable to newly disclosed threats.
- Conduct quarterly reviews of firewall rules and access control lists for critical servers to ensure they adhere to the principle of least privilege and that all access is documented and approved.
ZDI-26-034 / CVE-2026-0768: 0-Day Code Injection RCE Vulnerability in Langflow
A critical code injection remote code execution vulnerability, identified as ZDI-26-034 and CVE-2026-0768, affects installations of Langflow. This flaw, assigned a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows unauthenticated remote attackers to execute arbitrary code. The vulnerability stems from insufficient validation of a user-supplied string within the `code` parameter provided to the `validate` endpoint, which is subsequently used to execute Python code. Successful exploitation grants an attacker the ability to execute code in the context of root. The vulnerability was reported on July 18, 2025, and publicly disclosed as a 0-day on January 9, 2026. The only salient mitigation strategy is to restrict interaction with the product. This vulnerability was discovered by Peter Girnus, William Gamazo Sanchez, and Alfredo Oliveira.
Severity: High
Threat Details and IOCs
| CVEs: | CVE-2026-0768 |
| Technologies: | Langflow, Linux |
| Victim Industries: | Customer Service, Financial Services, Human Resources, Logistics, Manufacturing, Marketing & Advertising, Sales & Marketing |
Mitigation Advice
- Immediately conduct an inventory of all assets to identify any running instances of the Langflow application.
- Configure perimeter firewalls to deny all inbound internet traffic to any identified Langflow instances.
- Hunt for compromise by searching web server and application logs for requests to the '/validate' endpoint, particularly any requests containing a 'code' parameter.
- If Langflow must remain accessible, configure a Web Application Firewall (WAF) to block any HTTP requests targeting the '/validate' URI path.
Compliance Best Practices
- Enforce the principle of least privilege by reconfiguring all production and development services, including Langflow, to run using dedicated, unprivileged service accounts instead of as the 'root' user.
- Implement a comprehensive software asset management program to maintain a real-time inventory of all applications deployed in the environment.
- Adopt a network segmentation strategy that isolates internal-facing tools and development environments from the public internet, requiring VPN access for remote users.
- Incorporate CVE-2026-0768 into the vulnerability management watchlist and ensure the official patch from the Langflow vendor is applied to all affected systems as soon as it is released.