Acting CISA head got grilled on mass firings at the agency
EU's CIRCL launches GCVE system, DeFi project EVM was exploited for $6m, Attackers exploit patch bypass for FortiGate flaw, Cisco fixes Unified Communications and Webex Calling RCE flaw, Mass spam wave emanates from unsecured Zendesk support systems, much more

Madhu Gottumukkala, the acting head of the Cybersecurity and Infrastructure Security Agency, faced pointed questions from lawmakers about CISA's personnel decisions and staffing level, with the most damaging questions focused on his slashing of employee headcounts at the agency.
The top Democrat on the panel, Mississippi’s Bennie Thompson, entered a chart into the hearing record that showed the number of personnel had fallen from 3,387 before President Donald Trump’s inauguration to 2,389 by the middle of December, or a loss of 998 people. Those figures aligned closely with the numbers Gottumukkala gave in testimony.
Under questioning from Thompson, Gottumukkala said CISA’s attrition rate was 7.5% last year, a figure he said was lower than most agencies. Gottumukkala said the agency has “the required staff” to do its work. However, Thompson said he was still awaiting an expected letter from Gottumukkala on workforce needs and wanted a more precise number on current vacancies.
Gottumukkala also wouldn’t say whether the agency had carried out a study to determine whether its staffing was sufficient. In response to questions from Garbarino, Gottumukkala noted there were no further planned organizational changes at CISA.
Democrats pressed Gottumukkala repeatedly on whether any CISA personnel had been reassigned to work on immigration enforcement. He said that had not happened during his time at the agency, a claim that contradicts published reports and that Democrats said was false. The chart Thompson referenced showed 65 employees being reassigned out of CISA.
Responding to a report that Gottumukkala had tried to force out Robert Costello, the agency’s CIO, Gottumukkala said individual agency personnel's “decisions are not made in a vacuum. It is a leadership-level [decision] at the highest levels, and we work according to how we see the roles fit.”
Garbarino told reporters after the hearing that “I don’t know whose decision it is making that personnel [move], but it was stopped, which is probably a good thing.” (Tim Starks / CyberScoop)
Related: NextGov/FCW
The Computer Incident Response Center Luxembourg (CIRCL), a European cybersecurity organization, has launched the Global CVE Allocation System, or GCVE, a decentralized system for identifying and numbering software security vulnerabilities, introducing a fundamental shift in how the global technology community could track and manage security flaws.
The system will be maintained by The Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when the Cybersecurity and Infrastructure Security Agency initially failed to renew its contract with MITRE, the nonprofit that operates the CVE system. A last-minute extension averted immediate collapse, but the near-miss exposed the 25-year-old program’s dependence on a single funding source and triggered development of competing models.
Unlike the traditional CVE system, which relies on a centralized structure for assigning vulnerability identifiers, GCVE introduces independent numbering authorities that can allocate identifiers without seeking pre-allocated blocks from a central body or adhering strictly to centrally enforced policies.
Each approved numbering authority receives a unique numeric identifier that becomes part of the vulnerability identification format, allowing organizations to assign identifiers at their own pace and define their own internal policies for vulnerability identification. (Greg Otto / CyberScoop)
Related: GCVE, IT Pro, SC Media, HackRead, Infosecurity Magazine, The Cyber Express
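To make the decentralized-allocation point concrete, here is an added example (not code from GCVE, CIRCL or CyberScoop) that parses identifiers of the form `GCVE-<GNA id>-<year>-<unique id>`, maps classic CVE ids into the compatibility space that the scheme reserves for them, and shows two numbering authorities allocating independently. Assumptions: the identifier layout and the reservation of GNA 0 for CVE ids reflect my reading of the public scheme; the registry entries other than 0, the 4-digit zero padding, and the allocator itself are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Identifier format as I understand it from the GCVE documentation:
#   GCVE-<GNA id>-<year>-<unique id>
# The digit-count rule for the last field is an assumption; the parser only
# requires each field to be numeric.
_GCVE_RE = re.compile(r"^GCVE-(?P<gna>\d+)-(?P<year>\d{4})-(?P<uid>\d+)$")
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<uid>\d{4,})$")

# Illustrative GNA registry. GNA 0 being reserved for classic CVE identifiers
# is how the scheme is described; the other entries are constructed placeholders.
GNA_REGISTRY: Dict[int, str] = {
    0: "CVE (MITRE) compatibility space",
    1: "CIRCL (assumed entry for the operator)",
    9999: "Example vendor GNA (constructed)",
}


@dataclass(frozen=True)
class GcveId:
    gna: int   # numbering authority that issued the identifier
    year: int
    uid: str   # kept as a string so any zero padding survives round-trips

    def __str__(self) -> str:
        return f"GCVE-{self.gna}-{self.year}-{self.uid}"


def parse_gcve(text: str) -> GcveId:
    """Parse a GCVE identifier; raise ValueError on anything else."""
    m = _GCVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a GCVE identifier: {text!r}")
    return GcveId(int(m["gna"]), int(m["year"]), m["uid"])


def from_cve(cve: str) -> str:
    """Map a classic CVE id into the GNA-0 compatibility space."""
    m = _CVE_RE.match(cve.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return str(GcveId(0, int(m["year"]), m["uid"]))


def to_cve(gcve: GcveId) -> Optional[str]:
    """Only GNA-0 identifiers have a CVE equivalent; others return None."""
    return f"CVE-{gcve.year}-{gcve.uid}" if gcve.gna == 0 else None


def issuing_authority(gcve: GcveId, registry: Dict[int, str] = GNA_REGISTRY) -> str:
    """Look up which authority issued the identifier (constructed registry)."""
    return registry.get(gcve.gna, f"unknown GNA {gcve.gna}")


class GnaAllocator:
    """Per-authority allocator. Counters are local to the GNA, so two
    authorities can both hand out unique id 1 in the same year without
    colliding, because the GNA field keeps the identifiers distinct."""

    def __init__(self, gna: int) -> None:
        self.gna = gna
        self._next: Dict[int, int] = {}  # year -> next unique id

    def allocate(self, year: int) -> str:
        n = self._next.get(year, 1)
        self._next[year] = n + 1
        return str(GcveId(self.gna, year, f"{n:04d}"))  # 4-digit padding is an assumption


if __name__ == "__main__":
    vendor = GnaAllocator(9999)
    first = vendor.allocate(2026)
    print(first, "issued by", issuing_authority(parse_gcve(first)))
    print(from_cve("CVE-2025-59718"), to_cve(parse_gcve("GCVE-0-2025-59718")))
```

The allocator is the part worth noticing: there is no request to a central body for a block of numbers, only a counter the authority owns, which is exactly the property the article describes.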
DeFi project Saga EVM was exploited, resulting in a loss of at least 2,000 ETH valued at around $6 million and the halting of the network.
The exploit originated in Saga’s own infrastructure, and did not come from the Oku or Uniswap exchanges, which carry some of Saga’s assets, per reports.
The Saga attack involved the unauthorized minting of Saga Dollar (D) tokens. The attacker bridged the tokens to Ethereum and used them to buy over 2,000 ETH, trading the remaining stablecoins through Uniswap V4.
The total losses are estimated at $6.8M, as new D stablecoins were minted without any real collateral. The ETH from the exploit is still held in a single address and has not been moved or mixed. The exploiter still holds a remaining D stablecoin balance of over $12M, in addition to smaller amounts of tokens. (Hristina Vasileva / Cryptopolitan)
Related: CoinCentral, MEXC, Decrypt, Forklog, Protos
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To turn off FortiCloud login, admins have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. The same setting can also be changed from the command-line interface.
As Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the internet. (Sergiu Gatlan / Bleeping Computer)
Related: Fortinet, Arctic Wolf, Help Net Security, Cyber Press, Security Affairs, BankInfoSecurity, GBHackers, r/cybersecurity
Cisco fixed a critical Unified Communications and Webex Calling remote code execution vulnerability that has been actively exploited as a zero-day in attacks.
Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
"This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device," warns Cisco's advisory.
"A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers. (Lawrence Abrams / Bleeping Computer)
Related: Cisco, Cyber Press, Security Affairs, GBHackers
People worldwide are being targeted by a massive spam wave originating from unsecured Zendesk support systems, with victims reporting receiving hundreds of emails with strange and sometimes alarming subject lines.
The wave of spam messages started on January 18th, with people reporting on social media that they received hundreds of emails.
While the messages do not appear to contain malicious links or blatant phishing attempts, the sheer volume and chaotic nature of the emails have made them highly confusing and potentially alarming for recipients.
The emails are being generated by support platforms run by companies that use Zendesk for customer service.
Attackers are abusing Zendesk's ability to allow unverified users to submit support tickets, which then automatically generate confirmation emails sent to the email address the attacker entered.
Because Zendesk sends automated replies confirming that a ticket was received, the attackers are able to turn these systems into a mass-spamming platform by iterating through large lists of email addresses when creating fake support tickets.
Companies whose Zendesk instances were seen impacted include: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime.
The emails have bizarre subjects, with some pretending to be law-enforcement requests or corporate takedowns, while others offer free Discord Nitro or say "Help Me!" Many also use Unicode characters that mimic bold or decorative fonts, in multiple languages. (Lawrence Abrams / Bleeping Computer)
Related: Darknetsearch
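The abuse pattern above (unverified ticket submissions fanned out across a list of addresses, with subjects dressed up in Unicode look-alike fonts) has a simple detection shape. The following is an added example, not code from Zendesk or from the Bleeping Computer report: it runs a sliding-window burst detector over constructed ticket-creation events and scores subjects for styled Unicode letters by checking whether a non-ASCII letter NFKC-normalizes to plain ASCII. The event field names are my own assumption, not Zendesk's audit or webhook schema, and the sample events and thresholds are constructed.

```python
import unicodedata
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _make_sample_events() -> List[Dict]:
    """Constructed sample. Field names are an assumption for this example."""
    base = datetime(2026, 1, 18, 9, 0, 0)
    events = []
    # One source opening unverified tickets for 25 different addresses in 48 s,
    # with "Help Me!" spelled in Unicode mathematical bold letters on every other ticket.
    bold_help_me = "\U0001d5db\U0001d5f2\U0001d5f9\U0001d5fd \U0001d5e0\U0001d5f2!"
    for i in range(25):
        events.append({
            "ts": base + timedelta(seconds=2 * i),
            "source_ip": "203.0.113.7",
            "requester_email": f"recipient{i}@example.net",
            "requester_verified": False,
            "subject": bold_help_me if i % 2 else "Free Nitro for you",
        })
    # Ordinary traffic: verified requesters, different sources, plain subjects.
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        events.append({
            "ts": base + timedelta(minutes=i),
            "source_ip": ip,
            "requester_email": f"customer{i}@example.org",
            "requester_verified": True,
            "subject": "Cannot log in to my account",
        })
    return events


SAMPLE_EVENTS = _make_sample_events()


def styled_char_ratio(text: str) -> float:
    """Fraction of letters that are non-ASCII look-alikes of ASCII letters.
    NFKC folds Unicode mathematical bold/italic/script letters back to plain
    ASCII, so a letter that is not ASCII but normalizes to ASCII is a styled font."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    styled = sum(
        1 for c in letters
        if not c.isascii() and unicodedata.normalize("NFKC", c).isascii()
    )
    return styled / len(letters)


def detect_bursts(events, window=timedelta(seconds=60),
                  min_tickets=20, min_distinct_ratio=0.9):
    """Flag a source that opens many unverified tickets for mostly distinct
    requester addresses inside one time window. Returns one alert per source,
    reporting the largest qualifying window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["source_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_tickets:
                continue
            distinct = len({e["requester_email"] for e in win}) / len(win)
            all_unverified = all(not e["requester_verified"] for e in win)
            if distinct >= min_distinct_ratio and all_unverified:
                if best is None or len(win) > len(best):
                    best = win
        if best is not None:
            alerts.append({
                "source_ip": ip,
                "tickets": len(best),
                "distinct_requesters": len({e["requester_email"] for e in best}),
                "styled_subjects": sum(1 for e in best if styled_char_ratio(e["subject"]) > 0.5),
                "window_start": best[0]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The durable fix is on the sending side rather than the detecting side: an acknowledgement should only go to an address that has been verified as the requester's, since the auto-reply itself is the spam channel here. The detector is useful for spotting an instance that is being abused before the complaints arrive.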

Researchers at pen testing company Pentera say that threat actors are exploiting misconfigured web applications used for security training and internal penetration testing, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors.
The investigation found evidence that hackers are using this attack vector to compromise systems and deploy crypto miners, plant webshells, or pivot to sensitive systems.
The testing web apps are intentionally vulnerable and represent a serious compromise risk when exposed on the public internet and executed from a privileged cloud account.
Pentera researchers found 1,926 live, vulnerable applications exposed on the public web, often linked to overly privileged IAM (Identity and Access Management) roles and deployed on AWS, GCP, and Azure cloud environments.
According to Pentera, the exposed apps belong to multiple Fortune 500 companies, including Cloudflare, F5, and Palo Alto Networks, which received the researchers' findings and have fixed the issues.
Many of those instances exposed cloud credential sets, did not follow ‘least-privilege’ recommended practices, and in more than half of the cases, still used default credentials, allowing for easy takeover.
The credentials Pentera discovered in the investigation could give attackers full access to S3 buckets, GCS, and Azure Blob Storage, read and write permission to Secrets Manager, interact with container registries, and gain admin access to the cloud environment. (Bill Toulas / Bleeping Computer)
Related: Pentera, Silicon Angle
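The Pentera findings turn on two separate mistakes: a deliberately vulnerable app reachable from the internet, and a cloud identity behind it that violates least privilege. The second is easy to check mechanically. The following is an added example, not Pentera's tooling or any cloud provider's code: it lints AWS-style IAM policy documents for Allow statements that grant wildcard actions, whole-service wildcards (such as `secretsmanager:*`), wildcard resources, or `NotAction`, and contrasts a constructed over-broad lab policy with a constructed scoped one. Both policy documents, their `Sid` values and the bucket name are made up for the example; GCP and Azure role bindings would need their own checks.

```python
import json
from typing import Any, Dict, List

# Two constructed IAM policy documents, written to resemble what a lab
# deployment might attach to the instance or pod running a training app.
OVERBROAD_LAB_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LabAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "LabSecrets", "Effect": "Allow",
     "Action": ["secretsmanager:*"], "Resource": "*"}
  ]
}
""")

SCOPED_LAB_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::lab-demo-bucket", "arn:aws:s3:::lab-demo-bucket/*"]},
    {"Sid": "NoBucketDeletion", "Effect": "Deny",
     "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per (statement, problem) for Allow statements that
    grant wildcard actions, whole-service wildcards, or wildcard resources.
    Deny statements are skipped: a broad Deny narrows access rather than widening it."""
    findings: List[Dict[str, str]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            findings.append({"sid": sid,
                             "reason": "Allow with NotAction grants every action not listed"})
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append({"sid": sid, "reason": "Action '*' grants every API call"})
            elif action.endswith(":*"):
                service = action.split(":")[0]
                findings.append({"sid": sid,
                                 "reason": f"{action} grants every action in the {service} service"})
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append({"sid": sid,
                                 "reason": "Resource '*' applies to every resource in the account"})
    return findings


if __name__ == "__main__":
    for name, policy in [("overbroad", OVERBROAD_LAB_POLICY), ("scoped", SCOPED_LAB_POLICY)]:
        print(name, json.dumps(find_overbroad_statements(policy), indent=2))
```

Run against the over-broad policy it reports four problems (full-admin action, wildcard resource on both statements, and the whole-service secretsmanager grant); the scoped policy produces none, because its only `*` sits in a Deny. A lab app holding a role like the first policy is what turns a training exercise into the storage-bucket and Secrets Manager access the article describes.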

Indian cybersecurity firm Seqrite discovered that hackers are targeting Afghan government employees with phishing emails disguised as official correspondence from the office of the country’s prime minister.
The campaign, first detected in December, uses a decoy document crafted to resemble a legitimate government letter sent to Afghan ministries and administrative offices.
The document opens with a religious greeting and contains what appear to be official instructions related to financial reporting, along with a forged signature of a senior official within the prime minister’s office — a tactic meant to lure victims into opening the file.
Once opened, the document delivers a strain of malware dubbed FalseCub, which is designed to collect and exfiltrate data from infected computers, Seqrite said in a report released Monday.
Researchers found that the attackers relied on GitHub as a temporary hosting service for the malicious payload. A GitHub account created in late December was used to distribute the malware before the files were quietly removed once the operation concluded.
The hackers behind the campaign appear to have carried out extensive research into Afghan government institutions and entities linked to the Taliban. Seqrite identified multiple legal and administrative documents uploaded by the threat actor to the Scribd library, including Afghan government directives, Ministry of Defense communications, and U.S. asylum and human rights documents related to Afghanistan. Those materials may serve as future phishing lures, the researchers said.
The alleged threat actor used an alias — “Afghan Khan” — shared on other platforms, including Pinterest and Dailymotion, with at least one account linked to Pakistan. A shortened link used in the campaign was also uploaded from Pakistan and redirected victims to the GitHub repository hosting the malware, according to the researchers. (Daryna Antoniuk / The Record)
Related: Seqrite, SC Media, TechNadu
PcComponentes, a significant technology retailer in Spain, denied claims of a data breach on its systems impacting 16 million customers, but confirmed it suffered a credential stuffing attack.
The Spanish e-commerce company specializes in the sale of computers, laptops, peripherals, and hardware, and has an estimated 75 million unique marketplace visitors per year.
Yesterday, a threat actor named ‘daghetiaw’ published what they claimed to be a customer database stolen from PcComponentes, containing 16.3 million records. The threat actor leaked 500,000 records and offered to sell the rest to the highest bidder.
The leaked data contains order details, physical addresses, full names, phone numbers, IP addresses, product wish-lists, and customer support messages exchanged with the firm via Zendesk. (Bill Toulas / Bleeping Computer)
Related: Hudson Rock, TechNadu

Security researchers have hacked the Tesla Infotainment System and earned $516,500 after exploiting 37 zero-days on the first day of the Pwn2Own Automotive 2026 competition.
Synacktiv Team took home $35,000 after successfully chaining an information leak and an out-of-bounds write flaw to get root permissions on the Tesla Infotainment System in the USB-based attack category. They also chained three vulnerabilities to gain root-level code execution on the Sony XAV-9500ES digital media receiver, earning an additional $20,000 cash award.
Team Fuzzware.io collected another $118,000 after hacking an Alpitronic HYC50 Charging Station, an Autel charger, and a Kenwood DNR1007XR navigation receiver. At the same time, PetoWorks was awarded $50,000 for chaining three zero-day bugs to gain root privileges on a Phoenix Contact CHARX SEC-3150 charging controller.
Team DDOS also earned $72,500 for hacking the ChargePoint Home Flex, the Autel MaxiCharger, and the Grizzl-E Smart 40A vehicle charging station.
On the second day of Pwn2Own, the Grizzl-E Smart 40A will be targeted by four teams, the Autel MaxiCharger will be targeted three times, while two teams will attempt to root the ChargePoint Home Flex, each successful attempt bringing the hackers $50,000. (Sergiu Gatlan / Bleeping Computer)
Related: Zero Day Initiative, Zero Day Initiative, PCMag
AI agents arrived in Davos this week with the question of how to secure them - and prevent agents from becoming the ultimate insider threat - taking center stage during a panel discussion on cyber threats.
"We have enough difficulty getting the humans trained to be effective at preventing cyberattacks. Now I've got to do it for humans and agents in combination," Pearson Chief Technology Officer Dave Treat said.
Pearson is a global education and training company, and Treat was speaking during the question-and-answer part of the panel as an audience member, not a panelist. Like many companies, Pearson is introducing AI agents into its environments, Treat said.
This opens up a whole new set of challenges for organizations that don't want to miss out on the efficiency gains that AI agents can provide - but they also don't want these agents to access data and systems that should be off limits to them, or perform tasks that can harm the business or individuals.
AI agents, Treat said, "tend to want to please. How are we creating and tuning these agents to be suspicious and not be fooled by the same ploys and tactics that humans are fooled with?"
"With agents, you need to think about them as an extension of your team, an extension of your employee base," Cloudflare co-founder and president Michelle Zatlyn said, speaking on the Davos panel. "Organizations are adopting zero trust for their employees. The same thing will happen with agents."
Hatem Dowidar, group CEO of e&, an Emirati state-owned communications, technology, and investment group, suggested more guardrails and guard agents to monitor their AI minions. (Jessica Lyons / The Register)
Related: Business Insider, PYMNTS, Fortune, Time Magazine
Israeli cybersecurity unicorn Claroty, which develops technology to protect critical infrastructure, announced that it raised $150 million in a Series F venture funding round.
Golub Growth led the round with participation from existing investors. (Meir Orbach / CTech)
Related: FinSMEs, Claroty, Ynetnews
Best Thing of the Day: Always Listen to Eva
Eva Galperin, cybersecurity director of Electronic Frontier Foundation, explains how to use a process called “threat modeling” to protect your online privacy in a way that’s practical rather than paranoid.
Worst Thing of the Day: Musk Wins the Non-Consensual Porn Award
Elon Musk’s artificial intelligence chatbot, Grok, created and then publicly shared at least 1.8 million sexualized images of women, and 23,000 sexualized images of children, according to separate estimates of X data by The New York Times and the Center for Countering Digital Hate.
Closing Thought
