Critical vulnerabilities in n8n, Italy in the crosshairs of phishing and ransomware activity, the latest from China
n8n: critical vulnerabilities with high operational impact
In recent days, the open-source workflow automation platform n8n has been in the spotlight following the disclosure and analysis of multiple critical vulnerabilities affecting exposed cloud and on-premise instances. Attention has centered on CVE-2026-21858 (CVSS 10.0), nicknamed Ni8mare, an Improper Input Validation flaw that can be exploited without authentication: through incorrect handling of the “Content-Type” header it can lead to arbitrary file reading and remote code execution (RCE). Alongside it are CVE-2026-21877 (CVSS 10.0), an Unrestricted Upload of File with Dangerous Type that enables RCE, and CVE-2025-68668 (CVSS 9.9), nicknamed N8scape, a Protection Mechanism Failure fixed in December 2025 that allows sandbox bypass and execution of arbitrary commands under specific conditions. Both are exploitable by authenticated users, and both affect workflow execution and sandboxing mechanisms, significantly expanding the platform’s attack surface. Rounding out the picture is CVE-2025-68613 (CVSS 9.9), an Improper Control of Dynamically-Managed Code Resources issue, also disclosed and fixed in December 2025, which confirms a recent trend of high-impact vulnerabilities capable of leading to full compromise of n8n instances that are exposed or not adequately updated.
A public Proof-of-Concept (PoC) exploit demonstrates that CVE-2026-21858 can be chained with CVE-2025-68613 to achieve unauthenticated RCE. On January 7, 2026, the attack surface management platform Censys stated it had identified 26,512 exposed n8n hosts, most of them located in the United States (7,079), Germany (4,280), France (2,655), Brazil (1,347) and Singapore (1,129).
Italy: new phishing campaigns and ransomware claims
In the past week, several phishing operations have been detected in Italy. A new campaign themed on the Agenzia delle Entrate induces potential victims to fill out a “Cryptocurrency Tax Return” on a fraudulent page in order to steal cryptocurrency wallet data. A fake Ministry of the Interior portal has been used in a residence permit-themed operation to steal victims’ data, usable for identity theft or fraud targeting foreigners. Students and staff of the University of Brescia (UNIBS) are targeted by a campaign aiming to steal their institutional credentials via a page that mimics the university’s Single Sign-On (SSO). Emails themed on health card renewal, abusing the logos and names of the Sistema Tessera Sanitaria and the Ministry of Health, direct victims to a fake portal designed to collect personal information, including full name, date of birth, residential address, phone number and email address. Finally, an INPS-themed smishing campaign aimed at stealing personal data has been tracked. Added to these is news of a cyber attack on the digital health reporting system of Area 3 (formerly Asl3 Genoa), managed by an external provider, which caused temporary limitations to the affected services. There are reportedly no public indications of any compromise of health data, nor technical details on how the attack was carried out.
Turning to the ransomware landscape, six Italian entities are the subject of claims: Nova stated it compromised Saplog, operating in national and international freight transport; Brotherhood claimed Italgrafica Sistemi, a company within the Konig Print Group specialized in the design and printing of adhesive labels and tags; Akira Team claimed Labeltex Group S.r.l., active in the production of textile and printed labels for the fashion and industrial sectors; Qilin Team claimed Cressi, operating in the design and production of equipment for underwater activities, and Softlab S.p.A., listed on the Milan Stock Exchange and active internationally in Business Advisory, ICT Consulting and Digital Entertainment; TA505 claimed Mutti S.p.A., a historic Italian company headquartered in Parma and a leader in tomato processing and in the production of preserves and derivatives.
China: attacks detected against Taiwan, GhostEmperor compromises, and an intrusion based on alleged 0-day exploits
Over the course of 2025, Taiwanese intelligence authorities detected a systematic and continuous intensification of cyber operations conducted by China against the country’s critical infrastructure, with an average of 2.63 million intrusion attempts per day across nine strategic sectors, up 6% compared to 2024. The most impacted sector is energy (+1,000%), followed by emergency response and healthcare (+54%), while the communications and broadcasting sectors recorded an increase of 6.7%. Attacks against administrative agencies are instead decreasing, albeit slightly, as are those against the financial and water resources sectors. The activity, which mainly consists of exploitation of hardware vulnerabilities, targeted social engineering campaigns, DDoS offensives and supply chain attacks, is attributed to five Chinese groups (Radio Panda, Flax Typhoon, Mustang Panda, Axiom and UNC3886), each with a distinct but complementary sector focus.
Also related to China, a well-known British financial newspaper reportedly learned from a person familiar with the matter that the Beijing-linked APT GhostEmperor (Salt Typhoon) had access to the email systems used by some staff members of the U.S. House of Representatives China committee, as well as by aides to the Foreign Affairs, Intelligence and Armed Services committees. The intrusions were reportedly detected in December 2025. The spokesperson for the Chinese embassy, Liu Pengyu, reportedly issued a public statement condemning what he called “speculation and unfounded accusations”.
Finally, in December 2025 a sophisticated intrusion was identified that culminated in the execution of alleged 0-day exploits against VMware ESXi hypervisors, using a compromised SonicWall VPN as the initial access vector. The adversary used an orchestrator binary (exploit.exe, tracked as MAESTRO) to prepare the environment and coordinate the hypervisor exploitation chain, including the deployment of drivers and auxiliary tools. Analysis of the identified toolkit reveals Simplified Chinese strings in development paths, as well as evidence that the exploit was likely developed as a 0-day more than a year before VMware’s public disclosure, pointing to a well-organized developer operating in a Chinese-speaking region.
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while acting as a reliable partner in the event of a cyber incident.
