TOP STORY: Microsoft’s First 2026 Patch Tuesday Ships 114 Fixes and a KEV-Listed Windows Zero-Day Microsoft’s January 2026 Patch Tuesday delivered fixes for 114 vulnerabilities across Windows, Office, Azure, Edge, SharePoint, SQL Server, and related components, including eight Critical bugs and one actively exploited flaw now in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The KEV-listed Windows vulnerability, tracked as CVE-2026-20805, and a high‑priority VBS Enclave privilege escalation bug (CVE-2026-20876) give attackers powerful options for privilege escalation and deep persistence on enterprise fleets if left unpatched. The Threat: Unpatched endpoints and servers are exposed to privilege escalation, information disclosure, and remote code execution paths that can be chained with phishing or browser exploits to obtain domain-level access and evade EDR controls.
The Status: Patches are available via Windows Update, WSUS, Intune, and manual download; CISA has added CVE-2026-20805 to KEV with a mandated remediation deadline for U.S. federal agencies, effectively setting an urgency benchmark for all enterprises.
Mitigation: Prioritise rapid rollout of January 2026 updates to admin workstations, domain controllers, virtualization hosts, and high-value servers, and verify that Secure Boot–related updates and VBS Enclave fixes are successfully deployed and reported as compliant in your patch management tools.
CRITICAL PATCHES (CVE WATCH)
Microsoft Windows (https://cvedatabase.com/cve/CVE-2026-20805) - CVSS 8.7 Issue: A Windows vulnerability tracked as CVE-2026-20805 is being actively exploited and has been added to CISA’s KEV catalog; successful exploitation can allow attackers to elevate privileges and support chained attacks against Windows environments.
Action: Treat this as an emergency; deploy the January 2026 cumulative update to all supported Windows versions, validate installation status via WSUS/Intune/Defender for Endpoint reports, and prioritise internet-facing systems and privileged admin devices.
Windows VBS Enclave (https://cvedatabase.com/cve/CVE-2026-20876) - CVSS 6.7 Issue: CVE-2026-20876 is a privilege escalation flaw in Windows Virtualization-Based Security (VBS) Enclave that can grant attackers VTL2-level privileges, enabling subversion of security controls and long-term stealthy persistence.
Action: Include this in your first wave of January patching for all VBS-enabled workloads, especially virtualized infrastructure and high-value servers, and confirm that virtualization hosts and hardened admin jump boxes receive and apply the fix.
Microsoft Office (https://cvedatabase.com/cve/CVE-2026-20952) - CVSS 8.8 Issue: CVE-2026-20952 is one of at least two Critical remote code execution vulnerabilities in Microsoft Office that can be triggered via malicious content, potentially allowing code execution in the context of the user opening crafted documents.
Action: Patch Office desktop and server workloads (including RDS/VDI images) as soon as possible and reinforce macro and attachment controls in email gateways and Defender/third‑party EPP while updates roll out.
Microsoft Office (https://cvedatabase.com/cve/CVE-2026-20953) - CVSS 8.8 Issue: CVE-2026-20953 is another Critical Office remote code execution issue highlighted by Cisco Talos, increasing the attack surface for document-based phishing and malspam campaigns.
Action: Ensure all Office channels (Monthly/Current/Enterprise) are updated, rebaseline gold images, and monitor for malicious document execution via EDR rules and mail flow reports.
SAP S/4HANA (https://cvedatabase.com/cve/CVE-2026-XXXX) - CVSS 9.9 Issue: SAP’s January Security Patch Day included a critical SQL injection vulnerability in S/4HANA Private Cloud and On‑Premise (Financials – General Ledger) with a CVSS score of 9.9, which could allow low‑privileged users to fully compromise affected systems.
Action: Apply the relevant SAP HotNews note to all S/4HANA Financials instances, restrict direct database access, and review ABAP and application logs for suspicious queries originating from low-privilege accounts.
BREACH BRIEFING
NordVPN (Third-Party Test Environment Disclosure Claims): A threat actor claimed to have stolen databases containing API keys and Jira tokens allegedly tied to NordVPN, but the company stated that the leaked data originated from a temporary third-party automated testing environment using dummy information and never touched production systems or real customer data. NordVPN reported that the environment had already been decommissioned and emphasised that no live credentials, business data, or source code were exposed, highlighting the ongoing risks of SaaS test environments and CI/CD integrations.
TRENDS & ANALYSIS
1. KEV Growth and Patch Tuesday Convergence CISA’s decision to add CVE-2026-20805 to the KEV catalog during the same week as Microsoft’s January Patch Tuesday underscores how quickly newly disclosed Windows vulnerabilities move from patch notes to active exploitation. For defenders, KEV alignment plus Patch Tuesday triage is becoming a single workflow: if a Microsoft CVE appears in KEV, it should automatically jump to the top of the patch queue and be tracked as an SLA-backed issue rather than a routine update.
ONE ACTION ITEM
Align Patch Tuesday with CISA KEV
Why: This week’s addition of CVE-2026-20805 to KEV alongside the 114‑vulnerability Microsoft release shows that attackers are exploiting Windows flaws almost immediately, and KEV entries now function as an external “must patch now” flag for critical infrastructure and enterprise environments.
Action:
- Inventory all January 2026 Microsoft CVEs in your environment and cross‑check them against the current CISA KEV catalog, tagging overlapping assets as top-priority in your vulnerability management tool.
- Implement an operational runbook so that every future Patch Tuesday includes an automatic KEV comparison, with clear SLAs (for example 7 days) for remediating any KEV‑listed Microsoft vulnerabilities on internet-facing and privileged systems.
Stay safe and patch often https://www.cvedatabase.com