
Sunday Sweep: The Automation Platform, The Dead Router, and The Meeting App

  • Writer: Patrick Duggan
  • Jan 11
  • 4 min read


Three Gaps, Three Shovels


Our Sunday morning sweep found holes in our coverage. Time to fill them.





1. n8n: Two CVSS 10.0s Walk Into a Webhook


If you run n8n for workflow automation, stop reading and patch first.



CVE-2026-21858: The Content-Type Confusion


CVSS: 10.0 - It doesn't get worse than this.



| Field | Value |
|---|---|
| Affected | n8n < 1.121.0 |
| Attack | Unauthenticated RCE |
| Vector | Webhook endpoint |
| Complexity | Low |


The Attack Chain:


  1. Send HTTP request with crafted Content-Type header

  2. Override req.body.files object (no actual file upload needed)

  3. Read arbitrary local files from server

  4. Extract SQLite database: /home/node/.n8n/database.sqlite

  5. Harvest admin credentials

  6. Retrieve encryption secrets from /home/node/.n8n/config

  7. Forge valid admin session cookies

  8. Create malicious workflow with "Execute Command" node

  9. Full system compromise

Security researcher Dor Attias: "Since this function is called without verifying the content type is 'multipart/form-data,' we control the entire req.body.files object."


The n8n webhook handler doesn't verify that the request's Content-Type header matches the parser that populated the request body, so a caller-supplied body shapes what the handler believes was uploaded. Classic confusion bug, catastrophic impact.
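The pattern above, as an added example that is not n8n's own code: a simplified webhook-handler model in which the vulnerable version trusts whatever the body parser put on `req.body.files`, and the hardened version accepts file metadata only for a genuine multipart request and only from the multipart parser's output. The request shape `{headers, body, parsedFiles}`, the `insideDir` helper and the `UPLOAD_DIR` value are assumptions; paths are treated as POSIX strings.

```javascript
// Added example, not n8n's own code: a simplified webhook handler model
// showing the Content-Type confusion pattern and a hardened version.
// Request shape {headers, body, parsedFiles} and the upload directory are
// assumptions; paths are treated as plain POSIX strings (no symlink checks).

// Vulnerable pattern: whatever the generic body parser placed on req.body is
// trusted, so a JSON body carrying a "files" key is treated as real uploads
// and its caller-chosen paths are later opened as if they were temp files.
function filesFromRequestVulnerable(req) {
  return req.body && req.body.files ? req.body.files : {};
}

// True only when filePath sits under dir and contains no ".." segment.
function insideDir(filePath, dir) {
  const prefix = dir.endsWith('/') ? dir : dir + '/';
  return filePath.startsWith(prefix) && !filePath.split('/').includes('..');
}

// Hardened pattern: file metadata is accepted only when the request really
// was multipart/form-data, only from the multipart parser's own output
// (never from the decoded body), and only for temp files inside uploadDir.
function filesFromRequestHardened(req, uploadDir) {
  const ct = String((req.headers && req.headers['content-type']) || '').toLowerCase();
  if (!ct.startsWith('multipart/form-data')) {
    return {}; // no upload took place, so there is nothing to read
  }
  const accepted = {};
  for (const [field, file] of Object.entries(req.parsedFiles || {})) {
    if (!file || typeof file.path !== 'string') continue;
    if (!insideDir(file.path, uploadDir)) continue;
    accepted[field] = file;
  }
  return accepted;
}

// Constructed requests: a JSON body that smuggles a "files" object (the
// confusion case) and a genuine multipart upload recorded by the parser.
const UPLOAD_DIR = '/tmp/uploads';
const smuggled = {
  headers: { 'content-type': 'application/json' },
  body: { files: { data: { path: '/home/node/.n8n/database.sqlite' } } },
};
const genuine = {
  headers: { 'content-type': 'multipart/form-data; boundary=xyz' },
  body: {},
  parsedFiles: { data: { path: '/tmp/uploads/upload-1.bin', size: 12 } },
};
```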



CVE-2026-21877: The Git Node Gambit


CVSS: 10.0 - Yes, another one.



| Field | Value |
|---|---|
| Affected | n8n 0.123.0 to < 1.121.3 |
| Attack | Authenticated RCE |
| Vector | Git node functionality |
| Complexity | Low |


"Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service."


If you give users access to n8n workflows, any of them can pop the box.



Why n8n Matters


  • OAuth tokens for every connected service

  • Database credentials

  • API keys

  • Webhook secrets

  • The keys to your entire automation kingdom

One compromised n8n instance = lateral movement buffet.



Patch Now



| Version | Status |
|---|---|
| < 1.121.0 | Vulnerable to both |
| 1.121.0 - 1.121.2 | Vulnerable to CVE-2026-21877 |
| 1.121.3+ | Patched |
| 1.123.10+ | Patched |
| 2.1.5+ | Patched |


  • Disable the Git node

  • Restrict access to trusted users only

  • Put it behind a VPN




2. D-Link: The Routers That Won't Die (But Should)



CVE-2026-0625: Command Injection in Dead Hardware


CVSS: 9.3 - Actively exploited in the wild.



| Field | Value |
|---|---|
| Affected | DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B |
| Attack | Unauthenticated RCE |
| Vector | dnscfg.cgi endpoint |
| Status | No patch. EOL since 2020. |


  • 2020: D-Link EOLs these routers

  • Nov 27, 2025: Shadowserver detects exploitation

  • Dec 16, 2025: VulnCheck reports active attacks

  • Jan 2026: Still being exploited


The Attack



```http
POST /dnscfg.cgi HTTP/1.1
Host: <router_ip>
Content-Type: application/x-www-form-urlencoded

dns1=8.8.8.8;whoami;&dns2=8.8.4.4
```


The DNS configuration parameters are handed to the shell unsanitized: a semicolon ends the intended command and starts the attacker's.
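Since these devices will never be patched, the practical control is to catch attempts at the edge. The following is an added example, not part of the original post: a scanner for access-log lines that flags dnscfg.cgi requests whose dns1/dns2 values are anything other than a plain IPv4 address, using the same strict check the firmware should have applied. The log format (client, `"METHOD URL PROTO"`, status, bytes, then the decoded POST body after `body=`) and the sample lines are constructed assumptions; adapt `checkLine`'s regex to your own proxy or WAF logs.

```javascript
// Added example, not from the original post: flag dnscfg.cgi requests whose
// dns1/dns2 values are not plain IPv4 addresses. The log line format
// (client, "METHOD URL PROTO", status, bytes, then the decoded POST body
// after "body=") is a constructed assumption.

// Strict dotted-quad IPv4, the only legitimate content of a DNS server field.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Shell metacharacters that turn a DNS field into a command (the ';' above).
const SHELL_META = /[;|&`$(){}<>\n\r]/;

// Parse an application/x-www-form-urlencoded body into a key/value map,
// percent-decoding values so encoded metacharacters are not missed.
function parseForm(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? '' : pair.slice(eq + 1).replace(/\+/g, ' ');
    try { params[key] = decodeURIComponent(raw); } catch { params[key] = raw; }
  }
  return params;
}

// Returns human-readable findings for one log line ([] when clean).
function checkLine(line) {
  const m = line.match(/^(\S+) \S+ "(\w+) (\S+) [^"]*" \d+ \d+ body=(.*)$/);
  if (!m) return [];
  const [, src, method, url, body] = m;
  if (!url.startsWith('/dnscfg.cgi')) return [];
  const params = parseForm(body);
  const findings = [];
  for (const key of ['dns1', 'dns2']) {
    const value = params[key];
    if (value === undefined) continue;
    if (SHELL_META.test(value)) {
      findings.push(`${src} ${method} ${url}: ${key} has shell metacharacters (${value})`);
    } else if (!IPV4.test(value)) {
      findings.push(`${src} ${method} ${url}: ${key} is not an IPv4 address (${value})`);
    }
  }
  return findings;
}

function scan(lines) { return lines.flatMap(checkLine); }

// Constructed sample log: the injection attempt from the request above, a
// percent-encoded variant, one legitimate change and one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - "POST /dnscfg.cgi HTTP/1.1" 200 512 body=dns1=8.8.8.8;whoami;&dns2=8.8.4.4',
  '203.0.113.7 - "POST /dnscfg.cgi HTTP/1.1" 200 512 body=dns1=8.8.8.8%3Bid&dns2=8.8.4.4',
  '192.168.1.20 - "POST /dnscfg.cgi HTTP/1.1" 200 512 body=dns1=1.1.1.1&dns2=9.9.9.9',
  '192.168.1.20 - "GET /status.cgi HTTP/1.1" 200 100 body=',
];
```

Note that most access logs do not record POST bodies; the check is only useful where a reverse proxy, WAF or packet capture in front of the router makes the body available.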



What Attackers Do With Your Router



| Use Case | Impact |
|---|---|
| DNS hijacking | Redirect all traffic to attacker-controlled servers |
| Botnet recruitment | DDoS attacks, crypto mining |
| Traffic interception | Steal credentials, inject malware |
| Lateral movement | Pivot into internal network |
| Proxy services | Hide attack origin |



The GhostDNS Connection


This vulnerability is in the same family as GhostDNS and DNSChanger campaigns that compromised millions of routers from 2016-2019. The PyPhp variant operated across 100+ C2 servers with scripts targeting routers on both public internet and internal networks.


History is rhyming.



The Only Fix


Replace the router.


There is no patch. There will never be a patch. D-Link stopped supporting these devices in 2020.


Affected firmware versions:

  • DSL-526B ≤ 2.01

  • DSL-2640B ≤ 1.07

  • DSL-2740R < 1.17

  • DSL-2780B ≤ 1.01.14

Unplug it. Today.





3. Zoom: The DLL That Wasn't There



CVE-2025-49457: Privilege Escalation via DLL Hijacking


CVSS: 9.6 - Windows only. Patched. No active exploitation.



| Field | Value |
|---|---|
| Affected | Zoom for Windows < 6.3.10 |
| Attack | DLL hijacking |
| Vector | Network share |
| Complexity | Medium |



The Attack


When an application loads a DLL by name rather than by full path, Windows searches these locations in order:

  1. Application directory

  2. System directories

  3. PATH directories

  4. Network shares

An attacker places a malicious DLL on a network share. The user triggers Zoom to load that DLL, and the attacker's code runs with the user's permissions.



Affected Products


  • Zoom Workplace for Windows < 6.3.10

  • Zoom Workplace VDI for Windows < 6.3.10

  • Zoom Rooms for Windows < 6.3.10

  • Zoom Rooms Controller for Windows < 6.3.10

  • Zoom Meeting SDK for Windows < 6.3.10


Credit Where Due


Zoom's internal Offensive Security team found this proactively. That's how it should work.



Patch Status


Fixed in version 6.3.10. Update and move on.





The Pattern



| Vulnerability | Root Cause | Status |
|---|---|---|
| n8n CVE-2026-21858 | Input validation failure | Patch available |
| n8n CVE-2026-21877 | Insufficient access control | Patch available |
| D-Link CVE-2026-0625 | Input validation failure | No patch ever |
| Zoom CVE-2025-49457 | Insecure DLL loading | Patched |


Three of four have patches. One never will.


The D-Link routers are the real story. They've been dead since 2020, but they're still on networks, still internet-facing, still being exploited. Every one is a ticking time bomb.





Detection



n8n Exploitation Indicators


  • Unusual webhook traffic patterns

  • Access to /home/node/.n8n/database.sqlite

  • Unexpected workflow creation

  • "Execute Command" nodes you didn't create

  • Session cookie anomalies


D-Link Exploitation Indicators


  • DNS settings changed without authorization

  • Traffic redirected to unknown servers

  • Outbound connections to C2 infrastructure

  • Unusual bandwidth consumption


Zoom DLL Hijacking


  • Zoom processes loading DLLs from network shares

  • Unexpected DLL files in Zoom directories

  • Privilege escalation attempts post-Zoom launch




Recommendations



Immediate (Today)


  1. Patch n8n to 1.121.3 or later

  2. Replace D-Link DSL routers - no exceptions

  3. Update Zoom to 6.3.10 or later


This Week


  1. Audit network for EOL devices

  2. Review n8n workflow permissions

  3. Enable auto-update for Zoom clients


Ongoing


  1. Maintain inventory of network devices with EOL dates

  2. Establish replacement timeline before EOL hits

  3. Monitor threat intel for active exploitation




STIX Feed Updated


These CVEs are now tracked in our feed:



```shell
curl https://analytics.dugganusa.com/api/v1/stix-feed
```






The Uncomfortable Truth


The n8n vulnerabilities will get patched. The Zoom vulnerability already is.


But those D-Link routers? They're still out there. In homes. In small businesses. In places where "it still works" trumps "it's a security risk."


Six years after EOL. Still exploited. Still no fix coming.


The lesson isn't about any single CVE. It's about the infrastructure we forget exists until someone else remembers it for us.






Her name is Renee Nicole Good.

