Bulletin — January 2026

January 2026 opens with two anniversaries and one closure. DORA turns one on the 17th: national authorities wind down the informal grace period and start active inspection, with 19 CTPPs designated since November pending the first binding recommendations. DeepSeek-R1 turns one on the 20th: V4 doesn’t arrive as expected, but the lab ships Engram and an updated R1 paper, and Moonshot AI closes the month with Kimi K2.5 multimodal plus agent swarm. In between: Patch Tuesday with a DWM zero-day, two pre-auth RCEs in Ivanti EPMM exploited from 29 January, and Trump opening litigation against state AI laws with the AI Litigation Task Force.

Six notes and a handful of bullets.

DORA — one year of applicability, end of the grace period

17 January. The Regulation (EU) 2022/2554 — DORA hits its first anniversary of applicability. National authorities (Banco de España, CNMV, DGSFP in Spain; equivalents in each member state) confirm during the month the end of the informal 2025 grace period and start active inspection, with the expectation of first sanctions for reporting failures and deficient Register of Information during 2026. The first formal enforcement actions are expected within the year’s supervisory cycle.

The year-one balance is in the dedicated technical. Worth keeping from here: three loose ends from last year closed — final RTS TLPT (July 2025), NIS2 transposition in Spain (second half of 2025), official CTPP list (18 Nov 2025). Two new items pending for 2026: first cycle of JOC binding recommendations to CTPPs designated during H2-2026, and first cycle of TLPTs executed with final deadline 17 January 2028.

What changes operationally: national authorities move from document review to automated cross-check of the Register of Information across entities, with the second submission due in April 2026 (reference date 31 March 2026). An entity whose Register hasn’t materially improved against the 2025 submission gets a supervisory flag.

Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

DeepSeek — Engram, updated R1 and the wait for V4

January. Three releases that shift the end-of-year DeepSeek arc anticipated in December’s bulletin:

• 7 January. Updated R1 paper (arxiv 2501.12948). Updated version with refined evaluation methodology, comparisons against Claude 4.5 Opus, GPT-5.5 and Qwen3.5, clarifications on the RL pipeline with Group Relative Policy Optimization (GRPO) and on the cold start with supervised fine-tuning.

• 12 January. Engram paper (arxiv 2601.07372). Conditional Memory via Scalable Lookup: A New Axis of Sparsity for Large Language Models. Repo at github.com/deepseek-ai/Engram under Apache 2.0. Introduces a conditional memory module with O(1) N-gram-based lookup as an axis complementary to Mixture-of-Experts. Scales to 27B parameters with gains over the MoE baseline: MMLU +3.4, BBH +5.0, HumanEval +3.0, MATH +2.4. Operational reading: DeepSeek separates static retrieval from dynamic computation — a pattern with implications for both attack surface (memory poisoning, adversarial knowledge sanitization) and defensive sanitization.

• MODEL1 in the repo. Developers spot internal references to “MODEL1” in code and commits after Engram. It’s the V4 preview. DeepSeek had hinted at a release around Lunar New Year (17 February) but it ends up slipping to 24 April.

Full analysis of the open-weights frontier in the month’s extra. Worth keeping from here: a year after R1, the pattern frontier model accessible in weights is no longer exceptional — it’s a category. What changes is the architectural ambition (Engram, agent swarm via PARL, native multimodal) and the release cadence.

Sources: https://arxiv.org/abs/2601.07372 · https://github.com/deepseek-ai/Engram · https://arxiv.org/abs/2501.12948

Kimi K2.5 — Moonshot AI opens the multimodal + agent swarm front in open weights

27 January. Moonshot AI releases Kimi K2.5 under MIT licence on Hugging Face. Mixture-of-Experts with 1T total parameters, 32B activated per token, 256K context, natively multimodal with its own encoder MoonViT (400M parameters), continued pretraining over 15T text+vision tokens on top of Kimi-K2-Base.

The methodological novelty is PARL — Parallel Agent Reinforcement Learning. Moonshot trains the model to break a task into parallel sub-tasks and delegate to up to 100 coordinated sub-agents. They report reductions of up to 4.5× in execution time on long-horizon workflows (research, long-form writing, batch downloads).

For AI security, two immediate consequences:

1. Multimodal frontier in open weights. Until January, frontier open-weights models were text-only or limited text+image. K2.5 is natively multimodal with capability comparable to GPT-4o or Gemini in vision, with weights available. Adversarial visual prompt injection moves from black-box research against APIs to white-box research against the weights.
2. Agent swarm in open weights. Until January, agents with parallel orchestration were a closed capability (ChatGPT Agents, Claude with tools, Operator). K2.5 carries the swarm inside the model and with weights. Sub-agent prompt injection, confused deputy in swarms, adversarial persistence via shared planning — they all become reproducible research.

Hugging Face describes the release as “another DeepSeek moment”. The pattern: Chinese open-weights with capabilities close to frontier, MIT licence, explosive downloads. December’s bulletin closed with the argument that open-weights frontier was already a category; K2.5 confirms it.

Technical detail in this month’s extra.

Sources: https://huggingface.co/moonshotai · https://www.kimi.com/ai-models/kimi-k2-5 · https://www.infoq.com/news/2026/02/kimi-k25-swarm/

Ivanti EPMM — pre-auth RCE (CVE-2026-1281, CVE-2026-1340) exploited on 29 January

29 January. Ivanti publishes a security advisory on CVE-2026-1281 and CVE-2026-1340 in Endpoint Manager Mobile (EPMM, formerly MobileIron Core). Two pre-authentication RCEs, CVSS 9.8 each, exploited as zero-day before disclosure. Publicly confirmed compromises include the European Commission, the Dutch Data Protection Authority, the Council for the Judiciary (Rvdr) and Valtori (the Finnish government’s central ICT service).

Technical vector: both are command injection via Apache RewriteMap configurations in legacy bash scripts that process HTTP GET parameters on specific endpoints:

• CVE-2026-1281 — /mifs/c/appstore/fob/... (In-House Application Distribution feature, script map-appstore-url)
• CVE-2026-1340 — /mifs/c/aftstore/fob/... (Android File Transfer Configuration feature, script map-aft-store-url)

Both use bash arithmetic expansion — manipulating the st and h parameters that the script evaluates via array index syntax — to inject commands. No authentication required, no user interaction, just a GET request with crafted parameters.

What incident responders (Unit 42, Horizon3.ai, watchTowr, Tenable, Rapid7) observe about payloads deployed during mass exploitation:

• Reverse shells from the host.
• JSP web shells in /mi/tomcat/webapps/mifs/ (typically 401.jsp, 403.jsp, 1.jsp).
• Nezha monitoring agent — an open-source server monitoring utility — configured to fetch from Gitee on China-located victims and GitHub elsewhere. It’s the operational tool the attacker uses to keep visibility.
• Sleep injection to verify vulnerability without a final payload — pre-recon.
• Dormant backdoors designed for post-patch persistence.

The patch is version-specific, not vulnerability-specific — Ivanti emits RPM 12.x.0.x or 12.x.1.x depending on the customer version, with no declared downtime. Standard operational guidance: apply the patch immediately, review logs for prior exploitation indicators (POSTs to the /fob/ endpoints, unexpected .jsp files in /mi/tomcat/webapps/mifs/, outbound connections to unexpected IPs).

Continuity: Ivanti repeats the pattern from January 2024 with Connect Secure. Same vendor, same calendar month, same bug category (pre-auth auth bypass / command injection on an administrative interface), same victim profile (European governments, financial institutions, MSSPs).

Sources: https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/ · https://horizon3.ai/attack-research/vulnerabilities/cve-2026-1281-cve-2026-1340/ · https://watchtowr.com/resources/ivanti-epmm-in-the-wild-exploitation-cve-2026-1281-cve-2026-1340/ · https://www.helpnetsecurity.com/2026/01/30/ivanti-epmm-cve-2026-1281-cve-2026-1340/

Patch Tuesday — 114 CVEs and a DWM zero-day (CVE-2026-20805)

13 January (second Tuesday of the month). Microsoft’s Patch Tuesday covers 114 CVEs including one zero-day actively exploited and two zero-days publicly disclosed beforehand.

CVE-2026-20805 — Windows Desktop Window Manager (DWM). Local pre-auth information disclosure. Allows an attacker with low local privileges to read remote memory information from an ALPC port supporting a bypass of Address Space Layout Randomization (ASLR). The bug isn’t direct RCE; it’s the first step in a chain: memory leak + separate RCE bug → reliable exploit against ASLR. Exploitation needs local access with low privileges and zero user interaction; viable for attackers already on the system.

The two zero-days disclosed but not exploited at the time of the patch are elevation of privilege bugs in native Windows soft modem drivers: CVE-2023-31096 (Agere Soft Modem Driver) and CVE-2024-55414 (Windows Motorola Soft Modem Driver). Notable for the age of CVE-2023-31096 — a legacy driver vulnerability that didn’t get patched until three years after publication.

CISA adds CVE-2026-20805 to KEV the same day with a 3 February due date for federal entities.

Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/ · https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805 · https://www.csoonline.com/article/4116437/january-2026-microsoft-patch-tuesday-actively-exploited-zero-day-needs-attention.html

Trump — AI Litigation Task Force operational on 10 January

10 January. The AI Litigation Task Force within the Department of Justice, established by the 11 December 2025 Executive Order Ensuring a National Policy Framework for Artificial Intelligence, becomes operational. The Task Force has a mandate to challenge state AI laws in federal court under Commerce Clause, federal preemption and Spending Clause arguments.

Context: on 1 January 2026 several substantial state AI laws come into force, particularly Colorado AI Act (sec. 6-1-1701 et seq.), California SB 1047 replaced by SB 53 (Frontier AI Transparency Act), Texas TRAIGA and Utah AI Policy Act. These laws impose bias audit, impact assessment, disclosure and transparency obligations that the Trump federal legislator considers incompatible with federal AI policy.

For deployers operating in the US, the operational consequence: multi-state compliance calculations in 2026 turn volatile. An entity can find itself with contradictory obligations between the Colorado AI Act (aligned with OECD AI Principles) and the federal Removing Barriers policy from January 2025. The Task Force will look for test cases that generate federal precedent.

In parallel, the National Policy Framework for Artificial Intelligence — programmatic content complementary to the EO — is published on 20 March 2026 with specific recommendations on data infrastructure buildout, intellectual property and explicit preemption of “undue state burdens”.

For European entities with US presence, the operational follow-up: monitor litigation timelines in federal courts (particularly Ninth Circuit and Fifth Circuit), evaluate how it affects the operational calendar of DORA-style compliance for US deployments, and consider whether EU AI Act GPAI obligations will diverge further from the US framework during 2026.

Sources: https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/ · https://www.kslaw.com/news-and-insights/new-state-ai-laws-are-effective-on-january-1-2026-but-a-new-executive-order-signals-disruption

Rest of the month — bullets

• 5 January. BeyondTrust keeps echoing a year on. Greynoise reports reconnaissance activity against the /nw WebSocket path on port 443 from a Polish hosting provider — the same RCE + PostgreSQL SQLi chain that Silk Typhoon used against US Treasury in December 2024 (CVE-2024-12356 and CVE-2024-12686). Variant CVE-2026-1731 issued during the month. Initial victims aren’t published yet. Microsoft Threat Intelligence reports that Silk Typhoon keeps shifting target from US government to global IT supply chain, particularly RMM and MSPs. Source: https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731

• 7 January. CISA adds two vulnerabilities to KEV: CVE-2009-0556 (Microsoft Office PowerPoint Code Injection — a 17-year-old bug still seen in phishing chains) and CVE-2025-37164 (HPE OneView Code Injection). The batch includes six additional adds during the month with a focus on legacy software. Source: https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog

• 7-10 January. CES 2026 in Las Vegas. Security-relevant announcements: Automotive CIS (Cybersecurity Infrastructure Standard) launched by a consortium of manufacturers with Autocrypt leading — the first unified standard for software-defined vehicles, AI mobility and post-quantum readiness. NVIDIA announces availability of the Vera Rubin NVL72 system focused on large model inference. Samsung presents an AI Trust and Security framework for consumer devices. Source: https://www.ces.tech/press-releases/ces-2026-the-future-is-here

• 20 January. Hugging Face publishes One Year Since the DeepSeek Moment — a retrospective of the open-weights year. Key data: Qwen accumulates 700M+ downloads on HF (the most downloaded open-weights family on the platform), DeepSeek-R1 is the most-liked model in history, Baidu goes from 0 to 100+ releases in 2025, ByteDance and Tencent multiply their releases x8-x9, 15% of the global model ecosystem already comes from Chinese labs (vs 1% at the end of 2024).

• During the month. AESIA (Spain’s AI Supervisory Agency) starts the first cycle of exploratory market surveillance on Annex III high-risk products planned for the 2 August 2026 date. No sanctions yet — exploratory cycle. The GPAI providers who signed the Code of Practice (Amazon, Anthropic, Google, IBM, Microsoft, OpenAI, xAI partially) coordinate with the AI Office of the Commission via the Signatory Taskforce.

• 22 January. CISA adds four more vulnerabilities to KEV focused on network appliances. The aggregated KEV directory for January closes the month with +14 entries over the start.

• During the month. Banco de España publishes technical notes on TIBER-ES updated to DORA. Announces that during 2026 the first systemic Spanish entities (BBVA, Santander, CaixaBank and a restricted group) will execute their first TLPT tests under the updated framework. The Test Authority coordinates the exercises without individual public attribution.

Cross-cutting pattern — what January closes and what it opens

The month closes several arcs:

• DORA: end of the informal grace period, CTPP list published, final RTS TLPT, NIS2 transposition in Spain. Everything missing on 17 January 2025 is covered by 17 January 2026.
• Open-weights frontier one year after R1: the pattern normalises. Chinese labs dominate rankings, multimodal and agent swarm appear in open weights, the white-box / black-box gap closes for both sides (attacker and defender).
• Ivanti EPMM in January: third anniversary of the “Ivanti zero-day in January” category. 2024 Connect Secure, 2025 CSA chain, 2026 EPMM. A sectoral pattern.

And opens two:

• 2026 as the first year of active DORA enforcement. Sanctions that haven’t arrived by January are expected during the year. The first fined entity will set the operational tone for the rest of the sector.
• US litigation timeline on state AI laws. The AI Litigation Task Force will produce federal precedent during 2026 that will clarify (or complicate) multi-state compliance calculations for deployers operating in the US.

February brings the anniversary of AI Act Art. 5 (2 February) and the anniversary of ByBit (21 February). Both turn one.