By security practitioners, for security practitioners

Top 10 Cybersecurity News (Feb. 02, 2026): Two Million Android Devices Infected by Kimwolf Botnet, Microsoft Announces NTLM Authentication Protocol Deprecation, CISA Adds Five Vulnerabilities to Known Exploited Catalog, and More

WEEKLY TOP TEN: February 02, 2025, 16:00 GMT

  1. Fortinet FortiGate SSO Zero-Day Actively Exploited

    Fortinet confirmed active exploitation of CVE-2026-24858, a critical authentication bypass vulnerability affecting FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer with FortiCloud SSO enabled. Arctic Wolf detected automated malicious activity starting January 15, with attackers creating backdoor admin accounts, exfiltrating configuration files, and modifying VPN settings within seconds of gaining access. Exploitation persisted on fully patched devices until Fortinet temporarily disabled FortiCloud SSO on January 26 and began rolling out patches. The vulnerability has a CVSS score of 9.4 and was added to CISA’s Known Exploited Vulnerabilities catalog with a January 30 remediation deadline for federal agencies. This represents a separate attack path from previously patched vulnerabilities.
  2. Microsoft Office Zero-Day CVE-2026-21509 Exploited in Attacks

    Microsoft released emergency out-of-band security updates to patch CVE-2026-21509, a high-severity Office zero-day vulnerability actively exploited in attacks. The security feature bypass flaw affects Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise, allowing unauthenticated local attackers to bypass OLE mitigations protecting users from vulnerable COM/OLE controls. Exploitation requires sending malicious Office files and convincing users to open them, though the preview pane is not an attack vector. Microsoft deployed service-side updates for Office 2021 and later versions, requiring only application restarts rather than manual patches. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on January 26 alongside four other actively exploited flaws.
  3. CISA Adds Five Vulnerabilities to Known Exploited Catalog

    CISA added five new vulnerabilities to its Known Exploited Vulnerabilities catalog on January 26 based on evidence of active exploitation: CVE-2018-14634 (Linux Kernel Integer Overflow), CVE-2025-52691 (SmarterTools SmarterMail Unrestricted Upload), CVE-2026-21509 (Microsoft Office Security Feature Bypass), CVE-2026-23760 (SmarterTools SmarterMail Authentication Bypass), and CVE-2026-24061 (GNU InetUtils Argument Injection). The SmarterMail vulnerabilities allow unauthenticated attackers to upload arbitrary files, enabling remote code execution, and to bypass authentication through alternate channels. The Linux Kernel flaw permits unprivileged local users to cause denial of service or potentially execute code. The GNU InetUtils vulnerability enables remote authentication bypass via argument injection in telnetd. Federal agencies must remediate by the specified deadlines per Binding Operational Directive 22-01.
  4. Critical n8n Vulnerability Allows Unauthenticated Server Takeover

    A critical-severity vulnerability in the n8n workflow automation platform allows attackers to take over vulnerable instances. Tracked as CVE-2026-21858 with a CVSS score of 10.0, the flaw affects the platform’s webhook and file-handling logic and could lead to unauthenticated access to arbitrary files. The vulnerability is a Content-Type confusion affecting n8n’s form-based workflows, granting access to unauthenticated remote attackers. Security firm Cyera, which discovered the flaw dubbed Ni8mare, found it allows attackers to execute arbitrary code on vulnerable devices. With n8n having over 100 million Docker pulls and being used by thousands of enterprises, Censys observed 26,512 exposed n8n hosts, with the vast majority located in the U.S., Germany, and France.
  5. Cloudflare Outage Linked to Emergency React Vulnerability Patching

    Cloudflare blamed a widespread outage on January 26 on emergency patching of CVE-2026-23864, a critical React remote code execution vulnerability that was being actively exploited in attacks. The vulnerability affects react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage. Cloudflare deployed new WAF rules to protect customers, with the default action set to Block, but the emergency change caused approximately 28 percent of applications behind its network to experience service disruption for roughly 25 minutes. The incident highlights the severity of the vulnerability and the urgent need for organizations to patch their React-based applications.
  6. Ivanti EPMM Zero-Days Exploited in Wild Before Disclosure

    Ivanti disclosed two critical code injection vulnerabilities in Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340) that were exploited as zero-days before patches became available. Both flaws, rated CVSS 9.8, allow unauthenticated remote attackers to execute arbitrary code on affected on-premises EPMM installations through the In-House Application Distribution and Android File Transfer Configuration features. Successful exploitation provides attackers access to personally identifiable information including admin usernames, email addresses, phone numbers, GPS locations, and device identifiers. CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog with an unusually short February 1 remediation deadline for federal agencies. Ivanti released provisional RPM script patches while working on a permanent fix for version 12.8.0.0 scheduled for Q1 2026.
  7. Two Million Android Devices Infected by Kimwolf Botnet

    A massive global network of infected gadgets known as Kimwolf, the Android variant of the Aisuru DDoS botnet, has grown to over 2 million devices since August 2025. Hackers are targeting Android-powered smart TVs and cheap streaming boxes to build a botnet for launching Distributed Denial-of-Service attacks. Security firm Synthient revealed that many of these devices are compromised before they even reach consumers’ homes. The combined power of these infected devices has been used to flood and crash major websites with traffic, reaching a record-breaking 29.7 Terabits per second according to Cloudflare. The botnet operates by hijacking vulnerable Android devices through pre-installed malware in supply chain attacks, highlighting the ongoing risk of compromised consumer electronics distributed through unverified channels.
  8. Microsoft Announces NTLM Authentication Protocol Deprecation

    Microsoft announced plans to disable the 30-year-old NTLM authentication protocol by default in upcoming Windows releases due to persistent security vulnerabilities exposing organizations to cyberattacks. NTLM has been exploited in pass-the-hash attacks, credential relay attacks, and brute-force campaigns for decades, making it a prime target for threat actors seeking lateral movement within enterprise networks. The deprecation represents a significant shift in Windows authentication architecture, with Microsoft recommending organizations transition to Kerberos and modern authentication protocols. Organizations must audit applications and services still relying on NTLM and develop migration plans before the protocol is disabled. The company plans a phased rollout with warnings and grace periods to minimize disruption while improving overall Windows security posture.
  9. Google Disrupts IPIDEA Residential Proxy Network

    Google Threat Intelligence Group disrupted IPIDEA, one of the largest residential proxy networks used by cybercriminals, in collaboration with industry partners. IPIDEA facilitated threat actor operations by providing access to millions of residential IP addresses, enabling attackers to bypass geographical restrictions, evade detection, and conduct malicious activities while masquerading as legitimate users. The proxy network was extensively used for credential stuffing attacks, web scraping, account takeover operations, ad fraud, and distributed denial-of-service campaigns. Security researchers estimate IPIDEA’s network comprised over 2 million compromised devices globally, primarily consisting of insecure Android TV boxes and digital photo frames exploited without owner knowledge. The takedown demonstrates increased cooperation between technology companies and law enforcement to dismantle cybercrime-as-a-service platforms.
  10. Malicious VS Code Extensions Exfiltrate Developer Data

    Cybersecurity researchers discovered two malicious Microsoft Visual Studio Code extensions with 1.5 million combined installations that secretly exfiltrate developer data to China-based servers. The extensions advertise themselves as AI-powered coding assistants while establishing persistent backdoor access to steal source code, proprietary algorithms, API keys, and intellectual property from development environments during active coding sessions. The malicious extensions remain available in the official Visual Studio Code Marketplace despite harboring covert functionality. This supply chain attack targets the software development lifecycle by compromising trusted developer tools, representing a significant escalation in attacks against the technology sector. Security researchers warn this campaign could enable industrial espionage, intellectual property theft, and compromise of software supply chains across multiple organizations.
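Item 8 above says organizations must audit which accounts and services still authenticate with NTLM before Microsoft disables it by default. The script below is an added example, not code from the digest or from Microsoft: it parses Windows Security event 4624 (successful logon) records exported as XML and groups the NTLM logons by account and source host, flagging any NTLM V1 use separately. It assumes the events were exported from a domain controller or server with a command such as `wevtutil qe Security "/q:*[System[EventID=4624]]" /f:xml` and wrapped in one root element; the event records embedded in the block are constructed sample data, not real telemetry.

```python
"""Added example: find accounts and hosts still using NTLM from Security event 4624 XML."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML as exported by wevtutil / Get-WinEvent .ToXml()
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export: four 4624 logons (three NTLM, one Kerberos) plus one 4634
# logoff record to show that non-4624 events are ignored. Hosts and names are fictional.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">APP01</Data>
    <Data Name="IpAddress">10.0.0.21</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">APP01</Data>
    <Data Name="IpAddress">10.0.0.21</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">LEGACY-SCAN</Data>
    <Data Name="IpAddress">10.0.0.55</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="LmPackageName">-</Data><Data Name="WorkstationName">WS-ALICE</Data>
    <Data Name="IpAddress">10.0.0.9</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4634</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data></EventData>
</Event>
</Events>"""


def parse_logons(xml_text):
    """Return one dict per 4624 event with the fields an NTLM audit needs."""
    root = ET.fromstring(xml_text)
    logons = []
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful logons carry the package fields we want
        data = {d.get("Name"): (d.text or "").strip()
                for d in event.findall("e:EventData/e:Data", NS)}
        logons.append({
            "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
            "logon_type": data.get("LogonType", ""),
            # "NTLM" here also covers Negotiate sessions that fell back to NTLM
            "auth_package": data.get("AuthenticationPackageName", ""),
            "lm_package": data.get("LmPackageName", "-"),   # "NTLM V1" / "NTLM V2" / "-"
            "source": data.get("IpAddress") or data.get("WorkstationName") or "?",
            "computer": event.findtext("e:System/e:Computer", default="", namespaces=NS),
        })
    return logons


def ntlm_report(logons):
    """Group NTLM logons by (account, source) so each dependency can be assigned an owner."""
    report = {"total": len(logons), "total_ntlm": 0,
              "by_account_source": Counter(), "ntlm_v1": []}
    for lg in logons:
        if lg["auth_package"].upper() != "NTLM":
            continue
        report["total_ntlm"] += 1
        report["by_account_source"][(lg["user"], lg["source"])] += 1
        if lg["lm_package"].upper() == "NTLM V1":   # weakest variant; migrate these first
            report["ntlm_v1"].append((lg["user"], lg["source"]))
    return report


if __name__ == "__main__":
    rep = ntlm_report(parse_logons(SAMPLE_EVENTS))
    print(f"{rep['total_ntlm']} of {rep['total']} logons used NTLM")
    for (user, source), n in rep["by_account_source"].most_common():
        print(f"  {user:<20} from {source:<12} x{n}")
    for user, source in rep["ntlm_v1"]:
        print(f"  NTLM V1 still in use: {user} from {source}")
```

Run against a real export, the `most_common()` list is the migration backlog: each (account, source) pair is an application or host that will break when NTLM is disabled and needs either a Kerberos SPN, a modern-auth client, or an explicit exception. Repeating the export after each change shows the NTLM count falling to zero before the switch is flipped.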

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked by highest risk, and compiled from multiple sources where available.

