Weekly Threat Landscape Digest – Week 5

1. Critical Security Patch Advisory – GitLab CE/EE

GitLab has released urgent security updates for both Community Edition (CE) and Enterprise Edition (EE) to address multiple high- and medium-severity vulnerabilities. These flaws could allow attackers to conduct denial-of-service (DoS) attacks and, in some cases, bypass two-factor authentication (2FA). Affected systems may experience service disruption, unauthorized access, and security control bypass if not patched promptly.

Key Vulnerabilities:

• CVE-2025-13927 – DoS in Jira Connect Integration (CVSS: 7.5)
  • CVE-2025-13928 – Incorrect Authorization in Releases API (CVSS: 7.5)
  • CVE-2026-0723 – Two-Factor Authentication Bypass (CVSS: 7.4)
  • CVE-2025-13335 – Infinite Loop in Wiki Redirects (CVSS: 6.5)
  • CVE-2026-1102 – DoS via SSH Authentication Requests (CVSS: 5.3)

Impacted Versions:
GitLab CE/EE versions prior to 18.6.4, 18.7.2, and 18.8.2 (varies by vulnerability).

Remediation:
Organizations are strongly advised to upgrade immediately to GitLab versions 18.8.2, 18.7.2, or 18.6.4, especially for internet-facing and critical environments.

Reference:
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/

2. Denial-of-Service Vulnerability in Apache Karaf Decanter

A security vulnerability has been identified in Apache Karaf Decanter that could allow unauthenticated remote attackers to trigger a denial-of-service (DoS) condition. The issue arises from unsafe deserialization in the Decanter log socket collector component, which processes incoming log events without authentication by default. Successful exploitation may cause the Decanter service to crash, resulting in disruption of monitoring and logging operations.

Key Vulnerability:

• CVE-2026-24656 – Unsafe Deserialization Leading to DoS

Technical Details:

• Affects the Decanter log socket collector listening on TCP port 4560
  • Port is exposed without authentication by default
  • Validation bypass allows attackers to send crafted serialized objects
  • Causes deserialization of untrusted data and service crash
  • Does not enable remote code execution but impacts system availability

Impacted Versions:
Apache Karaf Decanter versions prior to 2.12.0

Remediation:
Upgrade immediately to Apache Karaf Decanter version 2.12.0 or later to mitigate the vulnerability and restore secure logging operations.

Reference:
https://seclists.org/oss-sec/2026/q1/112

3. Actively Exploited Zero-Day Vulnerability in Microsoft Office

Microsoft has released emergency out-of-band security updates to address an actively exploited high-severity security feature bypass vulnerability in Microsoft Office. The flaw allows attackers to bypass Object Linking and Embedding (OLE) security mitigations designed to block unsafe COM/OLE controls in malicious documents. Successful exploitation requires user interaction but has low attack complexity and may result in significant impact on system confidentiality, integrity, and availability.

Key Vulnerability:

• CVE-2026-21509 – Microsoft Office Security Feature Bypass (CVSS: 7.8)

Technical Details:

• Bypasses OLE protections against unsafe COM/OLE controls
  • Exploited through malicious Office documents
  • Requires user interaction to open crafted files
  • Relies on social engineering for delivery
  • Classified under CWE-807 (Reliance on Untrusted Inputs)
  • Confirmed active exploitation in the wild

Affected Products:

• Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

Remediation:

• Apply Microsoft security updates immediately
  • Restart Office applications to activate service-side protections
  • Use registry-based mitigation only if patching is delayed
  • Prioritize legacy Office installations (2016/2019)

Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

4. Security Updates – Google Chrome

Google has released security updates to address a high-severity vulnerability in the Chrome browser related to an inappropriate implementation in the Background Fetch API. Successful exploitation could allow attackers to trigger unintended background network activity, potentially impacting browser security, user data integrity, and overall system stability.

Key Vulnerability:

• CVE-2026-1504 – Inappropriate Implementation in Background Fetch API (High Severity)

Technical Details:

• Affects the Background Fetch API functionality
  • Can be exploited through a crafted malicious web page
  • May result in unexpected background network operations
  • Could impact data integrity and browser security controls

Affected Versions:
Unpatched versions of Google Chrome prior to the January 2026 stable updates

Fixed Versions:

• Chrome 144.0.7559.109/.110 (Windows/Mac)
  • Chrome 144.0.7559.109 (Linux)
  • Chrome 144.0.7559.109 (Android)

Remediation:

• Update Google Chrome immediately to the latest stable version
  • Enable automatic browser updates where possible
  • Verify browser versions across enterprise environments
  • Prioritize updates on user endpoints and shared systems

Reference:
https://chromereleases.googleblog.com/2026/01/stable-channel-update-fordesktop_27.html

5. Actively Exploited Critical Vulnerability in GNU telnetd

A critical authentication bypass vulnerability has been disclosed in the GNU Inetutils telnetd daemon and is being actively exploited in the wild. The flaw allows unauthenticated remote attackers to gain root-level access without valid credentials by exploiting improper handling of environment variables during Telnet session negotiation. Successful exploitation results in full remote code execution with maximum system compromise.

Key Vulnerability:

• CVE-2026-24061 – Authentication Bypass and Argument Injection (CVSS: 9.8 – Critical)

Technical Details:

• Affects GNU Inetutils telnetd versions 1.9.3 through 2.7
  • Exploited by injecting the -f root flag via the USER environment variable
  • Occurs during Telnet authentication negotiation
  • Results in remote code execution with root privileges
  • Classified under CWE-88 (Argument Injection)
  • Confirmed active exploitation in the wild

Affected Products:

• Vendor: GNU
  • Product: Inetutils – telnetd
  • Versions: 1.9.3 to 2.7

Remediation:

• Apply vendor patches or updated packages immediately
  • Remove GNU Inetutils telnetd if no patch is available
  • Disable Telnet services on all systems
  • Replace Telnet with SSH or secure remote access protocols
  • Conduct system audits to detect potential compromise

Reference:
https://www.cve.org/CVERecord?id=CVE-2026-24061

6. Actively Exploited Critical Vulnerability in Fortinet Products

Fortinet has disclosed a critical authentication bypass vulnerability affecting multiple Fortinet products when FortiCloud Single Sign-On (SSO) is enabled. The flaw allows attackers with valid FortiCloud accounts to authenticate as administrators on other registered Fortinet devices. The vulnerability has been actively exploited in the wild, enabling threat actors to gain unauthorized administrative access, exfiltrate configuration data, and establish persistent access.

Key Vulnerability:

• CVE-2026-24858 – Authentication Bypass via Alternate Path (CVSS: 9.4 – Critical)

Technical Details:

• Caused by improper access control in FortiCloud SSO authentication paths
  • Classified under CWE-288 (Authentication Bypass Using Alternate Path)
  • Allows cross-account administrative access
  • Enables full device compromise and persistence
  • Confirmed active exploitation

Affected Products and Fixed Versions:

FortiAnalyzer
• 7.6.0–7.6.5 → Upgrade to 7.6.6+
• 7.4.0–7.4.9 → Upgrade to 7.4.10+
• 7.2.0–7.2.11 → Upgrade to 7.2.12+
• 7.0.0–7.0.15 → Upgrade to 7.0.16+

FortiManager
• 7.6.0–7.6.5 → Upgrade to 7.6.6+
• 7.4.0–7.4.9 → Upgrade to 7.4.10+
• 7.2.0–7.2.11 → Upgrade to 7.2.13+
• 7.0.0–7.0.15 → Upgrade to 7.0.16+

FortiOS
• 7.6.0–7.6.5 → Upgrade to 7.6.6+
• 7.4.0–7.4.10 → Upgrade to 7.4.11+
• 7.2.0–7.2.12 → Upgrade to 7.2.13+
• 7.0.0–7.0.18 → Upgrade to 7.0.19+

FortiProxy
• 7.6.0–7.6.4 → Upgrade to 7.6.6+
• 7.4.0–7.4.12 → Upgrade to 7.4.13+
• 7.2.x / 7.0.x → Migrate to fixed releases

Threat Activity Observed:

• Unauthorized FortiCloud SSO authentication
  • Configuration file exfiltration
  • Creation of rogue administrative accounts
  • Establishment of persistent access

Indicators of Compromise (Selected):

• 104.28.244.115
  • 104.28.212.114
  • 104.28.212.115
  • 104.28.195.105
  • 104.28.227.105
  • 37.1.209.19
  • 217.119.139.50

Remediation:

• Upgrade all affected Fortinet products immediately
  • Audit and remove unauthorized admin accounts
  • Review FortiCloud SSO authentication logs
  • Rotate all administrative credentials
  • Monitor for abnormal configuration exports
  • Disable FortiCloud SSO if patching is delayed

Reference:
https://fortiguard.fortinet.com/psirt/FG-IR-26-060

7. Multiple Vulnerabilities in HPE Aruba Networking Fabric Composer

Multiple security vulnerabilities have been identified in HPE Aruba Networking Fabric Composer that could lead to remote code execution, arbitrary file modification, information disclosure, and memory corruption. Successful exploitation may allow attackers to compromise system integrity, access sensitive data, and disrupt network management operations.

Key Vulnerabilities:

• CVE-2024-4741 – Use-After-Free in OpenSSL Buffer Handling (CVSS: 7.5 – High)
  • CVE-2026-23592 – Insecure File Handling Leading to Remote Code Execution (CVSS: 7.2 – High)
  • CVE-2026-23593 – Unauthenticated Limited File Read via Web Interface (CVSS: 5.3 – Medium)

Technical Details:

• Memory corruption due to improper OpenSSL buffer handling
  • Insecure backup file operations enabling command execution
  • Web interface flaw allowing limited unauthenticated file access
  • Potential exposure of sensitive system and configuration data

Affected Versions:
HPE Aruba Networking Fabric Composer 7.x.x versions 7.2.3 and below

Fixed Versions:
HPE Aruba Networking Fabric Composer 7.x.x version 7.2.3 and later

Remediation:

• Upgrade immediately to the latest patched release provided by HPE
  • Restrict administrative access to management interfaces
  • Monitor systems for unauthorized file access and abnormal activity
  • Apply network segmentation for management systems

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US

8. OpenSSL Security Updates – January 2026

The OpenSSL Project has released security updates to address multiple vulnerabilities affecting supported OpenSSL versions. The most critical issue is a pre-authentication stack buffer overflow that could allow remote code execution (RCE) or denial-of-service (DoS) attacks. Due to the widespread use of OpenSSL in secure communications and cryptographic services, unpatched systems may be exposed to significant security risks.

Key Vulnerabilities:

• CVE-2025-15467 – Stack Buffer Overflow in CMS AuthEnvelopedData (High Severity)
  • CVE-2025-11187 – PKCS#12 MAC Verification Flaw (Moderate Severity)
  • CVE-2025-15469 – Data Truncation in openssl dgst (Low)
  • CVE-2025-66199 – TLS 1.3 Memory Exhaustion (Low)
  • CVE-2025-15468 – NULL Pointer Dereference in QUIC (Low)

Technical Details:

• CVE-2025-15467 can be exploited without authentication
  • May result in remote code execution or service disruption
  • Affects TLS, CMS, PKCS#12, and QUIC processing components
  • Particularly risky for internet-facing systems

Affected Versions:

• OpenSSL 3.6.x
  • OpenSSL 3.5.x
  • OpenSSL 3.4.x
  • OpenSSL 3.3.x
  • OpenSSL 3.0.x
  • Legacy 1.1.1 and 1.0.2 (premium support)

Fixed Versions:

• OpenSSL 3.6.1
  • OpenSSL 3.5.5
  • OpenSSL 3.4.4
  • OpenSSL 3.3.6
  • OpenSSL 3.0.19
  • Vendor-patched builds for legacy versions

Remediation:

• Upgrade OpenSSL immediately on all affected systems
  • Prioritize externally exposed services
  • Validate application compatibility after updates
  • Monitor for abnormal TLS or cryptographic failures

Reference:
https://openssl-library.org/news/secadv/20260127.txt

 

9. Critical Remote Code Execution Vulnerability in Laravel Reverb

A critical security vulnerability has been identified in Laravel Reverb, the real-time WebSocket backend for Laravel applications. The flaw allows unauthenticated remote attackers to execute arbitrary code under specific deployment conditions, potentially leading to full system compromise and data breaches.

Key Vulnerability:

• CVE-2026-23524 – Unsafe PHP Deserialization Leading to RCE (CVSS: 9.8 – Critical)

Technical Details:

• Affects Laravel Reverb versions prior to v1.7.0
  • Caused by unsafe PHP object deserialization
  • Allows unauthenticated remote code execution
  • Exploitable over network without user interaction
  • Results in full compromise of affected servers

Affected Versions:
Laravel Reverb versions earlier than v1.7.0

Fixed Version:
Laravel Reverb v1.7.0 and later

Remediation:

• Upgrade Laravel Reverb immediately to v1.7.0 or later
  • Review WebSocket exposure to the internet
  • Restrict access to backend services where possible
  • Monitor application logs for suspicious activity
  • Conduct post-patch security validation

Reference:
https://github.com/advisories/GHSA-m27r-m6rx-mhm4

10. High-Severity Vulnerability in Juniper Networks Junos OS

A high-severity vulnerability has been identified in Juniper Networks Junos OS and Junos OS Evolved that could allow a malicious DHCP client to exhaust IP address pools across multiple subnets. Successful exploitation may lead to denial-of-service (DoS) conditions on downstream DHCP servers, resulting in network disruption and service unavailability.

Key Vulnerability:

• CVE-2025-59960 – DHCP Option 82 Handling Flaw (CVSS: 7.4 – High)

Technical Details:

• Affects the Juniper DHCP service (jdhcpd)
  • Occurs when DHCP relay is configured in forward-only mode
  • Forwards client-supplied Option 82 data without validation
  • Bypasses trust-option82 security setting
  • Enables cross-subnet IP lease exhaustion

Affected Products:

Junos OS

• Versions before 21.2R3-S10
  • 21.4 before 21.4R3-S12
  • All versions of 22.2
  • 22.4 before 22.4R3-S8
  • 23.2 before 23.2R2-S5
  • 23.4 before 23.4R2-S6
  • 24.2 before 24.2R2-S2
  • 24.4 before 24.4R2
  • 25.2 before 25.2R1-S1 / 25.2R2

Junos OS Evolved

• Versions before 21.4R3-S12-EVO
  • All versions of 22.2-EVO
  • 22.4 before 22.4R3-S8-EVO
  • 23.2 before 23.2R2-S5-EVO
  • 23.4 before 23.4R2-S6-EVO
  • 24.2 before 24.2R2-S2-EVO
  • 24.4 before 24.4R2-EVO
  • 25.2 before 25.2R1-S1-EVO / 25.2R2-EVO

Fixed Versions:

• Junos OS: 21.2R3-S10, 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, 24.4R2, 25.2R1-S1, 25.2R2, 25.4R1, and later
  • Junos OS Evolved: Corresponding EVO fixed releases and later

Remediation:

• Upgrade all affected Junos OS and Junos OS Evolved systems immediately
  • Review DHCP relay configurations
  • Restrict untrusted DHCP clients
  • Monitor for abnormal IP lease consumption
  • Validate Option 82 handling settings

Reference:
https://supportportal.juniper.net/s/article/2026-01-Security-Bulletin-Junos-OS-and-JunosOS-Evolved-DHCP-Option-82-messages-from-clients-being-passed-unmodified-to-theDHCP-server-CVE-2025-59960

 

11. Privilege Escalation Vulnerability in Rufus

A high-severity local privilege escalation vulnerability has been identified in Rufus, a widely used utility for creating bootable USB drives. The flaw allows low-privileged users to escalate their access to Administrator level by exploiting a race condition in temporary file handling during Windows ISO downloads. Successful exploitation may result in full system compromise.

Key Vulnerability:

• CVE-2026-23988 – TOCTOU Race Condition Leading to Privilege Escalation (CVSS: 7.3 – High)

Technical Details:

• Caused by unsafe handling of temporary files in the %TEMP% directory
  • Occurs during execution of the Fido PowerShell script
  • Exploits Time-of-Check Time-of-Use (TOCTOU) race condition
  • Enables bypass of Windows User Account Control (UAC)
  • Allows execution of arbitrary code with Administrator privileges

Affected Versions:
Rufus versions prior to 4.12

Fixed Version:
Rufus version 4.12

Impact:

• Local privilege escalation from standard user to Administrator
  • Installation of malware and persistence mechanisms
  • Creation of backdoors
  • Compromise of system integrity

Remediation:

• Upgrade Rufus immediately to version 4.12
  • Restrict installation and execution of unauthorized tools
  • Monitor endpoints for abnormal privilege escalation activity
  • Apply endpoint security controls and patch management

Reference:
https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9

 

12. Denial-of-Service Vulnerability in React Server Components

A high-severity denial-of-service (DoS) vulnerability has been identified in React Server Components that could allow remote attackers to exhaust system resources and disrupt application availability. The flaw arises from incomplete fixes in previous updates and can be exploited through specially crafted HTTP requests targeting Server Function endpoints.

Key Vulnerability:

• CVE-2026-23864 – Resource Exhaustion Leading to DoS (CVSS: 7.5 – High)

Technical Details:

• Affects server-side processing in React Server Components
  • Exploited via crafted requests to Server Function endpoints
  • Triggers excessive memory and CPU consumption
  • May cause server crashes and out-of-memory (OOM) conditions
  • Results in application service disruption

Affected Components:

• react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected Versions:
19.0.0–19.0.3, 19.1.0–19.1.4, 19.2.0–19.2.3

Fixed Versions:
19.0.4, 19.1.5, 19.2.4 and later

Remediation:

• Upgrade all affected React Server Components immediately
  • Implement rate limiting on server endpoints
  • Monitor server resource utilization
  • Apply Web Application Firewall (WAF) protections
  • Conduct post-update stability testing

References:
https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
https://www.cve.org/CVERecord?id=CVE-2026-23864

 

13. High-Severity Vulnerability in HPE ONMS Adapter

A high-severity security vulnerability has been identified in the HPE ONMS Adapter component used within HPE Telco IP Mediation. The flaw allows remote, unauthenticated attackers to trigger a stack overflow condition through specially crafted network input, potentially leading to service disruption or system compromise.

Key Vulnerability:

• CVE-2024-7254 – Remote Stack Overflow (CVSS: 7.5 – High)

Technical Details:

• Caused by improper handling of crafted network input
  • Triggers stack overflow in ONMS Adapter service
  • Exploitable remotely without authentication
  • May result in denial-of-service or further compromise

Affected Products:

• HPE Telco IP Mediation 8.5.1
  • HPE ONMS Adapter versions ≤ 4.4.0-0C patch 00001

Fixed Version:
HPE ONMS Adapter 4.4.0-0C patch 00002 or later

Remediation:

• Upgrade HPE ONMS Adapter immediately to the patched version
  • Validate service stability after upgrade
  • Restrict external access to mediation services
  • Monitor logs for abnormal crashes or memory faults
  • Apply network-level access controls

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04990en_us&docLocale=en_US

 

14. Multiple High-Severity Vulnerabilities in Dell CloudBoost Virtual Appliance

Dell Technologies has released security updates to address multiple high-severity vulnerabilities affecting the Dell CloudBoost Virtual Appliance. The issues originate from both third-party components and proprietary Dell code, potentially exposing systems to security risks including credential compromise and exploitation within virtualized environments.

Key Vulnerabilities:

• CVE-2025-48384 – Git Component Vulnerability
  • CVE-2025-41244 – Open VM Tools Vulnerability
  • CVE-2026-21417 – Plaintext Storage of Password (CVSS: 7.0 – High)

Technical Details:

• Third-party components introduce known security weaknesses
  • Proprietary flaw stores credentials in plaintext format
  • May lead to unauthorized access and data exposure
  • Increases attack surface in virtualized deployments

Affected Versions:
Dell CloudBoost Virtual Appliance versions prior to 19.14.0.0

Fixed Version:
Dell CloudBoost Virtual Appliance version 19.14.0.0 and later

Remediation:

• Upgrade all CloudBoost Virtual Appliance instances immediately
  • Rotate credentials after patching
  • Review system configurations for insecure storage practices
  • Restrict administrative access
  • Monitor for suspicious authentication activity

Reference:
https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-securityupdate-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities

15. Multiple Critical Vulnerabilities in HPE Telco Universal SLA Management

Hewlett Packard Enterprise (HPE) has disclosed multiple security vulnerabilities affecting HPE Telco Universal SLA Management (USLAM) that could lead to remote code execution, privilege escalation, insecure deserialization, XML External Entity (XXE) injection, sensitive information disclosure, and arbitrary file modification. Successful exploitation may result in full system compromise and significant operational impact.

Key Vulnerabilities:

Critical Severity:

• CVE-2015-7501
  • CVE-2018-20433
  • CVE-2020-10683
  • CVE-2022-46680

High Severity:

• CVE-2018-1000056
  • CVE-2019-1003033
  • CVE-2020-13936
  • CVE-2021-39144
  • CVE-2021-39146
  • CVE-2022-1415

Technical Details:

• Vulnerabilities include RCE, privilege escalation, XXE injection, and insecure deserialization
  • Enables unauthorized access and arbitrary file modification
  • May expose sensitive operational and customer data
  • Affects core SLA monitoring and reporting functions

Affected Versions:
HPE Telco Universal SLA Management (USLAM) versions 4.6 and earlier

Fixed Version:
HPE Telco Universal SLA Management v4.6 Patch 09 and later

Remediation:

• Upgrade USLAM systems immediately to the patched version
  • Restrict administrative access to management interfaces
  • Review system logs for indicators of compromise
  • Apply network segmentation for telco management systems
  • Conduct security hardening and vulnerability assessments

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04997en_us&docLocale=en_US

 

16. Actively Exploited Critical Vulnerability in SmarterTools SmarterMail

A critical authentication bypass vulnerability has been identified in SmarterTools SmarterMail and is being actively exploited in the wild. The flaw allows unauthenticated attackers to reset system administrator passwords through an exposed API endpoint, resulting in full administrative takeover and potential compromise of the underlying server.

Key Vulnerability:

• CVE-2026-23760 – Authentication Bypass via Password Reset API (CVSS v4.0: 9.3 – Critical)

Technical Details:

• Affects SmarterMail versions prior to build 9511
  • Exposed force-reset-password API accepts anonymous requests
  • Bypasses OldPassword and authentication checks
  • Exploits privileged IsSysAdmin parameter
  • Enables administrator password reset without validation
  • Allows OS-level command execution via Volume Mount feature
  • Listed in the Known Exploited Vulnerabilities (KEV) Catalog
  • Confirmed active exploitation

Affected Versions:
All SmarterMail versions prior to build 9511

Fixed Versions:
Build 9511 and later (latest: Build 9518)

Impact:

• Immediate takeover of administrator accounts
  • Full control over mail servers and domains
  • Manipulation of mail flow and user settings
  • Potential host-level compromise

Remediation:

• Upgrade immediately to the latest SmarterMail build
  • Prioritize internet-facing mail servers
  • Review administrator accounts and reset credentials
  • Audit access logs for suspicious API usage
  • Restrict access to management interfaces
  • Implement network-level protections

References:
https://www.smartertools.com/smartermail/release-notes/current
https://www.cve.org/CVERecord?id=CVE-2026-23760

 

17. Critical Sandbox Escape Vulnerability in vm2

A critical security vulnerability has been identified in vm2, a widely used Node.js sandbox library designed to execute untrusted JavaScript code. The flaw allows attackers to bypass sandbox restrictions and execute arbitrary code on the host system, resulting in full sandbox escape and potential system compromise.

Key Vulnerability:

• CVE-2026-22709 – Sandbox Escape and Remote Code Execution (CVSS: 9.8 – Critical)

Technical Details:

• Caused by incomplete sanitization of Promise callbacks
  • Global Promise object methods remain unsanitized
  • Exploitable via async functions and prototype chain traversal
  • Enables execution of arbitrary code outside the sandbox
  • Results in full host-level compromise

Affected Versions:
vm2 versions 3.10.0 and earlier

Fixed Versions:
vm2 version 3.10.2 and later

Impact:

• Escape from sandbox environment
  • Execution of system commands with application privileges
  • Access to sensitive data
  • Potential lateral movement within the environment

Remediation:

• Upgrade vm2 immediately to version 3.10.2 or later
  • Review applications executing untrusted code
  • Restrict sandbox privileges where possible
  • Monitor for abnormal script execution behavior
  • Apply application-level security controls

Reference:
https://www.tenable.com/cve/CVE-2026-22709

 

18. High-Severity Denial-of-Service Vulnerability in ISC BIND 9

A high-severity vulnerability has been identified in ISC BIND 9 that could allow remote attackers to crash DNS servers through specially crafted DNS packets. Successful exploitation may result in denial-of-service (DoS) conditions affecting both authoritative and recursive DNS infrastructure, potentially disrupting critical network services.

Key Vulnerability:

• CVE-2025-13878 – Malformed DNS Record Handling Leading to DoS (CVSS: 7.5 – High)

Technical Details:

• Affects the named DNS process
  • Caused by improper handling of malformed BRID and HHIT records
  • Single malicious DNS request can trigger server crash
  • Impacts authoritative servers and recursive resolvers
  • Results in unexpected process termination

Affected Versions:

BIND 9

• 9.18.40 to 9.18.43
  • 9.20.13 to 9.20.17
  • 9.21.12 to 9.21.16

BIND Supported Preview Edition

• 9.18.40-S1 to 9.18.43-S1
  • 9.20.13-S1 to 9.20.17-S1

Fixed Versions:

BIND 9

• 9.18.44
  • 9.20.18
  • 9.21.17

BIND Supported Preview Edition

• 9.18.44-S1
  • 9.20.18-S1

Remediation:

• Upgrade all affected BIND installations immediately
  • Prioritize public-facing DNS servers
  • Monitor for abnormal DNS traffic patterns
  • Implement rate limiting and DDoS protections
  • Review DNS service availability regularly

Reference:
https://kb.isc.org/docs/cve-2025-13878

 

19. ClickFix Phishing Campaign Hijacks Facebook Sessions via Fake Verification Pages

A widespread phishing campaign known as ClickFix has been observed targeting Facebook content creators, business page owners, and monetized accounts. The campaign relies on social engineering techniques to trick victims into manually providing their session authentication tokens, resulting in full account takeover without deploying traditional malware.

Threat Overview:

• Targets users seeking Facebook verification badges
  • Impersonates official Facebook help and verification portals
  • Uses urgency and trust-based messaging
  • Tricks users into extracting and submitting session tokens
  • Enables immediate account compromise

Attack Technique:

• Victims receive messages offering free verification or warning of policy violations
  • Links redirect users to fake Facebook-branded pages
  • Pages display animations, warnings, and countdown timers
  • Users are guided to open browser developer tools
  • Victims copy and submit c_user and xs session cookies
  • Tokens are validated in real time by attacker scripts
  • Users are instructed not to log out to preserve session validity

Technical Details:

• Manual token theft via browser developer tools
  • JavaScript validation of stolen cookies
  • Multi-stage credential harvesting process
  • Backup codes and passwords collected as fallback
  • Data exfiltration via Formspark and submit-form.com endpoints
  • Phishing pages hosted on Netlify, Vercel, GitHub Pages, Wasmer, Surge, and similar platforms
  • At least 115 phishing pages and 8 data collection endpoints identified

Impact:

• Complete takeover of Facebook accounts
  • Unauthorized password changes
  • Theft of payment and monetization data
  • Impersonation of victims
  • Abuse of business and advertising accounts

Threat Activity:

• Active since January 2025
  • Expanded significantly in 2026
  • Initially reported by Unit42 and Hunt.io
  • Infrastructure designed for rapid redeployment

Remediation:

• Educate users to never share session cookies or tokens
  • Disable suspicious browser extensions
  • Enable multi-factor authentication
  • Monitor for unusual login and session activity
  • Reset credentials if compromise is suspected
  • Implement phishing awareness training
  • Block known phishing domains and hosting providers

Reference:
https://www.cryptika.com/new-clickfix-campaign-hijacks-facebook-sessions-using-fake-verification-pages/

 

20. Okta Vishing Campaign Linked to ShinyHunters Bypasses Multi-Factor Authentication

A sophisticated voice phishing (vishing) campaign targeting Okta users has been observed leveraging custom real-time phishing kits to bypass traditional multi-factor authentication (MFA) controls. The campaign involves attackers impersonating IT or security staff and guiding victims through fake login portals during live phone calls, resulting in credential theft and account compromise.

Threat Overview:

• Attackers pose as internal IT/security personnel
  • Victims are guided verbally to fake login pages
  • Phishing kits operate in real time
  • Pages impersonate Okta, Microsoft, and Google portals
  • Enables coordinated credential harvesting

Attack Technique:

• Victims receive phone calls claiming urgent security issues
  • Users are directed to malicious authentication portals
  • Credentials are relayed instantly to attackers
  • MFA challenges are observed and relayed in real time
  • Victims are instructed to approve push requests or enter OTPs
  • Even number-matching MFA can be bypassed through social engineering
  • Session orchestration adapts dynamically to authentication flow

Technical Details:

• Real-time phishing infrastructure
  • Live synchronization between attacker and victim
  • Dynamic manipulation of login workflows
  • Relay-based MFA bypass
  • Ineffective against phishing-resistant authentication

Threat Attribution:

• Campaign allegedly linked to ShinyHunters
  • Responsibility claimed after public disclosure
  • Associated data leaks reported
  • Victims reportedly include Betterment, Crunchbase, and SoundCloud
  • Leaked data includes PII and corporate records

Impact:

• Compromise of corporate identity systems
  • Unauthorized access to cloud services
  • Data exfiltration and extortion attempts
  • Increased risk of business email compromise (BEC)

Remediation:

• Enforce phishing-resistant authentication (FIDO2, Passkeys, FastPass)
  • Restrict access by network zones and trusted IP ranges
  • Block logins from anonymization services
  • Increase awareness of phone-based social engineering
  • Implement caller verification mechanisms
  • Monitor authentication logs for abnormal patterns

Reference:
https://socradar.io/blog/okta-vishing-campaign-shinyhunters/

 

21. Microsoft Warns of Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Sector

Microsoft has disclosed a sophisticated multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector. The campaign abuses trusted cloud services and compromised email accounts to deliver phishing payloads, steal credentials, hijack session cookies, and maintain long-term persistence.

Threat Overview:

• Targets organizations in the energy sector
  • Uses adversary-in-the-middle (AitM) phishing techniques
  • Transitions from credential theft to BEC operations
  • Abuses trusted internal identities
  • Enables large-scale intra- and inter-organizational phishing

Attack Technique:

• Initial compromise via phishing emails sent from trusted accounts
  • Abuse of SharePoint document-sharing workflows
  • Redirection to fake credential portals
  • Theft of credentials and session cookies
  • Creation of malicious inbox rules
  • Deletion and manipulation of incoming emails
  • Use of compromised accounts for secondary phishing waves
  • Expansion to over 600 phishing emails in observed cases

Technical Details:

• Living-off-Trusted-Sites (LOTS) technique using SharePoint and OneDrive
  • AitM infrastructure for session interception
  • Persistent mailbox manipulation
  • Active session cookie abuse
  • MFA bypass through real-time credential relay

Impact:

• Unauthorized access to corporate email systems
  • Business email compromise and fraud
  • Data exfiltration
  • Financial and reputational losses
  • Long-term persistence within victim environments

Remediation:

• Enforce phishing-resistant MFA (FIDO2, Passkeys)
  • Revoke active session tokens after incidents
  • Audit and remove suspicious inbox rules
  • Implement conditional access policies
  • Enable continuous access evaluation
  • Deploy advanced email security solutions
  • Monitor cloud identity logs continuously

Reference:
https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html

22. Wiper Attack on Polish Power Grid Linked to Russia’s Sandworm APT

A destructive cyber-attack targeting Poland’s energy infrastructure in late December 2025 has been attributed to the Russia-aligned Sandworm advanced persistent threat (APT) group. The campaign involved the deployment of data-wiping malware designed to disrupt critical energy operations and undermine national infrastructure resilience.

Threat Overview:

• Targets national energy and power infrastructure
  • Linked to Russian state-backed Sandworm (APT44 / UAC-0113 / Seashell Blizzard)
  • Focused on operational disruption and sabotage
  • Part of a long-running critical infrastructure campaign

Attack Technique:

• Deployment of wiper malware named DynoWiper
  • Targeted combined heat and power (CHP) plants
  • Attacked renewable energy systems
  • Coordinated multi-site intrusion
  • Designed to erase data and disable systems

Technical Details:

• Malware analyzed and attributed by ESET
  • Strong overlap with previous Sandworm wiper operations
  • Similar tactics to earlier BlackEnergy, Zerolot, and Sting campaigns
  • Associated with long-term OT/ICS targeting

Impact:

• No confirmed large-scale service outage reported
  • Attempted disruption of power transmission systems
  • Elevated national cyber alert status
  • Accelerated implementation of NIS2 regulations

Threat Context:

• Coincides with anniversary of 2015 Ukraine blackout
  • Continues pattern of targeting Eastern European energy sectors
  • Supports geopolitical pressure campaigns
  • Aims to weaken economic and public resilience

Remediation:

• Strengthen OT/ICS security controls
  • Segment IT and OT networks
  • Deploy anomaly detection in industrial systems
  • Conduct regular incident response exercises
  • Enhance national-level cyber defense coordination
  • Monitor for wiper malware indicators

Reference:
https://www.infosecurity-magazine.com/news/wiper-attack-polish-power-grid/

23. Google Disrupts World’s Largest Residential Proxy Network (IPIDEA)

Google Threat Intelligence Group (GTIG), in collaboration with industry partners and law enforcement, has disrupted one of the world’s largest residential proxy networks, known as IPIDEA, which was widely abused by cybercriminal and nation-state threat actors to conceal malicious activities.

Threat Overview:

• Global residential proxy infrastructure used for cybercrime and espionage
  • Enabled anonymization of malicious traffic using infected consumer devices
  • Used by over 550 tracked threat groups in January 2026
  • Facilitated botnet operations and credential attacks

Attack Infrastructure:

• Embedded proxy SDKs in legitimate-looking applications
  • Infected Android, Windows, iOS, and IoT devices
  • Devices converted into proxy exit nodes without clear consent
  • Monetization through “bandwidth sharing” schemes

Associated Brands and Networks:

• IPIDEA (ipidea.io)
  • PacketSDK / PacketShare
  • EarnSDK / HexSDK / CastarSDK
  • 360 Proxy, 922 Proxy, Luna Proxy, Cherry Proxy
  • Radish VPN, Galleon VPN, ABC Proxy, PIA S5

Technical Architecture:

• Two-tier Command-and-Control (C2) model
  o Tier 1: Domain-based coordination servers
  o Tier 2: IP-based tasking and traffic routing nodes
  • Over 7,400 active proxy servers observed globally
  • Encrypted JSON-based control communications

Threat Activity:

• Obfuscation of APT, ransomware, and fraud operations
  • Used for password spraying and SaaS compromise
  • Enabled botnets including BadBox2.0, Aisuru, Kimwolf
  • Supported operations linked to China, Russia, Iran, DPRK

Impact:

• Millions of compromised consumer devices
  • Exposure of home networks to external attackers
  • Increased difficulty in attribution and blocking
  • Abuse of legitimate ISP-assigned IP addresses

Disruption Actions:

• Legal takedown of C2 and marketing domains
  • Google Play Protect enforcement
  • Removal of infected applications
  • Collaboration with Cloudflare, Lumen, Spur

Indicators of Compromise (Selected):

• packetsdk[.]io
  • hexsdk[.]com
  • castarsdk[.]com
  • v46wd6uramzkmeeo[.]in
  • 0aa0cf0637d66c0d[.]com

Recommendations:

• Block known proxy-related domains
  • Audit third-party SDK integrations
  • Restrict “bandwidth sharing” applications
  • Monitor for abnormal outbound proxy traffic
  • Enforce mobile application security reviews
  • Educate users on proxy abuse risks

Reference:
https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network