Classification: Public
Reporting Period: January 19-26, 2026
Distribution: Security Operations, IT Leadership, Executive Team
Prepared By: Tech Jacks Solutions Security Intelligence
TJS Weekly Security Intelligence Briefing – Week of Jan 26th 2026
1. Executive Summary
The week of January 19-26, 2026 presents an elevated risk posture driven by four actively exploited vulnerabilities requiring immediate action: Cisco Unified Communications zero-day (CVE-2026-20045), VMware vCenter heap overflow (CVE-2024-37079, patched June 2024 but exploitation now confirmed), renewed FortiGate SSO bypass attacks despite December patches, and GNU telnetd authentication bypass (CVE-2026-24061) exploited within 24 hours of disclosure.
Also disclosed this week: ESET attributed a December 2025 wiper attack on Poland’s power grid to Sandworm (medium confidence). ShinyHunters claimed responsibility for Okta vishing breaches, data volumes unverified.
Key Statistics:
- 4 CVEs under confirmed active exploitation affecting our stack
- ~11,000 FortiGate devices with FortiCloud SSO exposed (Shadowserver, Jan 2026)
- CVE-2026-24061: 18 attacker IPs observed over 60 sessions (GreyNoise, Jan 21-22)
2. Critical Action Items
| Priority | Item | Affected Product | Deadline | Action |
|---|---|---|---|---|
| 1 | CVE-2026-20045 – Cisco UC Zero-Day | Unified CM, Webex Calling | Feb 11, 2026 | Apply patches immediately; no workaround |
| 2 | CVE-2024-37079 – VMware vCenter RCE | vCenter Server 7.x, 8.x | Feb 13, 2026 | Upgrade to patched versions |
| 3 | CVE-2025-59718 – FortiGate SSO Bypass | FortiOS with FortiCloud SSO | Immediate | Disable FortiCloud SSO; monitor for IOCs |
| 4 | CVE-2026-24061 – GNU telnetd Root Bypass | GNU InetUtils 1.9.3-2.7 | Immediate | Disable telnetd; migrate to SSH |
| 5 | CVE-2025-34026 – Versa Concerto Auth Bypass | Concerto 12.1.2-12.2.0 | Feb 12, 2026 | Apply vendor hotfix |
| 6 | CVE-2025-68645 – Zimbra LFI | ZCS 10.0.x, 10.1.x | Feb 12, 2026 | Upgrade to 10.0.18+ or 10.1.13+ |
3. Key Security Stories
ACTIVE EXPLOITATION (This Week)
Story 1: Cisco Unified Communications Zero-Day (CVE-2026-20045)
On January 21, 2026, Cisco patched a critical code injection vulnerability (CVE-2026-20045, CVSS 8.2) affecting multiple Unified Communications products. The flaw stems from improper validation of user-supplied input in HTTP requests and allows unauthenticated attackers to execute arbitrary code with root privileges.
Cisco confirmed active exploitation in the wild, and CISA added this to the KEV catalog on January 22, 2026, with a remediation deadline of February 11, 2026. No workaround is available.
Affected Products: Unified CM, Unified CM SME, Unified CM IM&P, Unity Connection, Webex Calling Dedicated Instance
Remediation: Apply security updates from Cisco Security Advisory
Source: BleepingComputer, Help Net Security
Story 2: VMware vCenter Server (CVE-2024-37079), Now Actively Exploited
CISA added CVE-2024-37079 (CVSS 9.8) to its KEV catalog on January 23, 2026. This heap overflow vulnerability in the DCE/RPC protocol was originally patched in June 2024; its KEV addition indicates exploitation has now been confirmed in the wild.
Organizations running unpatched vCenter instances face critical risk. The 18-month gap between patch availability and confirmed exploitation underscores the importance of timely patching.
Affected Versions: vCenter Server 7.x and 8.x prior to patched releases
Remediation Deadline: February 13, 2026
Source: CISA KEV, The Register
Story 3: FortiGate SSO Bypass, Patch May Be Incomplete
Arctic Wolf reported a new wave of automated attacks against FortiGate firewalls beginning January 15, 2026. Attackers are exploiting SSO authentication bypasses to create admin accounts and exfiltrate configuration files within seconds.
Despite Fortinet patching CVE-2025-59718 in December, administrators report compromises on fully patched systems (FortiOS 7.4.9+). Fortinet privately acknowledged that the patch may not fully remediate the issue, with FortiOS 7.4.10 in development.
Indicators of Compromise:
- SSO login from cloud-init@mail.io
- Source IP: 104.28.244.114
- Admin accounts created: secadmin, itadmin, support, backup, remoteadmin, audit
- Configuration exports via GUI interface
Immediate Actions:
- Disable FortiCloud SSO: config system global → set admin-forticloud-sso-login disable
- Audit admin accounts for unauthorized entries
- Reset credentials if config files were exported
Source: Help Net Security, BleepingComputer
Story 4: GNU telnetd Root Bypass (CVE-2026-24061), Exploited Within 24 Hours
A critical authentication bypass (CVE-2026-24061, CVSS 9.8) in GNU InetUtils telnetd was disclosed January 20, 2026. The flaw allows unauthenticated root access by setting the USER environment variable to -f root during telnet negotiation.
Exploitation confirmed: GreyNoise observed 18 unique attacker IPs across 60 telnet sessions between January 21-22; 83% targeted the root user. Activity appears largely automated with some manual follow-up.
Affected Versions: GNU InetUtils 1.9.3 through 2.7 (Debian, Ubuntu, Kali Linux, embedded systems)
Remediation: Disable telnetd immediately; migrate to SSH. Block TCP port 23 at firewall.
Source: BleepingComputer, Canadian Cyber Centre
DISCLOSED THIS WEEK (Older Incidents)
Story 5: Sandworm Attributed to December Poland Power Grid Attack (Medium Confidence)
Attribution caveat: ESET attributed this attack with “medium confidence” based on TTP overlap and timing, not definitive.
On January 23-24, 2026, ESET disclosed analysis of a December 29-30, 2025 cyberattack on Poland’s energy infrastructure. Attackers deployed novel wiper malware dubbed DynoWiper targeting heat-and-power plants and renewable energy systems. The attack was unsuccessful.
The timing coincided with the 10th anniversary of Sandworm’s 2015 BlackEnergy attack on Ukraine. Polish officials stated it could have affected 500,000 people if successful.
DynoWiper Detection: SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 | ESET: Win32/KillFiles.NMO
Source: ESET WeLiveSecurity, BleepingComputer
Story 6: Osiris Ransomware Disclosed, November 2025 Incident
Note: Attack occurred November 2025; Symantec published analysis January 22, 2026.
Symantec disclosed a new ransomware strain called Osiris that targeted a food service operator in Southeast Asia. The attack used POORTRY kernel driver in a BYOVD attack to disable EDR. Tactical overlaps with Inc ransomware were noted (RustDesk persistence, Wasabi exfiltration).
Actionable IOC: Monitor for unsigned drivers masquerading as security software; flag RustDesk in environments where not sanctioned.
Source: Security.com
THREAT ACTOR ACTIVITY
Story 7: ShinyHunters Claims Okta Vishing Breaches (Unverified)
Verification status: ShinyHunters claims responsibility; data volumes and victim list not independently confirmed.
On January 23, 2026, ShinyHunters claimed breaches of Crunchbase, Betterment, and SoundCloud via voice-phishing attacks targeting Okta SSO credentials. Alleged data volumes: 2M, 20M, and 30M records respectively. SoundCloud confirmed a December breach affecting ~20% of users; other victims have not confirmed.
Okta published a report describing custom phishing kits that enable real-time browser manipulation during calls; these kits are sold as a service.
Detection guidance:
- Monitor for unexpected SSO app authorizations
- Flag help desk calls requesting MFA resets, especially from VoIP sources
- Review Okta system logs for admin-initiated credential changes
Source: BleepingComputer, Okta Threat Intelligence
INDUSTRY EVENTS (Not Threat Intelligence)
Pwn2Own Automotive 2026 (Jan 21-23, Tokyo): Researchers earned $1,047,000 for 76 zero-day vulnerabilities in Tesla infotainment, EV chargers, and automotive systems. Vendors have 90 days to patch. No IOCs or active threats; this is coordinated disclosure research. Source: ZDI Results
4. CISA KEV & Critical CVE Table (January 19-26, 2026)
| CVE | Product | CVSS | Status | CISA Deadline | Description |
|---|---|---|---|---|---|
| CVE-2026-20045 | Cisco UC Products | 8.2 | Actively Exploited | Feb 11, 2026 | Code injection enabling root access |
| CVE-2024-37079 | VMware vCenter | 9.8 | Actively Exploited | Feb 13, 2026 | Heap overflow RCE via DCE/RPC |
| CVE-2026-24061 | GNU InetUtils telnetd | 9.8 | Actively Exploited | N/A | Auth bypass via USER env injection |
| CVE-2025-34026 | Versa Concerto | 9.2 | Actively Exploited | Feb 12, 2026 | Auth bypass to admin endpoints |
| CVE-2025-68645 | Zimbra ZCS | 8.8 | Actively Exploited | Feb 12, 2026 | PHP remote file inclusion |
| CVE-2025-31125 | Vite.js | 7.5 | Actively Exploited | Feb 12, 2026 | Improper access control |
| CVE-2025-54313 | eslint-config-prettier | 7.5 | Supply Chain | Feb 12, 2026 | Embedded malicious code |
| CVE-2025-59718 | FortiOS | 9.8 | Actively Exploited | N/A | SSO auth bypass (patch bypass reported) |
5. Indicators of Compromise (Actionable Only)
FortiGate SSO Attack Campaign
Source IP: 104.28.244.114 (also DigitalOcean, Kaopu Cloud HK, Cloudflare ranges)
Email/User: cloud-init@mail.io
Rogue Admin Accounts: secadmin, itadmin, support, backup, remoteadmin, audit
Detection: GUI config export within seconds of SSO login
BRICKSTORM Malware
File Paths: /etc/sysconfig/, /etc/sysconfig/network/
C2: DNS-over-HTTPS (monitor outbound 443 to 8.8.8.8, 1.1.1.1)
Detection Rules: CISA YARA/SIGMA - MAR AR25-338A (updated Jan 20, 2026)
Note: No new BRICKSTORM activity this week; rules refreshed only.
DynoWiper (Sandworm)
SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
ESET Detection: Win32/KillFiles.NMO
Osiris Ransomware
Detection Indicators:
- Unsigned drivers masquerading as Malwarebytes anti-exploit (POORTRY)
- Unsanctioned RustDesk installations
- Outbound connections to Wasabi storage
File Extension: .Osiris
ShinyHunters Vishing
Detection Focus:
- Okta system logs: unexpected connected app authorizations
- Help desk tickets following VoIP calls requesting MFA changes
- Admin-initiated password resets without user request
6. Helpful 5: This Week’s Specific Mitigations
1. Disable telnetd (CVE-2026-24061)
Why this week: Exploited within 24 hours of disclosure; root bypass with no authentication.
How:
systemctl stop telnet.socket && systemctl disable telnet.socket
# Or remove package entirely:
apt remove inetutils-telnetd # Debian/Ubuntu
Verify: ss -tlnp | grep :23 should return nothing.
2. Disable FortiCloud SSO (CVE-2025-59718 bypass)
Why this week: Attackers compromising “patched” FortiGate devices via SSO; 11,000 exposed.
How:
config system global
set admin-forticloud-sso-login disable
end
Verify: Check for rogue admins: get system admin
3. Hunt for FortiGate IOCs
Why this week: If you have FortiGate with FortiCloud SSO enabled since December 2025, assume breach.
How: Search for accounts: secadmin, itadmin, support, backup, remoteadmin, audit. Check logs for cloud-init@mail.io and IP 104.28.244.114.
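An added hunt script, not from the briefing or from Fortinet, that applies the Story 3 IOCs and this step to exported FortiGate event logs: it flags the known user and source IP, creation of any of the six rogue admin names, and a config export within a window after an SSO login from the same source IP. The key=value field names, the sample lines and the 30-second window are constructed assumptions, not the exact FortiOS log schema.

```python
"""Hunt exported FortiGate event logs for the SSO-bypass IOCs in this briefing."""
import re
from datetime import datetime, timedelta

# IOCs as listed in the briefing.
IOC_IP = "104.28.244.114"
IOC_USER = "cloud-init@mail.io"
ROGUE_ADMINS = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}
EXPORT_WINDOW = timedelta(seconds=30)  # assumed threshold for "within seconds"

# Constructed sample in a FortiOS-style key=value layout; field names are assumed.
SAMPLE_LOG = """\
date=2026-01-20 time=03:12:44 type="event" user="cloud-init@mail.io" ui="sso" srcip=104.28.244.114 action="login" status="success" msg="Administrator logged in"
date=2026-01-20 time=03:12:51 type="event" user="cloud-init@mail.io" ui="sso" srcip=104.28.244.114 action="Add" cfgpath="system.admin" cfgobj="secadmin" msg="Add system.admin secadmin"
date=2026-01-20 time=03:12:55 type="event" user="cloud-init@mail.io" ui="GUI" srcip=104.28.244.114 action="download" msg="Configuration backup downloaded"
date=2026-01-20 time=09:30:02 type="event" user="admin" ui="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator logged in"
date=2026-01-20 time=17:45:10 type="event" user="admin" ui="https" srcip=10.0.0.5 action="download" msg="Configuration backup downloaded"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    rec = {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def hunt(log_text):
    """Return (timestamp, finding) pairs for IOC hits, rogue admins and fast config exports."""
    findings, sso_logins = [], []  # sso_logins: (ts, srcip) of successful SSO logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        ts, user, ip = rec["ts"], rec.get("user", ""), rec.get("srcip", "")
        action = rec.get("action", "")
        if user == IOC_USER or ip == IOC_IP:
            findings.append((ts, f"known IOC: user={user} srcip={ip}"))
        if action == "login" and rec.get("ui") == "sso" and rec.get("status") == "success":
            sso_logins.append((ts, ip))
        if action == "Add" and rec.get("cfgpath") == "system.admin" and rec.get("cfgobj") in ROGUE_ADMINS:
            findings.append((ts, f"rogue admin created: {rec['cfgobj']}"))
        if action == "download":  # config export: suspicious when it follows an SSO login quickly
            for lts, lip in sso_logins:
                if lip == ip and timedelta(0) <= ts - lts <= EXPORT_WINDOW:
                    secs = int((ts - lts).total_seconds())
                    findings.append((ts, f"config export {secs}s after SSO login from {ip}"))
                    break
    return findings
```

Feed the real export to hunt() and treat any rogue-admin or fast-export finding as a reason to reset credentials per the actions above.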
4. Audit Okta Connected Apps
Why this week: ShinyHunters vishing campaign targets SSO; breaches confirmed.
How: Okta Admin Console → Applications → Review connected apps added in last 30 days. Flag any you don’t recognize.
5. Check npm for Compromised eslint-config-prettier
Why this week: Versions 8.10.1, 9.1.1, 10.1.6, 10.1.7 contain malicious code.
How:
npm ls eslint-config-prettier
# If affected version found:
npm update eslint-config-prettier
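An added lockfile audit, not from the briefing, npm or the eslint-config-prettier project, that complements the npm ls check above: it scans a package-lock.json for the four versions named in this item, including copies pinned under transitive dependencies, and handles both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 layout. The sample lockfile and the dependency names in it are constructed.

```python
"""Audit a package-lock.json for the eslint-config-prettier versions flagged in this briefing."""
import json

PACKAGE = "eslint-config-prettier"
COMPROMISED = {"8.10.1", "9.1.1", "10.1.6", "10.1.7"}  # versions named in the briefing

# Constructed lockfile (lockfileVersion 3 layout): the top-level copy is clean, but a
# second copy pinned by a transitive dependency is one of the compromised versions.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {PACKAGE: "^10.1.8", "some-shared-config": "^1.0.0"}},
        f"node_modules/{PACKAGE}": {"version": "10.1.8", "dev": True},
        "node_modules/some-shared-config": {"version": "1.0.0",
                                            "dependencies": {PACKAGE: "9.1.1"}},
        f"node_modules/some-shared-config/node_modules/{PACKAGE}": {"version": "9.1.1"},
    },
})

def _walk_v1(deps, prefix, hits):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == PACKAGE and meta.get("version") in COMPROMISED:
            hits.append((path, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)

def find_compromised(lock_text):
    """Return sorted (install_path, version) pairs for every compromised copy,
    including copies nested under other dependencies that a top-level look can miss."""
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == PACKAGE and meta.get("version") in COMPROMISED:
                hits.append((path, meta["version"]))
    else:  # lockfileVersion 1: nested dependency tree
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)
```

Run it against the committed package-lock.json in CI so a compromised pin cannot land unnoticed.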
7. Framework Alignment (Selective)
Only mappings with direct, actionable relevance are included:
| Threat | Control | Why It Applies |
|---|---|---|
| CVE-2026-24061 (telnetd) | CIS 4.8 – Uninstall unnecessary services | Telnet should not exist on modern systems |
| FortiGate SSO Bypass | CIS 4.1 – Secure admin access | SSO misconfiguration enabled account creation |
| ShinyHunters Vishing | NIST PR.AT-1 – Security awareness | Social engineering bypassed technical controls |
| BRICKSTORM | CIS 9.2 – DNS filtering | DoH evasion requires protocol-aware monitoring |
| Supply Chain (npm) | CIS 16.4 – Software integrity | Compromised package injected in build pipeline |
8. Upcoming Security Events
| Date | Event | Action Required |
|---|---|---|
| Feb 11, 2026 | CVE-2026-20045 (Cisco UC) CISA KEV Deadline | Apply patches |
| Feb 11, 2026 | February Patch Tuesday | Plan testing cycle |
| Feb 12, 2026 | CVE-2025-34026, CVE-2025-68645, CVE-2025-31125, CVE-2025-54313 Deadlines | Remediate all |
| Feb 13, 2026 | CVE-2024-37079 (VMware vCenter) CISA KEV Deadline | Complete upgrades |
9. Sources
CISA Advisories:
- CISA KEV Catalog
- CISA Alert: Cisco CVE-2026-20045
- CISA Alert: VMware CVE-2024-37079
- CISA Alert: Four KEV Additions
- BRICKSTORM MAR
Vendor & Government Advisories:
- Cisco Security Advisory
- Broadcom VMware Advisory
- Canadian Cyber Centre – CVE-2026-24061
- GNU InetUtils Advisory
Security Research:
- Arctic Wolf – FortiGate SSO Attacks
- ESET – Sandworm DynoWiper
- Security.com – Osiris Ransomware
- Zero Day Initiative – Pwn2Own Automotive
- Okta Threat Intelligence – Vishing Kits
- BleepingComputer
- Help Net Security
- The Hacker News
Document Version: 1.0
Last Updated: January 26, 2026, 14:00 EST
Next Briefing: February 2, 2026