Threat Advisories

Ivanti has disclosed and patched two critical security vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) that have been actively exploited in zero-day attacks. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated remote code execution and carry CVSS scores of 9.8, placing them among the most severe vulnerability classes. One of the vulnerabilities has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, significantly increasing the urgency for remediation, particularly across U.S. federal environments. 

Microsoft has issued an out of band emergency patch addressing an actively exploited Microsoft Office zero day vulnerability, tracked as CVE202621509. The flaw is a security feature bypass that allows attackers to circumvent core COM/OLE-based mitigations in Microsoft 365 and Microsoft Office. 

Over the past few weeks and mentioned in our earlier advisory-

A critical remote authentication bypass vulnerability (CVE-2026-24061, CVSS 9.8) has been discovered in the GNU InetUtils telnetd service, affecting all versions from 1.9.3 through 2.7. The flaw allows unauthenticated attackers to instantly obtain root access on affected systems by leveraging improper handling of the USER environment variable. The issue remained undetected for nearly 11 years and is now being actively probed by malicious actors. 

CrashFix is an active and highly deceptive browser-based malware campaign that abuses a malicious Google Chrome extension to deliberately crash users’ browsers and socially engineer them into executing attacker-supplied commands. The campaign ultimately delivers a previously undocumented Windows remote access trojan known as ModeloRAT. The activity has been attributed to a traffic distribution and access-brokering operation tracked as KongTuke, also known by aliases such as TAG-124 and 404 TDS. Publicly documented in January 2026 by Huntress, this campaign represents an evolution of ClickFix-style attacks, weaponizing user frustration and trust in legitimate platforms to gain execution on corporate systems.

VoidLink is a newly disclosed, highly advanced, cloud-native Linux malware framework designed for stealthy, long-term access to modern cloud and containerized environments. First identified in December 2025 and publicly documented in January 2026 by Check Point Research, VoidLink represents a significant evolution in Linux-focused post-exploitation tooling. Its modular design, deep cloud awareness, and adaptive stealth mechanisms suggest use in cyber espionage and potentially supply chain compromise, with attribution pointing toward China-affiliated threat actors. 

Veeam has disclosed multiple security flaws in its Backup & Replication (VBR) software that expose backup infrastructure to remote code execution (RCE) attacks. The critical vulnerability CVE202559470 and two additional issues were patched on January 6, 2026. 

The chained zero-day exploit against SonicWall SMA1000 appliances (CVE-2025-40602 & CVE-2025-23006) enables unauthenticated RCE as root via exposed management consoles.  

This is a high severity, actively exploited zero-day targeting Cisco AsyncOS appliances exposed to the internet. Immediate access restrictions, segmentation, threat monitoring, and preparation for incident response and patch deployment are critical defenses until an official fix is released. 

Following the critical “React2Shell” disclosure earlier this month, three additional vulnerabilities were identified in React Server Components (RSC). These new flaws, carry high severity and widespread impact, requiring immediate developer action. As these new flaws allow an attacker to cause Denial of Service (DoS) or leak server-side source code.