Threat Advisories

A critical remote authentication bypass vulnerability (CVE-2026-24061, CVSS 9.8) has been discovered in the GNU InetUtils telnetd service, affecting all versions from 1.9.3 through 2.7. The flaw allows unauthenticated attackers to instantly obtain root access on affected systems by leveraging improper handling of the USER environment variable. The issue remained undetected for nearly 11 years and is now being actively probed by malicious actors. 

CrashFix is an active and highly deceptive browser-based malware campaign that abuses a malicious Google Chrome extension to deliberately crash users’ browsers and socially engineer them into executing attacker-supplied commands. The campaign ultimately delivers a previously undocumented Windows remote access trojan known as ModeloRAT. The activity has been attributed to a traffic distribution and access-brokering operation tracked as KongTuke, also known by aliases such as TAG-124 and 404 TDS. Publicly documented in January 2026 by Huntress, this campaign represents an evolution of ClickFix-style attacks, weaponizing user frustration and trust in legitimate platforms to gain execution on corporate systems.

VoidLink is a newly disclosed, highly advanced, cloud-native Linux malware framework designed for stealthy, long-term access to modern cloud and containerized environments. First identified in December 2025 and publicly documented in January 2026 by Check Point Research, VoidLink represents a significant evolution in Linux-focused post-exploitation tooling. Its modular design, deep cloud awareness, and adaptive stealth mechanisms suggest use in cyber espionage and potentially supply chain compromise, with attribution pointing toward China-affiliated threat actors. 

Veeam has disclosed multiple security flaws in its Backup & Replication (VBR) software that expose backup infrastructure to remote code execution (RCE) attacks. The critical vulnerability CVE202559470 and two additional issues were patched on January 6, 2026. 

The chained zero-day exploit against SonicWall SMA1000 appliances (CVE-2025-40602 & CVE-2025-23006) enables unauthenticated RCE as root via exposed management consoles.  

This is a high severity, actively exploited zero-day targeting Cisco AsyncOS appliances exposed to the internet. Immediate access restrictions, segmentation, threat monitoring, and preparation for incident response and patch deployment are critical defenses until an official fix is released. 

Following the critical “React2Shell” disclosure earlier this month, three additional vulnerabilities were identified in React Server Components (RSC). These new flaws, carry high severity and widespread impact, requiring immediate developer action. As these new flaws allow an attacker to cause Denial of Service (DoS) or leak server-side source code. 

Ivanti has released urgent patches for a critical code execution vulnerability in its Endpoint Manager (EPM) platform, tracked as CVE‑2025‑10573 (CVSS 9.6). The flaw allows unauthenticated, remote attackers to perform low-complexity cross-site scripting (XSS) attacks that require minimal user interaction, potentially compromising administrative sessions and leading to code execution. 

Fortinet has disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO feature—affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. An attacker could gain unfettered administrative access using crafted SAML assertions when FortiCloud SSO is enabled. 

Two critical vulnerabilities have been disclosed in React Server Components (RSC) and Next.js App Router, enabling unauthenticated remote code execution (RCE). These flaws stem from unsafe deserialization of RSC payloads, allowing attackers to execute arbitrary JavaScript code on the server.