Today’s roundup

- Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858)
- Nation-state and criminal actors leverage WinRAR flaw in attacks
- OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution
- eScan confirms update server breached to push malicious update
- SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass
- Russian ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid
- FBI seizes RAMP cybercrime forum used by ransomware gangs
- Google Disrupts IPIDEA — One of the World’s Largest Residential Proxy Networks
- New sandbox escape flaw exposes n8n instances to RCE attacks
- Initial access hackers switch to Tsundere Bot for ransomware attacks
Summary
Fortinet patched CVE-2026-24858 (CVSS 9.4), a critical, actively exploited authentication bypass in FortiOS, FortiManager, and FortiAnalyzer reachable through FortiCloud SSO. CISA added it to its KEV catalog, requiring federal agencies to patch by January 30, 2026. Observed exploitation involved automated firewall configuration changes and theft of device configs.
The critical WinRAR vulnerability CVE-2025-8088, patched in July 2025, is actively exploited by Russian and Chinese nation-state groups and cybercriminals for initial access and malware delivery. Google Threat Intelligence Group highlights how exploits on underground markets accelerate adoption across diverse campaigns.
OpenSSL released security updates for 12 vulnerabilities, including high-severity Remote Code Execution (RCE) flaws such as CVE-2025-15467 (stack overflow in CMS/PKCS#7 AEAD parsing) and CVE-2025-11187 (PKCS#12 PBMAC1 validation flaw), both capable of DoS or RCE. These were discovered by Aisle.
MicroWorld Technologies confirmed its eScan antivirus update server was breached, used by attackers to distribute a malicious, unauthorized update. This signifies a critical supply chain attack on security software.
SolarWinds issued updates for four critical RCE and authentication bypass flaws in its Web Help Desk software, including CVE-2025-40536 (CVSS 8.1). These enable unauthenticated attackers to compromise instances, access data, and execute arbitrary code.
The December 2025 cyberattack on Poland's distributed energy resource (DER) sites is attributed with medium confidence to ELECTRUM, a Russian state-sponsored hacking group. A Dragos brief describes it as the first major cyberattack targeting DER.
The FBI seized the RAMP cybercrime forum, a notorious online platform used by ransomware gangs to advertise malware and hacking services. This action significantly disrupts a key part of the cybercriminal ecosystem.
Google and partners disrupted IPIDEA, one of the world’s largest residential proxy networks, via legal action to dismantle control domains. This impacts a service frequently used by cybercriminals, rendering IPIDEA's website inaccessible.
Two critical sandbox escape vulnerabilities in the n8n workflow automation platform enable remote code execution (RCE). These flaws could lead to full compromise of affected instances and sensitive data access on the host.
Initial access broker TA584 is employing the Tsundere Bot alongside the XWorm remote access trojan to gain network access, facilitating early stages of ransomware attacks.
Want to dig deeper?
Cyber Groups

| Group | Aliases |
|---|---|
| Sandworm Team | ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44 |