Svoboda Cybersecurity Brief January 28, 2026
FortiCloud SSO Zero-Day Exploited for Administrative Access
Fortinet confirmed CVE-2026-24858, a critical authentication bypass flaw in FortiCloud SSO, allowing attackers to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices. Exploits observed in the wild created rogue admin accounts and exfiltrated configurations.
Impact: Full device compromise via SAML SSO bypass.
Mitigation: Disable FortiCloud SSO (admin-forticloud-sso-login disable) or apply server-side restrictions until patches are released.
Source: BleepingComputer
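The FortiCloud SSO mitigation above, as an added example that is not from the brief or from Fortinet: a Python audit over a FortiOS config export that flags the SSO login setting when it is not disabled and lists administrator accounts missing from an allowlist (the rogue admin accounts the exploits created would surface there). The sample config, the allowlist and the placement of admin-forticloud-sso-login under "config system global" are assumptions constructed for this example.

```python
# Constructed sample FortiOS config export (not from a real device); the key
# placement and 'config system admin' layout follow FortiOS CLI syntax as assumed.
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc_update"
        set accprofile "super_admin"
    next
end
"""

KNOWN_ADMINS = {"admin"}  # admins the org knows it created (constructed allowlist)


def parse_fortios_config(text):
    """Return {section: {entry: {key: value}}}; section-level settings use entry ''."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            section, entry = s[7:], ""
            sections.setdefault(section, {})
        elif s.startswith("edit ") and section:
            entry = s[5:].strip('"')
        elif s.startswith("set ") and section:
            key, _, value = s[4:].partition(" ")
            sections[section].setdefault(entry, {})[key] = value.strip('"')
        elif s == "next":
            entry = ""
        elif s == "end":
            section, entry = None, ""
    return sections


def audit(text, known_admins=KNOWN_ADMINS):
    """List findings: SSO login not disabled, and admin accounts missing from the allowlist."""
    cfg = parse_fortios_config(text)
    findings = []
    sso = cfg.get("system global", {}).get("", {}).get("admin-forticloud-sso-login")
    if sso != "disable":
        findings.append("admin-forticloud-sso-login is not disabled (value: %s)" % sso)
    for name, attrs in cfg.get("system admin", {}).items():
        if name and name not in known_admins:
            findings.append("unexpected admin account %r (accprofile %s)"
                            % (name, attrs.get("accprofile", "?")))
    return findings
```

Run audit() against a backup taken from "execute backup config" and compare the admin list with the accounts your change records show; a super_admin entry nobody can account for is the indicator to chase.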
WinRAR Path Traversal Flaw Actively Exploited by Multiple Threat Actors
CVE-2025-8088, a WinRAR vulnerability, is being exploited by state-sponsored and criminal groups to deploy malware via malicious archives. Attackers use Alternate Data Streams (ADS) to hide payloads in decoy files (e.g., PDFs) and execute them via LNK/HTA files in Startup folders.
Impact: Initial access leading to malware like NESTPACKER, AsyncRAT, and banking trojans.
Mitigation: Update WinRAR or block archive execution from untrusted sources.
Source: BleepingComputer
Mustang Panda Deploys Upgraded CoolClient Backdoor with Infostealers
The Chinese APT group Mustang Panda updated its CoolClient backdoor to steal browser credentials and clipboard data and to deploy a rootkit. Targets include government entities in Myanmar, Mongolia, and Russia; the malware is loaded through DLL side-loading via legitimate software such as Sangfor.
Impact: Data theft (Chrome/Edge credentials) and persistent access via VBScript/UAC bypass.
Mitigation: Monitor for unusual scheduled tasks/registry changes and block malicious IPs (e.g., 47.238.184[.]9).
Source: BleepingComputer
SmarterMail Servers Vulnerable to RCE via Authentication Bypass
Over 6,000 SmarterMail servers are exposed to CVE-2026-23760, which allows unauthenticated attackers to reset admin passwords and gain RCE. Exploits have been observed in automated attacks since January 21.
Impact: Full server compromise via admin account takeover.
Mitigation: Update to build 9511+ or set GRIST_SANDBOX_FLAVOR=gvisor.
Source: BleepingComputer
ShinyHunters Targets 100+ Organizations in SSO Phishing Campaign
ShinyHunters launched vishing attacks against SSO accounts (Okta, Microsoft) at companies like Atlassian, Moderna, and ZoomInfo. Phishing kits intercept MFA tokens via real-time browser manipulation.
Impact: Credential theft and potential SaaS environment breaches.
Mitigation: Enforce phishing-resistant MFA (FIDO2/passkeys) and monitor for anomalous API activity.
Source: SecurityWeek
GNU Telnetd Authentication Bypass Exploited in Wild (CVE-2026-24061)
CISA added CVE-2026-24061 to its KEV catalog after attackers exploited the GNU telnetd flaw to gain root access via crafted USER environment variables. Over 200,000 Telnet-exposed systems are potentially vulnerable.
Impact: Remote root access via Telnet protocol manipulation.
Mitigation: Disable telnetd or upgrade GNU Inetutils beyond v2.7.
Source: SecurityWeek
Microsoft Office Zero-Day (CVE-2026-21509) Patched After Active Exploitation
Microsoft patched a security feature bypass in Office that allowed attackers to evade OLE protections via malicious documents. Exploits are likely limited to targeted attacks.
Impact: Local privilege escalation via COM/OLE control bypass.
Mitigation: Apply patches (e.g., Office 2019 v16.0.10417.20095) or registry edits to restrict COM compatibility.
Source: TheHackerNews
Chrome/Edge Extensions Steal ChatGPT Sessions via MAIN-World Scripts
16 malicious extensions (900+ downloads) injected scripts into chatgpt.com to exfiltrate session tokens and user data. Extensions abused MAIN-world execution to evade detection.
Impact: Unauthorized access to ChatGPT history and third-party services.
Mitigation: Remove suspicious extensions and audit token usage.
Source: SecurityWeek
SoundCloud Breach Exposes 29.8M Accounts via ShinyHunters
ShinyHunters leaked emails, usernames, and profile stats from SoundCloud after a December 2025 breach. Data used in extortion attempts via email flooding.
Source: BleepingComputer
US Charges 31 in ATM Jackpotting Scheme Using Ploutus Malware
Tren de Aragua gang members were charged with deploying Ploutus malware to force ATMs to dispense cash. The attacks involved physical access to the machines and hard drive replacement.
Source: BleepingComputer