Fortinet Patches Actively Exploited FortiCloud SSO Zero-Day (CVE-2026-24858)
Fortinet has begun releasing security updates to address CVE-2026-24858, a critical zero-day vulnerability that allowed attackers to bypass FortiCloud single sign-on (SSO) authentication and gain administrative access to FortiGate firewalls. The flaw, rated CVSS 9.4, was actively exploited in the wild by two malicious FortiCloud accounts before being blocked on January 22, 2026. Attackers created unauthorized admin accounts and modified VPN configurations on fully patched devices, indicating this was a new vulnerability separate from previously patched CVE-2025-59718. Fortinet temporarily disabled FortiCloud SSO on January 26 and restored it the next day only for devices running patched versions. CISA has added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog with a remediation deadline of January 30, 2026.
Google Warns WinRAR Vulnerability Still Being Exploited by State-Sponsored Hackers
Google’s Threat Intelligence Group has identified widespread active exploitation of CVE-2025-8088, a critical path traversal vulnerability in WinRAR, by both nation-state actors and financially motivated cybercriminals. Despite being patched in July 2025, Russian APT groups including Sandworm, Turla, and TEMP.Armageddon continue targeting Ukrainian government and military entities, while a Chinese-nexus actor is deploying PoisonIvy malware through the exploit. The attack chain involves malicious RAR archives that use Windows Alternate Data Streams (ADS) to drop payloads into the Startup folder for persistence. Google linked the exploit to “zeroplayer,” an underground seller who advertised a WinRAR zero-day for $80,000 in June 2025 and continues to offer other high-value exploits including a Microsoft Office sandbox escape RCE for $300,000.
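The item above notes that the malicious archives abuse Alternate Data Streams to land payloads in the Startup folder for persistence. A defender's first triage question on a suspect Windows host is therefore what currently sits in the Startup folders, how recently it arrived, and whether any entry carries extra NTFS streams. The following PowerShell audit is an added example, not code from the article or from Google's report; it assumes a Windows host with PowerShell 5.1 or later, and the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original article): audit the per-user and
# all-users Startup folders for recently written entries and for files that
# carry alternate data streams beyond the default ':$DATA' stream.
# Assumption: Windows with PowerShell 5.1+; the 7-day window is arbitrary.

$startupPaths = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$since = (Get-Date).AddDays(-7)

$results = foreach ($dir in $startupPaths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # -Force includes hidden entries, which is where droppers tend to hide.
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        # Enumerate every NTFS stream on the file and keep only the non-default ones.
        $extra = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object -ExpandProperty Stream

        [PSCustomObject]@{
            Path         = $_.FullName
            Created      = $_.CreationTime
            Modified     = $_.LastWriteTime
            Recent       = ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since)
            ExtraStreams = ($extra -join ', ')
        }
    }
}

# Most recently modified entries first; anything Recent or with ExtraStreams
# deserves a closer look (hash the file, check its signature, review who wrote it).
$results | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the all-users folder is readable. A `Zone.Identifier` stream on its own is the normal mark-of-the-web left by a browser download and is not by itself suspicious; what warrants investigation is a recently created executable or script in a Startup folder that the user did not place there, especially one with unexpected streams or no publisher signature.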
Chinese Mustang Panda APT Deploys Updated COOLCLIENT Backdoor Against Government Targets
The Chinese state-sponsored hacking group Mustang Panda has updated its COOLCLIENT backdoor with new infostealing capabilities, including the ability to harvest login credentials from Chromium-based browsers and monitor clipboard activity. According to Kaspersky researchers, the updated malware has been deployed against government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan via DLL side-loading through legitimate Sangfor cybersecurity software. New features include HTTP proxy credential sniffing through raw packet inspection, active window title tracking, and an expanded plugin ecosystem with dedicated remote shell, service management, and file management capabilities. COOLCLIENT has been part of Mustang Panda’s arsenal since 2022, typically used alongside PlugX and ToneShell backdoors in cyber espionage campaigns targeting government organizations across Southeast and East Asia.
SolarWinds Patches Six Critical Web Help Desk Vulnerabilities
SolarWinds has released security updates addressing six vulnerabilities in its Web Help Desk IT ticketing and asset management solution, including four rated critical that allow unauthenticated remote code execution or authentication bypass. CVE-2025-40551 and CVE-2025-40553 are deserialization flaws enabling RCE, while CVE-2025-40552 and CVE-2025-40554 are authentication bypass vulnerabilities discovered by watchTowr’s Piotr Bazydlo. Additionally, Horizon3.ai’s Jimi Sebree found CVE-2025-40536 (access control bypass) and CVE-2025-40537 (hardcoded credentials). The vulnerabilities affect all versions through 12.8.8 Hotfix 1 and have been fixed in version 2026.1. While no active exploitation has been detected yet, Web Help Desk has twice appeared on CISA’s Known Exploited Vulnerabilities catalog, making urgent patching essential.
Two n8n Workflow Automation Vulnerabilities Allow Authenticated Remote Code Execution
Cybersecurity researchers have disclosed two critical vulnerabilities in n8n, the popular open-source workflow automation platform with over 100 million Docker pulls. CVE-2025-68668 (CVSS 9.9), dubbed “N8scape,” is a sandbox bypass flaw in the Python Code Node that allows authenticated users with workflow permissions to execute arbitrary system commands on the host running n8n. The vulnerability stems from an incomplete blocklist approach in the Pyodide sandbox that fails to prevent access to dangerous Python capabilities. Additionally, CVE-2026-21877 (CVSS 10.0) enables authenticated attackers to execute untrusted code through unrestricted file uploads. Both vulnerabilities could lead to full system compromise, and organizations using n8n are urged to upgrade to version 2.0.0 or later, which implements a more secure task runner-based Python sandbox.