Human Factor Blog

how human behavior affects security

Programmer’s Digest #169

01/21/2026-01/28/2026 CISA Adds Four Critical Vulnerabilities, Critical VMware RCE Flaw, Fortinet Patches CVE-2026-24858 And More

1. CISA Adds Four Critical Vulnerabilities to KEV Catalog Following Active Exploitation

CISA added four critical vulnerabilities to its KEV catalog on January 22, 2026, confirming active exploitation in the wild. The flaws affect development tools, SD-WAN infrastructure, email platforms, and package managers, highlighting a broad and urgent threat landscape. All four vulnerabilities carry a February 12, 2026, remediation deadline under Binding Operational Directive (BOD) 22-01 for federal systems and critical infrastructure operators. One vulnerability involves embedded malicious code in Prettier’s eslint-config-prettier package (CVE-2025-54313), enabling a supply-chain attack during installation. Vite’s dev server (CVE-2025-31125) allows unauthorized file access when exposed to networks. Versa Concerto’s SD-WAN platform (CVE-2025-34026) contains an authentication bypass that exposes administrative functions. Synacor Zimbra (CVE-2025-68645) is vulnerable to PHP remote file inclusion, a common initial access vector. Organizations should immediately inventory affected systems, prioritize network-exposed assets, and apply vendor patches or mitigations to reduce risk.

2. CISA Says Critical VMware RCE Flaw Now Actively Exploited

CISA has flagged a critical VMware vCenter Server vulnerability as actively exploited, ordering federal agencies to secure affected systems within three weeks. The flaw, CVE-2024-37079, was patched in June 2024 and stems from a heap overflow in vCenter Server’s DCERPC protocol implementation.

Attackers with network access can exploit the vulnerability using specially crafted packets to achieve remote code execution without authentication or user interaction, making it a low-complexity but high-impact threat. There are no workarounds or mitigations, and Broadcom has urged customers to immediately apply the latest vCenter Server and Cloud Foundation patches. CISA added the vulnerability to its KEV catalog, setting a February 13 remediation deadline under Binding Operational Directive 22-01 for Federal Civilian Executive Branch agencies. Broadcom separately confirmed in-the-wild exploitation.

CISA warned that such flaws are frequently abused and advised agencies to follow vendor guidance, apply required mitigations, or discontinue use if protections are unavailable.

3. Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected

Fortinet has begun releasing security updates to address a critical FortiOS authentication bypass vulnerability that is being actively exploited in the wild. Tracked as CVE-2026-24858 (CVSS 9.4), the flaw affects FortiOS, FortiManager, and FortiAnalyzer and is tied to FortiCloud single sign-on (SSO). The vulnerability allows an attacker with a FortiCloud account and registered device to gain administrative access to other customers’ devices when FortiCloud SSO is enabled, bypassing authentication through an alternate access path. While FortiCloud SSO is disabled by default, it may be enabled when devices are registered through the GUI. Fortinet confirmed threat actors abused a new attack path to create local admin accounts, modify VPN access, and exfiltrate firewall configurations. In response, Fortinet disabled and re-enabled FortiCloud SSO with added protections and locked malicious accounts. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate by January 30, 2026.

4. Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

A critical remote code execution flaw has been disclosed in Grist-Core, the open-source, self-hosted version of the Grist spreadsheet-database platform. Tracked as CVE-2026-24002 (CVSS 9.1) and codenamed Cellbreak, the vulnerability allows a single malicious formula to escape Grist’s Python sandbox and execute commands on the host system. The issue stems from Grist’s use of Pyodide to run untrusted Python formulas in a WebAssembly sandbox. Researchers found that a blocklist-based design allows traversal of Python internals and access to runtime functions, enabling OS command execution and host-level JavaScript execution. Successful exploitation could expose files, database credentials, API keys, and enable lateral movement.

The flaw was fixed in Grist version 1.7.9, released January 9, 2026. Instances using the “gvisor” sandbox are not affected, while those running Pyodide must upgrade immediately. As a temporary mitigation, operators can switch the GRIST_SANDBOX_FLAVOR setting to “gvisor” and avoid disabling Deno-based protections when handling untrusted formulas.

5. Malicious AI Extensions On VSCode Marketplace Steal Developer Data

Two malicious extensions in Microsoft’s Visual Studio Code Marketplace, installed a combined 1.5 million times, were found exfiltrating developer data to servers in China. Marketed as AI-powered coding assistants, the extensions provide expected functionality but fail to disclose extensive data collection or obtain user consent. Researchers at Koi Security identified the campaign, dubbed MaliciousCorgi, noting both extensions share the same data-stealing code and backend infrastructure. The affected extensions—ChatGPT – 中文版 (1.34 million installs) and ChatMoss (CodeMoss) (150,000 installs)—remain available at the time of reporting. The extensions employ multiple spyware techniques, including monitoring files opened in VS Code and transmitting entire file contents in real time, executing server-controlled commands to harvest workspace files, and embedding analytics SDKs to profile users and fingerprint devices. Koi warned this activity risks exposing source code, configuration files, credentials, and API keys. Microsoft confirmed it is investigating the report and will take action in accordance with its policies.


Programmer’s Digest #168

01/14/2026-01/21/2026 Critical Flaw in Modular DS WordPress Plugin, Binary-parser Bug Allows Node.js Privilege-Level Code Execution, Hackers Target Developers via Malicious VS Code Projects And More.

1. Actively Exploited Critical Flaw in Modular DS WordPress Plugin Enables Admin Takeover

A critical vulnerability in the Modular DS WordPress plugin (CVE-2026-23550, CVSS 10.0) is being actively exploited, allowing unauthenticated attackers to escalate privileges. Modular DS, installed on over 40,000 sites, enables centralized monitoring, updates, and remote administration of WordPress installations. In versions 2.5.1 and earlier, the flaw allows attackers to bypass authentication by abusing exposed API routes under /api/modular-connector/. A flawed isDirectRequest() check treats requests containing simple parameters (origin=mo&type=xxx) as trusted “direct” requests, without validating signatures, secrets, IPs, or User-Agent headers. If a site is already connected to Modular, attackers can access sensitive routes such as /login, /system, and /backup, leading to admin takeover and data theft. Exploitation began on January 13, 2026, with attackers targeting the login API to create new admin users. The issue was fixed in version 2.5.2 by tightening route handling and validation. Users should update immediately to mitigate risk.

2. CERT/CC Warns Binary-parser Bug Allows Node.js Privilege-Level Code Execution

A security vulnerability has been disclosed in the popular binary-parser npm library that could allow attackers to execute arbitrary JavaScript. Tracked as CVE-2026-1245, the flaw affects all versions prior to 2.3.0, which was released on November 26, 2025 to address the issue. Binary-parser is a widely used JavaScript parser builder for binary data, supporting multiple data types and receiving roughly 13,000 weekly downloads. According to CERT/CC, the vulnerability stems from insufficient sanitization of user-supplied values—such as parser field names and encoding parameters—when generating parser code dynamically at runtime using the Function constructor. Because the library builds JavaScript source code as a string and compiles it for execution, attacker-controlled input can be injected into the generated code, leading to arbitrary code execution within the Node.js process. Applications using only static, hard-coded parser definitions are not affected. Users are strongly advised to upgrade to version 2.3.0 and avoid passing untrusted input into parser definitions.

3. Hackers Exploiting Critical Fortinet FortiSIEM Flaw in Attacks

A critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with publicly available proof-of-concept exploit code is now being actively exploited in the wild. Reported by Horizon3.ai researcher Zach Hanley, the flaw combines multiple issues that allow unauthenticated attackers to perform arbitrary file writes, escalate privileges, and ultimately gain root-level code execution. Fortinet described the issue as an OS command injection vulnerability that can be triggered via crafted TCP requests. Horizon3.ai’s analysis revealed that dozens of command handlers exposed through the phMonitor service can be accessed remotely without authentication. By abusing argument injection, attackers can overwrite system files such as /opt/charting/redishb.sh to execute code as root. The vulnerability affects FortiSIEM versions 6.7 through 7.5. Patches are available in newer releases, while administrators unable to update immediately are advised to restrict access to the phMonitor port (7900). Threat intelligence firm Defused has confirmed active exploitation, urging defenders to check phMonitor logs for signs of compromise.

4. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

North Korean threat actors behind the long-running Contagious Interview campaign are using malicious Visual Studio Code (VS Code) projects to distribute backdoors. The tactic targets software developers through fake job assessments that instruct victims to clone GitHub, GitLab, or Bitbucket repositories and open them in VS Code. When a victim trusts the repository, malicious tasks.json files are automatically executed, abusing the runOn: folderOpen option to fetch and run obfuscated JavaScript payloads hosted on Vercel. On macOS, the attack uses background shell commands to pipe remote JavaScript directly into Node.js, enabling persistent execution even after VS Code closes. The payload deploys backdoors such as BeaverTail and InvisibleFerret, enabling remote code execution, system profiling, and continuous command-and-control communication. Later stages may introduce fallback infection methods, malicious npm packages, credential theft, crypto mining, and remote access tools. Developers are urged to carefully vet repositories, review task configurations, and avoid untrusted coding tests.
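A defender-side check for the auto-run behaviour described above, as an added example that is not part of the original digest: it lists every task in a .vscode/tasks.json whose runOptions.runOn is folderOpen, including per-OS command overrides, and treats a file it cannot parse as a finding. The sample file and its placeholder commands are constructed.

```javascript
// Added example: report tasks.json entries that start without user action.
// tasks.json allows // and /* */ comments; remove them outside string literals.
function stripJsonComments(text) {
  let out = "", inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      out += c;
      if (c === "\\") { out += next ?? ""; i++; }
      else if (c === '"') inString = false;
    } else if (c === '"') { inString = true; out += c; }
    else if (c === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i++;
      out += "\n";
    } else if (c === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 1;
    } else out += c;
  }
  return out;
}

function findAutoRunTasks(tasksJsonText) {
  let doc;
  try { doc = JSON.parse(stripJsonComments(tasksJsonText)); } catch {
    // Fail closed: a file the scanner cannot parse needs manual review.
    return [{ label: "(unparseable tasks.json)", commands: [], reason: "parse-error" }];
  }
  const tasks = Array.isArray(doc?.tasks) ? doc.tasks : [];
  const describe = (t) => [t.command, ...(Array.isArray(t.args) ? t.args : [])]
    .map((a) => a?.value ?? a).filter((a) => a !== undefined).join(" ");
  return tasks
    .filter((t) => t?.runOptions?.runOn === "folderOpen")
    .map((t) => ({
      label: t.label ?? "(unlabelled)",
      // Per-OS blocks can override the command, so report each of them too.
      commands: [t, t.osx, t.linux, t.windows].filter(Boolean).map(describe).filter(Boolean),
      reason: "runOn-folderOpen",
    }));
}
// Constructed sample; the commands are harmless placeholders.
const SAMPLE = `{
  "tasks": [ // constructed for this example
    { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"] },
    { "label": "env-setup", "type": "shell", "command": "echo default-placeholder",
      "osx": { "command": "echo macos-placeholder" }, "runOptions": { "runOn": "folderOpen" } }
  ]
}`;
console.log(findAutoRunTasks(SAMPLE));
```

Running it over every cloned repository before opening the folder in VS Code shows which tasks would start once the workspace is trusted.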

5. AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach by Wiz, could have enabled attackers to take over several AWS-managed GitHub repositories, including the AWS JavaScript SDK, creating a severe supply chain risk. The issue was responsibly disclosed on August 25, 2025, and fixed by AWS in September. The flaw stemmed from improperly configured CI webhook filters intended to restrict which GitHub users could trigger builds. Four AWS repositories used regex-based actor ID filters that lacked start (^) and end ($) anchors, allowing attackers to bypass restrictions by registering GitHub accounts with numeric IDs containing a trusted maintainer’s ID as a substring. Because GitHub user IDs are sequential, these IDs could be predicted and generated using automated bot accounts. By triggering a build, an attacker could access privileged GitHub tokens with admin rights, enabling direct code pushes, pull request approvals, and secret exfiltration. AWS confirmed the issue was limited to specific projects, implemented mitigations, rotated credentials, and found no evidence of exploitation in the wild.
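The anchor problem described above, as an added example that is not AWS's or Wiz's code: it probes an actor-ID allow-list pattern with IDs that merely contain a trusted ID, and builds a fully anchored replacement. The IDs are constructed, and JavaScript's RegExp stands in for the CI system's regex engine as an assumption.

```javascript
// Added example: audit a regex allow-list of numeric actor IDs for missing anchors.
// All IDs are constructed for illustration; none is a real GitHub account ID.

// Returns one finding per way the pattern accepts an ID it should reject.
function auditActorFilter(pattern, trustedIds) {
  const re = new RegExp(pattern); // unanchored search unless the pattern anchors itself
  const findings = [];
  for (const id of trustedIds) {
    if (!re.test(id)) {
      findings.push({ id, issue: "trusted ID is not matched at all" });
      continue;
    }
    // Probe IDs that only contain the trusted ID as a substring.
    const probes = { leading: "7" + id, trailing: id + "7", both: "7" + id + "7" };
    for (const [kind, probe] of Object.entries(probes)) {
      if (trustedIds.includes(probe)) continue; // probe happens to be trusted
      if (re.test(probe)) {
        findings.push({ id, issue: `accepts ${probe} (${kind} digits added)` });
      }
    }
  }
  return findings;
}

// Builds a filter that matches each trusted ID as a whole string and nothing else.
function buildAnchoredFilter(trustedIds) {
  for (const id of trustedIds) {
    if (!/^[0-9]+$/.test(id)) throw new Error(`not a numeric ID: ${id}`);
  }
  return `^(?:${trustedIds.join("|")})$`;
}

const TRUSTED = ["1234567", "7654321"]; // constructed maintainer IDs

// Unanchored: every probe matches. Half-anchored: '|' binds looser than '^' and '$',
// so each alternative is anchored on one side only.
const unanchored = auditActorFilter("1234567|7654321", TRUSTED);
const halfAnchored = auditActorFilter("^1234567|7654321$", TRUSTED);
const anchored = auditActorFilter(buildAnchoredFilter(TRUSTED), TRUSTED);

console.log({ unanchored: unanchored.length, halfAnchored: halfAnchored.length, anchored: anchored.length });
```

The half-anchored case is the one to watch for in review: a pattern can contain both ^ and $ and still accept substring matches unless the alternation is grouped.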


Programmer’s Digest #167

01/07/2026-01/14/2026 Gogs Vulnerability, Microsoft Fixes 114 Windows Flaws, Critical Node.js Vulnerability And More

1. CISA Flags Actively Exploited Gogs Vulnerability With No Patch

A high-severity vulnerability in the self-hosted Git service Gogs is being actively exploited, prompting an alert from CISA. The flaw is tracked as CVE-2025-8110 and carries a CVSS v4.0 score of 8.7. The issue stems from improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated attackers to overwrite files outside a repository and achieve remote code execution. Wiz researchers uncovered the flaw while investigating malware infections and found it was exploited as a zero-day, bypassing earlier protections. More than 700 Gogs instances have already been compromised, and about 1,600 servers remain internet-exposed. No official patch is available yet, though fixes are pending. Until updates are released, organizations are urged to restrict access, disable open registration, and closely monitor for suspicious activity.

2. Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft has released its first Patch Tuesday update of 2026, fixing 114 security vulnerabilities, including one actively exploited in the wild. Eight flaws are rated Critical and 106 Important, with privilege escalation issues making up the largest category. The update ranks as the third-largest January Patch Tuesday on record.

The actively exploited flaw, CVE-2026-20805 (CVSS 5.5), is an information disclosure vulnerability in the Desktop Window Manager (DWM) that could help attackers undermine protections like ASLR. While exploitation details remain limited, CISA has added it to its KEV catalog, requiring U.S. federal agencies to patch by February 3, 2026.

Microsoft also addressed Edge browser flaws, removed vulnerable legacy Agere modem drivers, and fixed a Secure Boot certificate expiration bypass that could weaken firmware trust. Another high-priority issue is a privilege escalation flaw in Windows Virtualization-Based Security Enclave that could allow attackers to compromise core system protections.

3. Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released security updates to fix a critical denial-of-service (DoS) issue that could impact “virtually every production Node.js app.” Tracked as CVE-2025-59466 (CVSS 7.5), the flaw occurs when stack space is exhausted in user code while async_hooks is enabled. Instead of throwing a catchable error, Node.js may abruptly exit with code 7, allowing attackers to crash applications using unsanitized, recursion-based input. The issue affects many popular frameworks and monitoring tools that rely on AsyncLocalStorage, including React Server Components, Next.js, and major APM platforms such as Datadog and New Relic. All Node.js versions from 8.x through 18.x are impacted, though only supported releases have been patched.

Fixes are available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. Node.js also addressed three additional high-severity vulnerabilities involving data leakage, file access via symlinks, and remote DoS. Users are strongly urged to update promptly.

4. Trend Micro Fixed a Remote Code Execution in Apex Central

Trend Micro has patched three security vulnerabilities in its Apex Central on-premise management console that could enable remote code execution (RCE) or denial-of-service (DoS) attacks. The flaws, discovered by Tenable in August 2025 and tracked as CVE-2025-69258, CVE-2025-69259, and CVE-2025-69260, affect Windows installations running Apex Central versions prior to Build 7190.

The most critical issue, CVE-2025-69258 (CVSS 9.8), is a LoadLibraryEx RCE vulnerability that allows an unauthenticated attacker to load a malicious DLL and execute code with SYSTEM privileges. Tenable released proof-of-concept exploit code demonstrating the attack. The other two flaws, both rated 7.5, are DoS vulnerabilities caused by an unchecked NULL return value and an out-of-bounds read, respectively.

Trend Micro addressed all three issues in Critical Patch Build 7190 and urges customers to apply updates promptly and restrict remote access.
