January 2026 was a reminder that foundational security failures are still driving real-world compromises. This month’s disclosures cut across firewalls, identity systems, collaboration platforms, and operating system internals, with several flaws already being used to gain persistent access inside enterprise networks. What stands out is not just the volume of critical vulnerabilities, but how many of them break basic trust assumptions, especially around authentication, tenant isolation, and input handling. For security teams, January was less about theoretical risk and more about responding to issues that attackers were actively abusing or clearly preparing to exploit.
What We'll Cover
Fortinet FortiCloud SSO Authentication Bypass (CVE-2026-24858)
Overview
This vulnerability affects the FortiCloud administrative Single Sign-On implementation used to manage Fortinet devices across customer environments. The root cause lies in improper access control enforcement within the FortiCloud SSO GUI component, where identity assertions are not reliably bound to a specific tenant. An attacker who owns a valid FortiCloud account and has a registered device can craft authentication requests that bypass tenant isolation. This allows unauthorized administrative access to FortiGate firewalls and other Fortinet products belonging to different organizations, effectively breaking the cloud trust model.
Severity and Score
Critical | 9.4
Type
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Disclosure
January 27, 2026
Included in the CISA Known Exploited Vulnerabilities catalog
Exploitation Status
Actively exploited. Observed activity includes configuration exfiltration, creation of persistent administrator accounts, and VPN configuration changes to retain long-term access.
Mitigation Strategies
Upgrade FortiOS, FortiManager, and FortiAnalyzer to patched versions immediately. If patching is delayed, disable FortiCloud SSO login entirely. Audit all administrative accounts created or modified in January 2026.
n8n Expression Sandbox Escape (CVE-2026-1470)
Overview
The n8n workflow automation platform contains a critical flaw in its JavaScript expression evaluation engine. Although n8n executes user-supplied expressions inside a sandbox, researchers demonstrated that crafted expressions can escape this restricted context. Because n8n commonly runs with elevated privileges to support automation and data movement, a successful escape grants attackers the ability to execute operating system commands on the host. This effectively converts workflow access into full server compromise.
Severity and Score
Critical | 9.9
Type
Improper Neutralization of Directives in Dynamically Evaluated Code (CWE-95)
Disclosure
January 27, 2026
Exploitation Status
Proof of concept publicly available. Exploitation is expected to increase as attackers target internal automation servers and CI/CD environments.
Mitigation Strategies
Upgrade to n8n versions 1.123.17, 2.4.5, 2.5.1, or later. Implement strict network egress controls on n8n hosts to limit post-exploitation communication.
Ivanti EPMM Unauthenticated Remote Code Execution (CVE-2026-1281)
Overview
Ivanti Endpoint Manager Mobile was impacted by a zero-day vulnerability affecting in-house application distribution and Android file transfer functionality. The flaw allows unauthenticated attackers to inject Bash commands via crafted HTTP GET requests. Due to missing authentication and inadequate input sanitization, these commands are executed directly by the web server. The result is full remote code execution without valid credentials, making exposed systems trivial to compromise.
Severity and Score
Critical | 9.8
Type
Improper Control of Generation of Code (CWE-94)
Disclosure
January 29, 2026
Exploitation Status
Actively exploited zero-day. CISA mandated federal agencies to patch or decommission affected systems by February 1, 2026.
Mitigation Strategies
Apply Ivanti RPM fixes for supported versions immediately. Monitor /var/log/httpd/https_access_log for suspicious requests targeting /mifs/c/appstore/fob/. A permanent fix is expected in version 12.8.0.0.
Microsoft Office OLE Security Bypass “Ni8mare” (CVE-2026-21509)
Overview
This vulnerability bypasses Object Linking and Embedding protections in Microsoft Office applications. The flaw allows Office to load restricted COM or OLE controls that should be blocked by Protected View and related security mechanisms. Attackers leverage this weakness as a loader technique, commonly delivering secondary malware through malicious RTF documents. Once triggered, the exploit enables arbitrary code execution under the context of the user.
Severity and Score
High | 7.8
Type
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
Disclosure
January 26, 2026
Out-of-band emergency patch
Exploitation Status
Actively exploited. APT28 campaigns observed delivering MiniDoor and PixyNetLoader via weaponized documents.
Mitigation Strategies
Apply the January 26 emergency security update. Block RTF files from untrusted sources using Office Trust Center File Block settings in high-risk environments.
SmarterMail Authentication Bypass (CVE-2026-23760)
Overview
SmarterMail was found to contain a flaw in its force-reset-password API that enables attackers to reset the system administrator password without valid credentials. The issue is caused by an alternate logic path that improperly validates reset requests. By abusing this path, attackers can gain full administrative access to the mail server. Once compromised, email data, credentials, and internal communications are fully exposed.
Severity and Score
Critical | 9.8
Type
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Disclosure
January 22, 2026
Exploitation Status
Actively exploited and included in the CISA KEV catalog.
Mitigation Strategies
Upgrade to SmarterMail Build 9511 or later immediately. Review all Super Admin accounts and rotate credentials for all privileged users after patching.
Oracle January CPU Information Disclosure Zero-Day (CVE-2026-20805)
Overview
Oracle’s January 2026 Critical Patch Update addressed an information disclosure vulnerability affecting database and middleware components. While the base CVSS score appears moderate, the vulnerability leaks sensitive memory layout information. Attackers use this data to bypass Address Space Layout Randomization and chain additional vulnerabilities. In complex attack scenarios, this flaw serves as a key enabler for full remote code execution.
Severity and Score
Medium to High | 5.5
Contextually critical
Type
Information Exposure (CWE-200)
Disclosure
January 13, 2026
Exploitation Status
Actively exploited in targeted multi-stage attacks against large Oracle deployments.
Mitigation Strategies
Apply the January 2026 Oracle CPU patches. Restrict database listener access and secure the TNS Listener with authentication.
Microsoft SharePoint Server Deserialization RCE (CVE-2026-20963)
Overview
This vulnerability centers on a breakdown in how Microsoft SharePoint Server handles the deserialization of untrusted data during network request processing. The flaw exists in internal object handling logic where serialized object graphs are not sufficiently validated before execution. An authenticated attacker can inject a malicious payload that triggers arbitrary code execution when deserialized. Historically, this vulnerability class has been used to deploy ASPX web shells, providing attackers with persistent server access.
Severity and Score
High | 8.8
Type
Deserialization of Untrusted Data (CWE-502)
Disclosure
January 13, 2026
Exploitation Status
Exploitation more likely. Low privilege authentication is sufficient to escalate to full server control.
Mitigation Strategies
Apply the January 13, 2026 SharePoint security updates immediately. Monitor IIS worker processes for suspicious child processes such as cmd.exe or powershell.exe. Isolate SharePoint servers through network segmentation.
SAP S/4HANA SQL Injection (CVE-2026-0501)
Overview
Disclosed during the January 2026 SAP Security Patch Day, this vulnerability affects SAP S/4HANA Private Cloud and On-Premise deployments. The flaw resides in an RFC-enabled function within the Financials General Ledger module that uses ABAP Database Connectivity. Insufficient input validation allows authenticated attackers to inject native SQL commands. This bypasses ABAP application layer controls and enables direct database interaction.
Severity and Score
Critical | 9.9
Type
SQL Injection (CWE-89)
Disclosure
January 12, 2026
SAP Security Patch Day January 13, 2026
Exploitation Status
Highly targeted. Attractive for financial fraud and corporate espionage due to direct access to financial records.
Mitigation Strategies
Apply SAP Security Note 3687749 immediately. Review all custom ABAP code using native SQL for similar unsafe patterns.
GNU InetUtils telnetd Authentication Bypass (CVE-2026-24061)
Overview
This vulnerability affects the telnetd service in the GNU InetUtils suite and represents a classic argument injection flaw. During the NEW-ENVIRON negotiation phase, attacker-controlled environment variables are passed directly to the system login program. By manipulating the USER variable, attackers can bypass authentication entirely. Successful exploitation grants an unauthenticated root shell over the network.
Severity and Score
Critical | 9.8
Type
Argument Injection and Authentication Bypass (CWE-88)
Disclosure
January 22, 2026
Exploitation Status
Actively exploited and added to the CISA KEV catalog. Internet-wide scanning activity observed.
Mitigation Strategies
Upgrade GNU InetUtils to version 2.8 or later. If upgrading is not possible, disable telnetd immediately and migrate to SSH.
Windows LSASS Use-After-Free Remote Code Execution (CVE-2026-20854)
Overview
The Local Security Authority Subsystem Service is responsible for authentication and security policy enforcement in Windows. This vulnerability is a use-after-free memory corruption flaw that can be triggered remotely by an authenticated attacker. By sending crafted directory attribute modifications, LSASS is forced to reference freed memory. Successful exploitation results in arbitrary code execution with SYSTEM privileges.
Severity and Score
High | 7.5
Type
Remote Code Execution via Use-After-Free (CWE-416)
Disclosure
January 13, 2026
Microsoft Patch Tuesday
Exploitation Status
Patch available. High impact despite higher attack complexity due to potential domain-wide compromise.
Mitigation Strategies
Apply January 2026 Windows cumulative updates across all systems. Enable Windows Defender Credential Guard to isolate LSASS using virtualization-based security.
The vulnerabilities disclosed in January 2026 reinforce a pattern security teams have seen repeatedly: attackers continue to favor flaws that give reliable access with minimal friction. Authentication bypasses, unsafe deserialization, and low-privilege paths to full system control dominated this month’s disclosures, and several of these issues moved from advisory to active exploitation in a matter of days. Organizations that treat patching as a routine maintenance task rather than a risk decision are likely already behind. The priority going forward is clear: close exposed management interfaces, reduce unnecessary trust between systems, and assume that any widely deployed enterprise platform will be tested aggressively once a weakness becomes public. January’s roundup is less a snapshot of isolated bugs and more a signal of where attackers are consistently finding leverage.
Organizations must prioritise immediate remediation of critical exposures, enforce strict authentication controls, and maintain continuous visibility into their systems. Failure to address these vulnerabilities promptly can result in full system compromise, data loss, or persistent adversary access.
Ready to secure your systems against these risks? Our cybersecurity service can help identify vulnerabilities, close gaps, and strengthen your defenses before attackers exploit them.
