January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day

Recorded Future Research, 24 Feb 2026
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.

What security teams need to know:

- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants.
- Microsoft and SmarterTools lead concerns: these vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws.
- Public exploits proliferate: fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available.
- Code injection dominates: CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Bottom line: the slight increase masks significant threats.

APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.

Quick Reference Table

All 23 vulnerabilities below were actively exploited in January 2026.

| Vulnerability | Affected Vendor/Product | Vulnerability Type/Component |
| --- | --- | --- |
| CVE-2026-20029 | Cisco Identity Services Engine Software | CWE-611 (Improper Restriction of XML External Entity Reference) |
| CVE-2026-20805 | Microsoft Windows | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) |
| CVE-2026-20931 | | CWE-73 (External Control of File Name or Path) |
| CVE-2026-23550 | Modular DS Plugin | CWE-266 (Incorrect Privilege Assignment) |
| CVE-2026-24061 | GNU InetUtils | CWE-88 (Argument Injection) |
| CVE-2026-20045 | Cisco Unified Communications Manager | CWE-94 (Code Injection) |
| CVE-2026-23760 | SmarterTools SmarterMail | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) |
| CVE-2026-24423 | | CWE-306 (Missing Authentication for Critical Function) |
| CVE-2026-21509 | Microsoft Office | CWE-807 (Reliance on Untrusted Inputs in a Security Decision) |
| CVE-2026-24858 | Fortinet Multiple Products | |
| CVE-2025-40551 | SolarWinds Web Help Desk | CWE-502 (Deserialization of Untrusted Data) |
| CVE-2026-1281 | Ivanti Endpoint Manager Mobile (EPMM) | |
| CVE-2026-1340 | Ivanti Endpoint Manager Mobile (EPMM) | |
| CVE-2018-14634 | Linux Kernel | CWE-190 (Integer Overflow or Wraparound) |
| CVE-2025-52691 | | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| CVE-2024-37079 | Broadcom VMware vCenter Server | CWE-787 (Out-of-bounds Write) |
| CVE-2025-68645 | Synacor Zimbra Collaboration Suite (ZCS) | CWE-98 (PHP Remote File Inclusion) |
| CVE-2025-34026 | Versa Concerto | |
| CVE-2025-31125 | Vite Vitejs | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) |
| CVE-2025-54313 | Prettier eslint-config-prettier | CWE-506 (Embedded Malicious Code) |
| CVE-2025-8110 | Gogs | CWE-22 (Path Traversal) |
| CVE-2009-0556 | Microsoft Office | |
| CVE-2025-37164 | Hewlett Packard Enterprise OneView | |

Table 1: List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)

Key Trends in January 2026

Affected Vendors

- Microsoft faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509
- SmarterTools accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE
- Cisco saw two critical flaws in Identity Services Engine and Unified Communications Manager
- Ivanti dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile
- Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS

Most Common Weakness Types

- CWE-94 – Code Injection
- CWE-288 – Authentication Bypass Using an Alternate Path or Channel
- CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Threat Actor Activity

APT28's Operation Neusploit marked January's most sophisticated campaign:

- Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files
- Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses
- Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant
- Abused the Filen API as a C2 bridge between the implant and an actor-controlled Covenant listener

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2026-21509 | Microsoft Office
Risk Score: 99 (Very Critical) | Active exploitation by APT28

Why this matters: zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.

Affected versions: Microsoft 365 and Microsoft Office (versions not specified in advisory)

Immediate actions:

- Install Microsoft's out-of-band update released January 26, 2026
- Search email systems for RTF attachments with embedded malicious droppers
- Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM
- Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
- Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints
- Hunt for scheduled tasks named "OneDriveHealth" and suspicious files at %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png
- Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me

Figure 1: Vulnerability Intelligence Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)

CVE-2026-23760 | SmarterTools SmarterMail | CISA KEV: Added January 26, 2026

Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.

Affected versions: SmarterTools SmarterMail prior to build 9511

Immediate actions:

- Upgrade to build 9511 or later immediately
- Review administrator account activity logs for unauthorized password resets
- Check the Volume Mounts configuration for suspicious command entries
- Review administrator access patterns and session logs
- Audit the system for unauthorized changes made with compromised admin access

CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile | CISA KEV: CVE-2026-1281 added January 29, 2026

Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.

Affected versions: Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier

Immediate actions:

- Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm
- Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)
- Monitor for unusual Apache RewriteMap activity
- Review logs for crafted HTTP parameters to app store retrieval routes
- Check for unauthorized code execution attempts via RewriteRule handling

Exposure: EPMM instances accessible over corporate networks or VPN connections

Figure 2: Risk Rules History from Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)

Technical Deep Dive: Exploitation Analysis

APT28's Operation Neusploit (CVE-2026-21509)

The multi-stage attack chain: CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:

- Initial delivery: a specially crafted RTF file exploits CVE-2026-21509
- Server-side evasion: the malicious DLL is returned only for requests from targeted geographies with an expected HTTP User-Agent
- Dropper variants: two distinct infection paths are deployed based on targeting:
  - Variant 1 (MiniDoor): writes a VBA project to Outlook, modifies registry settings to enable macro execution, and forwards emails to hardcoded recipient addresses
  - Variant 2 (PixyNetLoader): creates the mutex asagdugughi41, decrypts embedded payloads using a rolling XOR key, and establishes persistence via COM hijacking

APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.
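The "search email systems for RTF attachments with embedded malicious droppers" step above needs a first-pass triage filter. The following is an added example, not code from Recorded Future or the original post: it flags RTF attachments that carry an embedded OLE object (the delivery mechanism described for Operation Neusploit) by looking for the RTF object control words and the hex-encoded OLE compound-file header. The sample documents are constructed and contain no real payload.

```python
import re
from dataclasses import dataclass, field

# RTF control words that embed (or auto-update) an OLE object. A weaponized
# RTF dropper carries its payload this way, so they are the triage signals
# for sweeping mail attachments; a hit is a review queue, not a verdict.
OLE_CONTROL_WORDS = (b"\\object", b"\\objdata", b"\\objemb",
                     b"\\objautlink", b"\\objupdate")
# OLE compound-file magic (D0 CF 11 E0 A1 B1 1A E1) as hex text inside \objdata.
OLE_MAGIC_HEX = re.compile(rb"d0cf11e0a1b11ae1")

@dataclass
class RtfTriage:
    is_rtf: bool
    control_words: list = field(default_factory=list)
    has_ole_blob: bool = False
    auto_update: bool = False

    @property
    def suspicious(self) -> bool:
        return self.is_rtf and (self.has_ole_blob or self.auto_update)

def triage_rtf(data: bytes) -> RtfTriage:
    """Flag an RTF attachment that carries an embedded OLE object."""
    # Genuine RTF opens with "{\rtf"; droppers sometimes prepend junk, so look
    # for the token anywhere in the first 16 bytes rather than only at offset 0.
    if b"{\\rtf" not in data[:16]:
        return RtfTriage(is_rtf=False)
    lowered = data.lower()
    found = [w.decode() for w in OLE_CONTROL_WORDS if w in lowered]
    # Obfuscated droppers break the hex blob up with whitespace; collapse it.
    compact = re.sub(rb"\s+", b"", lowered)
    return RtfTriage(
        is_rtf=True,
        control_words=found,
        has_ole_blob=OLE_MAGIC_HEX.search(compact) is not None,
        auto_update=b"\\objupdate" in lowered,
    )

# Constructed samples (no real malware): a plain document and one carrying an
# embedded OLE object flagged for automatic update.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
OLE_RTF = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata "
           b"D0CF 11E0 A1B1 1AE1 0000 0000}}}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("ole", OLE_RTF)):
        print(name, triage_rtf(blob))
```

Flagged files go to sandbox detonation or manual analysis; benign RTFs with legitimate embedded objects will also hit, so tune on sender and recipient context.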

Modular DS WordPress Plugin Exploitation (CVE-2026-23550 & CVE-2026-23800)

The authentication bypass chain: CVE-2026-23550 enables administrator-level access without authentication:

- The plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification
- The /api/modular-connector/login flow grants access based on the site's connector enrollment state
- If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session

CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x

Known IoCs associated with CVE-2026-23550: 45[.]11[.]89[.]19, 185[.]196[.]0[.]11, 64[.]188[.]91[.]37

Known IoCs associated with CVE-2026-23800: 62[.]60[.]131[.]161, 185[.]102[.]115[.]27, backup[@]wordpress[.]com, backup1[@]wordpress[.]com

WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.
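A retrospective sweep of web server access logs for the two Modular DS routes and the listed IoCs, as an added example (not Recorded Future's tooling). It assumes Apache/nginx combined log format; the log lines are constructed, with documentation-range addresses except for the one IoC hit.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators from the write-up above (defanging removed for matching).
IOC_IPS = {
    "45.11.89.19", "185.196.0.11", "64.188.91.37",  # CVE-2026-23550
    "62.60.131.161", "185.102.115.27",              # CVE-2026-23800
}
IOC_EMAILS = {"backup@wordpress.com", "backup1@wordpress.com"}

# Apache/nginx combined-format request line; only the fields we need are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def classify(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    qs = parse_qs(parts.query)
    reasons = []
    # The connector login route is also used legitimately by the plugin, so a
    # hit here is a review item: pair it with source IP and admin-session audit.
    if parts.path.startswith("/api/modular-connector/login"):
        reasons.append("CVE-2026-23550 connector login route")
    rest_route = qs.get("rest_route", [""])[0]
    if rest_route.startswith("/wp/v2/users") and qs.get("origin") == ["mo"]:
        reasons.append("CVE-2026-23800 REST user-creation route")
    if m["ip"] in IOC_IPS:
        reasons.append("known IoC source address")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "url": m["url"], "status": int(m["status"]), "reasons": reasons}

def scan(lines) -> list:
    return [hit for hit in map(classify, lines) if hit]

def is_ioc_user(email: str) -> bool:  # for the wp_users audit that accompanies the sweep
    return email.strip().lower() in IOC_EMAILS

SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1843
45.11.89.19 - - [14/Jan/2026:10:03:52 +0000] "POST /api/modular-connector/login HTTP/1.1" 200 512
198.51.100.9 - - [14/Jan/2026:10:05:30 +0000] "POST /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 201 890
203.0.113.7 - - [14/Jan/2026:10:06:01 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 2201
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 2xx status on the user-creation route is the line to escalate; compare its timestamp with the creation time of any unexpected administrator in wp_users.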

SmarterMail Authentication Bypass (CVE-2026-23760)

The password reset flaw: CVE-2026-23760 exposes privileged password reset to anonymous callers:

- The ForceResetPassword controller attribute explicitly permits unauthenticated access
- The backend ForcePasswordReset routine branches on a client-supplied IsSysAdmin boolean rather than deriving the account type from server-side context
- The system administrator branch performs basic checks, then sets Password directly from the supplied NewPassword
- The logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls

Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.
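The four defects listed above compose into one pattern: a privileged decision keyed on a field the client controls. The following added example (a Python model, not SmarterMail's C# code) places a handler with exactly those defects beside a hardened one where identity and role come from the server-side session and the old password is always proven. The account store, session table, and status strings are assumptions for the model; passwords are held in plaintext only to keep it short.

```python
from dataclasses import dataclass
import hmac
from typing import Optional

@dataclass
class Account:
    username: str
    password: str       # plaintext only for brevity; a real store holds hashes
    is_sysadmin: bool

USERS = {
    "admin": Account("admin", "Adm1n-Secret!", True),
    "alice": Account("alice", "alice-pw", False),
}
SESSIONS = {"sess-alice": "alice", "sess-admin": "admin"}  # token -> username

def force_reset_vulnerable(req: dict) -> str:
    """Models the flaw as described: anonymous access, role taken from the request."""
    target = USERS.get(req.get("Username", ""))
    if target is None:
        return "no_such_user"
    if req.get("IsSysAdmin"):                 # client-controlled boolean picks the branch
        target.password = req["NewPassword"]  # OldPassword is never consulted
        return "ok"
    if req.get("OldPassword") == target.password:
        target.password = req["NewPassword"]
        return "ok"
    return "bad_old_password"

def force_reset_hardened(req: dict, session_token: Optional[str]) -> str:
    """Identity and role come from server-side state; the caller re-proves a secret."""
    caller_name = SESSIONS.get(session_token or "")
    if caller_name is None:
        return "denied:unauthenticated"      # [AllowAnonymous]-style access removed
    caller = USERS[caller_name]              # role is whatever the server holds
    target = USERS.get(req.get("Username", ""))
    if target is None:
        return "no_such_user"
    if target is not caller and not caller.is_sysadmin:
        return "denied:forbidden"            # explicit authorization check
    # Constant-time compare of the caller's current password, even for sysadmins.
    if not hmac.compare_digest(req.get("OldPassword", ""), caller.password):
        return "bad_old_password"
    target.password = req["NewPassword"]
    return "ok"
```

The IsSysAdmin field is simply ignored by the hardened path; any role claim arriving in the request body should be treated as untrusted input, not as a branch condition.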

Detection & Remediation Resources

Nuclei Templates from Insikt Group®

Recorded Future customers can access Nuclei templates for:

- CVE-2025-8110 (Gogs) - Version detection and fingerprinting check
- CVE-2026-23760 (SmarterMail) - Authentication bypass validation

Recorded Future Product Integrations

- Prioritize based on active exploitation data, including APT28 targeting
- Attack Surface Intelligence – Discover exposed SmarterMail, Ivanti EPMM, and Modular DS assets
- Third-Party Intelligence – Monitor vendor vulnerabilities across your supply chain

January 2026 Summary

State-sponsored zero-days return.

APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.

Authentication bypass dominates enterprise risk. Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.

Legacy vulnerabilities persist. CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.

Take Action

Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our demo center for live examples, or dive deeper with Insikt Group research for technical threat intelligence.

About Insikt Group®: Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide.

Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.
