Clop Exploits Oracle E-Business Suite Zero-Days in Massive Extortion Campaign
The Clop ransomware group weaponized CVE-2025-61882 and CVE-2025-61884 to breach nearly 100 organizations, including Allianz UK, GlobalLogic, Envoy Air, Harvard, and the Washington Post, with ransom demands reaching $50 million.
APT28 Exploits Microsoft Office Zero-Day in Operation Neusploit Targeting Ukraine
Russia's APT28 weaponized CVE-2026-21509 within three days of Microsoft's disclosure, deploying MiniDoor email stealers and PixyNetLoader against Ukraine, Slovakia, and Romania.
Ivanti EPMM Zero-Days Chained for Unauthenticated RCE, Already Exploited in the Wild
Two chained Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) allow unauthenticated RCE via Bash command injection. CISA gave federal agencies only 3 days to patch.
Fortinet Patches FortiCloud SSO Authentication Bypass Under Active Exploitation
CVE-2026-24858 allows attackers with any FortiCloud account to authenticate to other customers' devices. Arctic Wolf observed automated exploitation creating backdoor admin accounts within seconds.
Microsoft Patches Actively Exploited Office Zero-Day Used by APT28
CVE-2026-21509 bypasses OLE security mitigations in Microsoft Office. Russia-linked APT28 is exploiting it against targets in Ukraine and the EU. Emergency patches available.
Cisco Patches Actively Exploited Zero-Day in Unified Communications and Webex
CVE-2026-20045, a CVSS 9.8 RCE flaw in Cisco Unified CM, is being actively exploited. No workaround exists—organizations must upgrade to 14SU5 or 15SU4 immediately.
Automated Attacks Exploit FortiCloud SSO to Hijack FortiGate Firewalls
Arctic Wolf detected automated attacks on FortiGate devices starting January 15, exploiting CVE-2026-24858 (CVSS 9.8) to create backdoor admin accounts. Fortinet temporarily suspended FortiCloud SSO globally to contain the threat.
Microsoft January 2026 Patch Tuesday: 114 Vulnerabilities Fixed, Three Zero-Days
Monthly security update addresses 114 CVEs including CVE-2026-20805, a Windows Desktop Window Manager flaw under active exploitation enabling ASLR bypass. Eight critical RCE and privilege escalation flaws patched.
Chinese Hackers Exploited VMware ESXi Zero-Days a Year Before Disclosure
Huntress discovered a Chinese-linked exploit toolkit (MAESTRO) targeting VMware ESXi that was built in February 2024—a year before VMware disclosed CVE-2025-22224. Over 30,000 instances remain exposed.
MOVEit Transfer — Cl0p Mass Exploitation Affects 2,700+ Organizations
The Cl0p ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer, compromising over 2,700 organizations and exposing data of 95+ million individuals in one of the largest mass exploitation events ever.