What is Trusted Access for Cyber? 

Expanding Frontier AI Access for Cyber Defense 

How Trusted Access for Cyber Works 

Scaling the Cybersecurity Grant Program 

Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.

Russian state-sponsored hacking group APT28 used a critical Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509, in less than a day after the vendor publicly disclosed the flaw, launching targeted attacks against Ukrainian government agencies and European Union institutions.

Ukraine's Computer Emergency Response Team detected exploitation attempts that began on January 27—just one day after Microsoft published details about CVE-2026-21509.

Microsoft had acknowledged active exploitation when it disclosed the flaw on January 26, but details pertaining to the threat actors were withheld and it is still unclear if it is the same or some other exploitation campaign that the vendor meant. However, the speed at which APT28 deployed customized attacks shows the narrow window defenders have to patch critical vulnerabilities.

Also read: APT28’s Recent Campaign Combined Steganography, Cloud C2 into a Modular Infection Chain

CERT-UA discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Final).doc" containing the CVE-2026-21509 exploit on January 29. Metadata revealed attackers created the document on January 27 at 07:43 UTC. The file masqueraded as materials related to Committee of Permanent Representatives to the European Union consultations on Ukraine's situation.

On the same day, attackers impersonated Ukraine's Ukrhydrometeorological Center, distributing emails with an attached DOC file named "BULLETEN_H.doc" to more than 60 email addresses. Recipients primarily included Ukrainian central executive government agencies, representing a coordinated campaign against critical government infrastructure.

The attack chain begins when victims open malicious documents using Microsoft Office. The exploit establishes network connections to external resources using the WebDAV protocol—a file sharing protocol that extends HTTP to enable collaborative editing. The connection downloads a shortcut file containing program code designed to retrieve and execute additional malicious payloads.

Successful execution creates a DLL file "EhStoreShell.dll" disguised as a legitimate "Enhanced Storage Shell Extension" library, along with an image file "SplashScreen.png" containing shellcode. Attackers implement COM hijacking by modifying Windows registry values for a specific CLSID identifier, a technique that allows malicious code to execute when legitimate Windows components load.

The malware creates a scheduled task named "OneDriveHealth" that executes periodically. When triggered, the task terminates and relaunches the Windows Explorer process. Because of the COM hijacking modification, Explorer automatically loads the malicious EhStoreShell.dll file, which then executes shellcode from the image file to deploy the Covenant framework on compromised systems.

Covenant is a post-exploitation framework similar to Cobalt Strike that provides attackers persistent command-and-control access. In this campaign, APT28 configured Covenant to use Filen.io, a legitimate cloud storage service, as command-and-control infrastructure. This technique, called living-off-the-land, makes malicious traffic appear legitimate and harder to detect.

CERT-UA discovered three additional malicious documents using similar exploits in late January 2026. Analysis of embedded URL structures and other technical indicators revealed these documents targeted organizations in EU countries. In one case, attackers registered a domain name on January 30, 2026—the same day they deployed it in attacks—demonstrating the operation's speed and agility.

"It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned in its advisory.

Microsoft released an emergency fix for CVE-2026-21509, but many organizations struggle to rapidly deploy patches across enterprise environments. The vulnerability affects multiple Microsoft Office products, creating a broad attack surface that threat actors will continue exploiting as long as unpatched systems remain accessible.

Read: Microsoft Releases Emergency Fix for Exploited Office Zero-Day

CERT-UA attributes the campaign to UAC-0001, the agency's designation for APT28, also known as Fancy Bear or Forest Blizzard. The group operates on behalf of Russia's GRU military intelligence agency and has conducted extensive operations targeting Ukraine since Russia's 2022 invasion. APT28 previously exploited Microsoft vulnerabilities within hours of disclosure, demonstrating consistent capability to rapidly weaponize newly discovered flaws.

CERT-UA recommends organizations immediately implement mitigation measures outlined in Microsoft's advisory, particularly Windows registry modifications that prevent exploitation. The agency specifically urges blocking or monitoring network connections to Filen cloud storage infrastructure, providing lists of domain names and IP addresses in its indicators of compromise section.

Two code injection vulnerabilities allowed unauthenticated attackers to execute arbitrary code and access sensitive device information across compromised networks.

Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile after discovering attackers exploited the flaws to compromise customer systems. The company confirmed a limited number of organizations fell victim to attacks leveraging CVE-2026-1281, which CISA added to its Known Exploited Vulnerabilities catalog with a February 1 remediation deadline for federal agencies.

The Code Injection Zero-Days

Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM's In-House Application Distribution and Android File Transfer Configuration features. Rated critical with CVSS scores of 9.8, the vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication.

"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti stated in its security advisory released Thursday. The company acknowledged it lacks sufficient information about the threat actors or comprehensive indicators of compromise due to the sophistication of the attacks.

The vulnerabilities affect only on-premises EPMM deployments and do not impact cloud-hosted Ivanti Neurons for Mobile Device Management, Ivanti Endpoint Manager, the Ivanti Sentry secure mobile gateway or any other Ivanti products. However, the company recommends organizations review Sentry logs alongside EPMM systems for potential lateral movement.

What Attackers Can Siphon

Successful exploitation grants attackers access to mobile device management infrastructure. Compromised EPMM appliances expose administrator and user credentials, including usernames and email addresses. Attackers gain visibility into managed mobile devices, accessing phone numbers, IP addresses, installed applications and device identifiers like IMEI and MAC addresses.

Organizations with location tracking enabled face additional exposure. Attackers accessing compromised systems can retrieve device location data including GPS coordinates and cellular tower information. More critically, attackers can leverage EPMM's API or web console to modify device configurations, including authentication settings.

Urgent Remediation Called For

Ivanti released RPM scripts providing temporary mitigation for affected EPMM versions. Organizations running versions 12.5.0.x, 12.6.0.x and 12.7.0.x should deploy RPM 12.x.0.x, while those operating versions 12.5.1.0 and 12.6.1.0 require RPM 12.x.1.x. The company emphasized that applying patches requires no downtime and causes no functional impact.

"If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM," Ivanti warned. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0," scheduled for release later in Q1 2026.

Also read: Ivanti Bugs Exploited Even After Three Months of Patch Availability

Organizations suspecting compromise should not attempt to clean affected systems. Ivanti recommends either restoring EPMM from known-good backups taken before exploitation occurred or rebuilding the appliance and migrating data to replacement systems. After restoration, administrators must reset passwords for local EPMM accounts, LDAP and KDC service accounts, revoke and replace public certificates, and reset passwords for all internal and external service accounts configured with EPMM.

The company's analysis guidance shows particular risks around Sentry integration. While EPMM can be restricted to demilitarized zones with minimal corporate network access, Sentry specifically tunnels traffic from mobile devices to internal network assets. Organizations should review systems accessible through Sentry for potential reconnaissance or lateral movement.

CISA Issues a Tight Two-Day Deadline

CISA's addition of CVE-2026-1281 to the KEV catalog triggers Binding Operational Directive 22-01 requirements. Federal civilian agencies must apply vendor mitigations or discontinue using vulnerable systems by February 1, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize remediation as part of vulnerability management practices.

Notably, CISA added only CVE-2026-1281 to the KEV catalog despite Ivanti confirming exploitation of both vulnerabilities. The agency has not explained this discrepancy.

Also read: CISA Warns of New Malware Campaign Exploiting Ivanti EPMM Vulnerabilities

The disclosure continues Ivanti's troubled 2025, which saw widespread exploitation of multiple zero-day vulnerabilities across its product portfolio. Security researchers previously linked EPMM attacks to sophisticated threat actors, with some incidents attributed to China-nexus advanced persistent threat groups.

Also read: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation

These management platforms represent high-value targets because compromising them effectively transforms the system into enterprise-wide command-and-control infrastructure.

Organizations should apply patches immediately and conduct thorough security assessments of potentially compromised systems to prevent further damage from these actively exploited vulnerabilities.

Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited on systems previously thought to be patched.

The vulnerability, originally disclosed in December 2025, allows unauthenticated attackers to bypass authentication on FortiGate firewalls by forging SAML assertions. At the time, Fortinet released FortiOS version 7.4.9 as the definitive fix for the 7.4 release branch. However, emerging data from the cybersecurity community suggests this update may have failed to close the door on attackers.

The "Zombie" FortiOS Vulnerability

Over the last 48 hours, a wave of reports has surfaced on community hubs like Reddit, where verified administrators have shared logs indicating successful breaches on devices running the supposedly secure FortiOS 7.4.9.

The attack pattern is distinct and alarming. Victims report observing unauthorized logins via the FortiCloud SSO mechanism—even when they do not actively use the feature for their own administration. Once access is gained, the attackers typically create a local administrator account, often named "helpdesk" or similar generic terms, to establish persistence independent of the SSO flaw.

"We have been on 7.4.9 since December 30th," wrote one frustrated administrator who shared redacted logs of the incident. "Our SIEM caught a local admin account being created. The attack vector looks exactly like the original CVE-2025-59718 exploit, but against the patched firmware.

Technical Confusion and Workarounds

The persistence of this flaw in version 7.4.9 has led to speculation that the initial patch was incomplete or that attackers have found a bypass to the mitigation logic. Some users report that Fortinet support has acknowledged the issue privately, hinting that the vulnerability might persist even into upcoming builds like 7.4.10, though this remains unconfirmed by official public advisories.

The exploit relies on the "Allow administrative login using FortiCloud SSO" setting, which is often enabled by default when a device is registered to FortiCloud.

Security experts are now advising a "trust no patch" approach for this specific vector. The only guaranteed mitigation currently circulating in professional circles is to manually disable the vulnerable feature via the Command Line Interface (CLI), regardless of the firmware version installed.

Administrators are urged to run the following command immediately on all FortiGate units:

config system global
    set admin-forticloud-sso-login disable
end

Indicators of Compromise

Organizations running FortiOS 7.4.x—including version 7.4.9—should immediately audit their system event logs for the following activity:

1. Unexpected SSO Logins: Filter logs for successful logins where the method is forticloud-sso, especially from unrecognized public IP addresses.

2. New User Creation: Check for the recent creation of administrator accounts with names like helpdesk, support, or fortinet-admin.

3. Configuration Exports: Look for logs indicating a full system configuration download shortly after an SSO login.

As trust in the official patch cycle wavers, the community is once again serving as the first line of defense, sharing Indicators of Compromise (IOCs) and workarounds faster than vendors can issue bulletins. For now, disable the SSO feature, or risk compromise.

DNS Crash Cause Reboot Loops Across Models 

Administrators Trace Impact to DNS Lookups and SNTP Defaults 

Workarounds Stabilize Networks as Root Cause Remains Unpatched 

CVE-2025-13915: IBM API Connect Authentication Bypass Explained

Affected IBM API Connect Versions

• IBM API Connect V10.0.8.0 through V10.0.8.5
• IBM API Connect V10.0.11.0

IBM Releases Fixes for IBM API Connect Vulnerability

Workarounds and Mitigations for Unpatched Systems

Why the IBM API Connect Vulnerability Matters

The cybersecurity world is facing a "Heartbleed" moment for the NoSQL era. A critical vulnerability in MongoDB, the world’s most popular non-relational database, is being actively exploited in the wild, allowing unauthenticated attackers to "bleed" sensitive memory directly from server processes.

Dubbed "MongoBleed" and tracked as CVE-2025-14847, the flaw represents a catastrophic breakdown in how MongoDB handles compressed data. According to researchers at Wiz, who first sounded the alarm on the active exploitation, the vulnerability allows an attacker to remotely read fragments of the server's memory—potentially exposed credentials, session tokens, and the very data the database is meant to protect—without ever needing a password.

The Mechanics of the Leak

At the heart of MongoBleed is a classic security failure- an out-of-bounds (OOB) read. The vulnerability resides in MongoDB’s implementation of the 'zlib' compression library within its wire protocol.

When a client communicates with a MongoDB server, it can use compression to save bandwidth. Security researchers at OX Security noted that by sending a specially crafted, malformed compressed message, an attacker can trick the server into reading past the allocated buffer. Because the server fails to properly validate the length of the decompressed data against the actual buffer size, it responds by sending back whatever happens to be sitting in the adjacent memory.

This is a haunting echo of the 2014 Heartbleed bug in OpenSSL. Like its predecessor, MongoBleed doesn't require the attacker to "break in" through the front door; instead, it allows them to sit outside and repeatedly ask the server for "scraps" of its internal memory until they’ve reconstructed enough data to stage a full-scale breach.

Exploitation in the Wild

The situation escalated quickly from a theoretical risk to a live crisis. Wiz reported that their global sensor network has detected automated scanners and exploit attempts targeting the flaw almost immediately after technical details began to circulate.

Joe Desimone, a cybersecurity researcher from Elastic Security also published a proof-of-concept exploit which showed how data related to MongoDB internal logs and state, WiredTiger storage engine configuration, system /proc data (meminfo, network stats), Docker container paths, and connection UUIDs and client IPs could be leaked using the MongoBleed bug.

The threat is particularly acute because MongoDB is often the backbone of modern web applications, storing everything from user PII to sensitive financial records. MongoDB has a very large footprint with over 200k internet-facing instances.

The ease of exploitation combined with the lack of authentication makes this a perfect storm for attackers, the Wiz team noted in their analysis. In many cases, an attacker only needs a single successful "bleed" to capture an administrative session token, granting them full control over the entire database cluster.

The Australian Cyber Security Centre (ACSC) has also issued an urgent advisory, warning organizations that the vulnerability affects a vast range of versions, from legacy 4.4 installs up to the most recent 8.0 releases.

For defenders, the challenge is that these memory-leak attacks are notoriously "quiet." Because they happen at the protocol level and don’t involve traditional "login" events, they often bypass standard application-layer logs.

Security researchers like Kevin Beaumont, have also reiterated this. "Because of how simple this is now to exploit — the bar is removed — expect high likelihood of mass exploitation and related security incidents," Beaumont wrote in his personal blog. "The exploit author has provided no details on how to detect exploitation in logs via products like.. Elastic. Advice would be to keep calm and patch internet facing assets.

The Race to Patch

The MongoDB team has moved swiftly to release patches, but the sheer scale of the MongoDB install base makes global remediation a daunting task. The following versions have been identified as patched and safe:

• MongoDB 8.0.4

• MongoDB 7.0.16

• MongoDB 6.0.19

• MongoDB 5.0.31

For organizations that cannot patch immediately, experts recommend a "nuclear" temporary workaround: disabling zlib compression. While this may result in a slight performance hit and increased bandwidth usage, it effectively closes the vector used by MongoBleed.

The aviation sector, government agencies, and tech giants alike are now in a frantic race against time. With automated exploit kits already circulating on dark web forums, the window for patching is closing. For anyone running MongoDB, the time to act was yesterday.

Also read: MongoDB Cyberattack Reveals Customer Data Compromise: Incident Response in Progress