Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

LDAP is commonly used as a centralized authentication backend for VPN gateways. In a typical setup, users submit credentials to the VPN service, which forwards them to the LDAP server for validation. The VPN gateway then grants or denies access based on the response it receives. CVE-2026-22153 does not rely on malformed packets or memory corruption. Instead, it stems from flawed authentication logic, where certain LDAP response states can be misinterpreted under specific configurations.

The modern enterprise software ecosystem increasingly relies on desktop AI applications enhanced through extensible plugin or extension frameworks. These extensions are designed to improve productivity by enabling integrations with local files, browsers, APIs, developer tools, and internal systems. However, this same extensibility introduces a high-risk attack surface when extension permissions, sandboxing, and input validation are weakly enforced.

In mid-January 2026, one of the most ironic cybersecurity incidents in recent memory occurred: eScan antivirus software from MicroWorld Technologies began delivering malware to its own users. Attackers gained unauthorized access to a regional update server and quietly replaced a legitimate update component with a malicious version. For roughly two hours on January 20, 2026, systems that attempted to fetch updates received a trojanized Reload.exe instead of a security patch.

CVE-2026-25253 is a high-severity vulnerability (CVSS 8.8) in OpenClaw (formerly Clawdbot/Moltbot), an open-source AI agent framework. It allows attackers to exfiltrate authentication tokens via a crafted URL, leading to full gateway compromise and remote code execution (RCE) with one click. Disclosed in early February 2026, it affects versions before 2026.1.29.

During routine Dark Web Monitoring activities, Our Threat Intelligence Team identified a newly active ransomware operation calling itself The Green Blood Group. The group operates a dedicated Tor-based leak site and follows a double-extortion model, threatening public disclosure of victim data when negotiations fail. The screenshot shown above captures the group’s Tor portal in its current state.

CVE-2026-24858 is a critical authentication bypass vulnerability(CWE-288: Authentication Bypass Using an Alternate Path or Channel) in Fortinet products. It affects FortiOS, FortiAnalyzer, FortiManager, and potentially FortiProxy. An attacker with a FortiCloud account and registered device can log into devices registered to other accounts if FortiCloud SSO is enabled. Disclosed January 27, 2026, as actively exploited zero-day. CVSS 9.4 (some sources cite 9.8).

Let’s be honest: in 2026, the traditional “firewall” is a bit of a relic. Having spent years analyzing how threat actors operate, I can tell you they aren’t banging on your front door anymore. Why would they? It’s much easier to build a pixel-perfect replica of your front door down the street and trick your customers into handing over their keys there.

CVE-2026-23745 is a high-severity path traversal flaw in node-tar (the tar library for Node.js). Versions ≤7.5.2 fail to sanitize linkpath in hardlink and symlink entries when preservePaths is false (default secure mode). Malicious tar archives bypass extraction root restrictions, enabling arbitrary file overwrite via hardlinks and symlink poisoning via absolute targets. Discovered January 2026, patched in 7.5.3. Impacts npm ecosystems, CI/CD pipelines, and apps extracting untrusted archives.

CVE-2025-34299 is a critical vulnerability in Monsta FTP, a web-based file transfer tool, unauthenticated arbitrary file write via remote download leading to remote code execution (RCE). Affecting versions 2.11 and earlier, it enables attackers to upload malicious files via a crafted SFTP or FTP connection, compromising servers without credentials. This flaw has seen active exploitation through opportunistic scans. By January 2026, Vulnerable instances remain exposed.

CVE-2025-14847, nicknamed MongoBleed, is a high-severity (CVSS 7.5–8.7) unauthenticated information disclosure vulnerability in MongoDB Server. It allows remote attackers to leak uninitialized heap memory containing sensitive data—such as credentials, API keys, session tokens, and PII—without authentication. Exploitation occurs pre-authentication via malformed zlib-compressed network packets on port 27017.