January 2026 notable vulnerabilities and related headlines summary
A summary of what the media has been reporting over the past month.
1. Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Attacks
Two critical zero-day vulnerabilities in Ivanti EPMM are being actively exploited to achieve unauthenticated remote code execution, with CISA adding CVE-2026-1281 to its Known Exploited Vulnerabilities catalog.
Affected Vendors/Products:
- Ivanti Endpoint Manager Mobile (EPMM) – unauthenticated RCE (CVE-2026-1281, CVE-2026-1340)
2. Fortinet Products Under Widespread Active Exploitation
Multiple Fortinet products face active exploitation of critical vulnerabilities, including FortiCloud SSO authentication bypass and FortiSIEM command injection, forcing Fortinet to temporarily disable SSO services and issue emergency patches.
Affected Vendors/Products:
- Fortinet FortiCloud SSO – authentication bypass actively exploited (CVE-2026-24858)
- Fortinet FortiSIEM – critical command injection enabling root access (CVE-2025-64155)
- Fortinet FortiGate Firewalls – automated attacks stealing configuration data (CVE-2025-59718)
- Fortinet FortiOS – SSO authentication bypass
3. Microsoft Office Zero-Day Enables Malicious Document Attacks
A Microsoft Office zero-day vulnerability is actively exploited in targeted attacks, allowing malicious documents to bypass security checks and execute code, with emergency patches issued.
Affected Vendors/Products:
- Microsoft Office – zero-day RCE allowing malicious documents to bypass security (CVE-2026-21509)
- Microsoft Desktop Window Manager – zero-day privilege escalation actively exploited (CVE-2026-20805)
- Microsoft PowerPoint – code injection vulnerability exploited in attacks
4. Cisco Unified Communications Zero-Day Exploited for Root Access
Cisco Unified Communications Manager faces active exploitation of a zero-day RCE vulnerability, enabling attackers to gain root-level access to affected systems.
Affected Vendors/Products:
- Cisco Unified Communications Manager (CM) – zero-day RCE exploited for root access (CVE-2026-20045)
- Cisco Webex – affected by the same zero-day vulnerability
- Cisco Secure Email Gateway – AsyncOS vulnerability exploited by China-linked APT (CVE-2025-20393)
5. SmarterTools SmarterMail Critical Authentication Bypass
Over 6,000-8,000 SmarterMail servers are exposed to active exploitation of a critical authentication bypass vulnerability allowing remote code execution, with public PoC available.
Affected Vendors/Products:
- SmarterTools SmarterMail – authentication bypass leading to RCE (WT-2026-0001)
6. VMware vCenter Server Exploited in Active Attacks
CISA warns of active exploitation of a critical VMware vCenter Server RCE vulnerability, adding it to the Known Exploited Vulnerabilities catalog.
Affected Vendors/Products:
- Broadcom VMware vCenter Server – RCE vulnerability actively exploited (CVE-2024-37079)
- VMware ESXi – zero-day exploit toolkit used by Chinese-speaking hackers
7. WinRAR Path Traversal Flaw Remains Exploitation Target
Nation-state actors and criminal groups continue exploiting a WinRAR path traversal vulnerability despite patches being available, with Google and Mandiant issuing warnings.
Affected Vendors/Products:
- WinRAR – path traversal vulnerability actively exploited (CVE-2025-8088)
8. GNU InetUtils Telnetd Critical 11-Year-Old Flaw Exploited
Over 800,000 GNU InetUtils telnetd instances are exposed to exploitation of an 11-year-old critical RCE vulnerability enabling root access, with public PoC available.
Affected Vendors/Products:
- GNU InetUtils telnetd – 11-year-old RCE enabling root access (CVE-2026-24061)
9. SolarWinds Web Help Desk Critical Vulnerabilities
SolarWinds addresses four critical vulnerabilities in Web Help Desk, including RCE and authentication bypass flaws that pose high risks to enterprise security.
Affected Vendors/Products:
- SolarWinds Web Help Desk – critical RCE and authentication bypass vulnerabilities
10. HPE OneView Maximum Severity Exploitation
A maximum severity vulnerability in HPE OneView is being actively exploited, with CISA adding it to the KEV catalog and warning of code injection attacks.
Affected Vendors/Products:
- HPE OneView – maximum severity code injection actively exploited (CVE-2025-37164)
- HPE Alletra and Nimble Storage – vulnerability granting admin access to remote attackers
11. GitLab 2FA Bypass and Multiple Vulnerabilities
GitLab patches critical vulnerabilities including 2FA login protection bypass that allows account takeover, along with DoS vulnerabilities.
Affected Vendors/Products:
- GitLab – 2FA bypass enabling account takeover
- GitLab – multiple vulnerabilities enabling arbitrary code execution
12. Oracle Critical Patch Update – 337 Vulnerabilities
Oracle's January 2026 Critical Patch Update addresses 337 security vulnerabilities across multiple product families, including critical Apache Tika flaws.
Affected Vendors/Products:
- Oracle (multiple products) – 337 vulnerabilities including critical Apache Tika flaws (CVE-2025-66516, CVE-2026-21962)
13. Gogs Path Traversal Actively Exploited
CISA warns of active exploitation of a Gogs path traversal vulnerability enabling code execution, adding it to the Known Exploited Vulnerabilities catalog.
Affected Vendors/Products:
- Gogs – path traversal enabling code execution
14. WordPress Modular DS Plugin Critical Flaw Exploited
A critical WordPress Modular DS plugin vulnerability is actively exploited to gain instant admin access, affecting thousands of installations.
Affected Vendors/Products:
- WordPress Modular DS Plugin – critical flaw enabling instant admin access
15. AI/LLM Tools and MCP Server Vulnerabilities
Multiple zero-day vulnerabilities have been discovered in AI tools and Model Context Protocol (MCP) servers, including the Anthropic Git MCP Server, enabling code execution and sandbox escapes.
Affected Vendors/Products:
- Anthropic Git MCP Server – path traversal and argument injection enabling code execution
- Gemini MCP Tool – zero-day allowing arbitrary code execution
- Multiple MCP Servers – command injection vulnerabilities (github-kanban, ollama-mcp-server, mcp-manager)
- Langflow – multiple RCE vulnerabilities via code injection and deserialization
- Open WebUI – command injection and credential disclosure
- n8n – CVSS 10.0 RCE vulnerability (CVE-2026-21877, CVE-2025-68668)
- Foundation Agents MetaGPT – deserialization RCE
- GPT Academic – multiple deserialization RCE flaws
CVEs identified by CISA as actively exploited by threat actors during November. These include:
- Ivanti: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (CVE-2026-1281)
- Fortinet: Fortinet Multiple Products Authentication Bypass Vulnerability (CVE-2026-24858)
- Linux: Linux Kernel Integer Overflow Vulnerability (CVE-2018-14634)
- SmarterTools: SmarterTools SmarterMail Unrestricted File Upload Vulnerability (CVE-2025-52691)
- SmarterTools: SmarterTools SmarterMail Authentication Bypass Vulnerability (CVE-2026-23760)
- GNU: GNU InetUtils telnetd Argument Injection Vulnerability (CVE-2026-24061)
- Microsoft: Microsoft Office Security Feature Bypass Vulnerability (CVE-2026-21509)
- Broadcom: Broadcom VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2024-37079)
- Synacor: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability (CVE-2025-68645)
- Versa: Versa Concerto SD-WAN Improper Authentication Vulnerability (CVE-2025-34026)
- Vite: Vite Vitejs Improper Access Control Vulnerability (CVE-2025-31125)
- Prettier: Prettier eslint-config-prettier Embedded Malicious Code Vulnerability (CVE-2025-54313)
- Cisco: Cisco Multiple Unified Communications Products Vulnerability (CVE-2026-20045)
- Microsoft: Microsoft Windows Desktop Window Manager Information Disclosure Vulnerability (CVE-2026-20805)
- Gogs: Gogs Path Traversal Vulnerability (CVE-2025-8110)
- Microsoft: Microsoft Office PowerPoint Code Injection Vulnerability (CVE-2009-0556)
- Hewlett Packard Enterprise (HPE): HPE OneView Code Injection Vulnerability (CVE-2025-37164)
The following CVE(s) are marked as *known* to be associated with ransomware campaigns.
None for January 2026.
Published: 02 February 2026
Last Updated: same as published
Reading Time: Approximately 10 minutes
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy.
This article synthesizes findings from cybersecurity reports, academic research, vendor security advisories, and documented breach incidents to provide a comprehensive overview of the security threat landscape as of January 2026.