January CVE Report Notes Rise in Critical Flaws
A January 2026 vulnerability report noted a 5% increase in the number of critical CVEs, totaling 23 for the month. Its key finding was a Microsoft Office zero-day actively exploited by the state-sponsored group APT28.
- The Microsoft Office zero-day was identified as CVE-2026-21509 and carries a CVSS score of 7.8, reflecting a critical security feature bypass vulnerability. This flaw was actively exploited by the Russian state-sponsored group APT28 (also known as Fancy Bear) just one day after Microsoft's public disclosure on January 26, 2026.
- APT28's campaign, codenamed "Operation Neusploit," used phishing emails with malicious Rich Text Format (RTF) documents to trigger the exploit when opened by users in targeted regions like Ukraine, Slovakia, and Romania.
- Successful exploitation of CVE-2026-21509 allowed the attackers to bypass Office's Object Linking and Embedding (OLE) mitigations and deliver multiple malware payloads. These included an email-stealing tool called MiniDoor and a loader known as PixyNetLoader, which deployed a Covenant Grunt implant for persistent remote access.
- Beyond the Microsoft zero-day, the January report highlighted a trend of critical authentication bypass and remote code execution (RCE) flaws, with vendors like SmarterTools, Cisco, and Ivanti also releasing significant patches.
- Publicly available proof-of-concept (PoC) exploit code already exists for 14 of the 23 critical vulnerabilities reported in January, increasing the risk of widespread attacks by other malicious actors.
- The CISA Known Exploited Vulnerabilities (KEV) catalog added 15 new entries in January, including the Microsoft Office flaw and critical vulnerabilities in products from Fortinet, SmarterTools, and Cisco.
- APT28 has been active since at least 2007 and has a history of targeting government, military, and critical infrastructure entities, often using spear-phishing and exploiting unpatched vulnerabilities.
- Another campaign by APT28, "Operation MacroMaze," ran from September 2025 to January 2026, using simple macro-based malware and legitimate web services for data exfiltration against targets in Western and Central Europe.
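The RTF-with-embedded-OLE delivery described above is a pattern defenders can triage at the mail gateway without knowing the specifics of any one exploit. The following Python script is an added example, not code from the report or from any vendor: it walks an RTF file, extracts each `\object` group, decodes the hex-encoded `\objdata` payload, and flags objects that carry the `\objupdate` control word (which asks Word to refresh the object when the document opens) or that wrap a Compound File Binary (OLE2) header. The sample RTF it analyzes is constructed inline with a dummy "Package" object and is not a real malicious document; the header check is deliberately loose because Word's parser accepts truncated headers such as `{\rt`.

```python
import re
from dataclasses import dataclass, field

# Compound File Binary (OLE2) magic bytes; embedded OLE1 objects frequently wrap one.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# RTF control words used by embedded objects (RTF 1.9 specification).
OBJ_CLASS = re.compile(r"\\\*\\objclass\s+([^{}\\]+)")
OBJ_DATA = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]*)")


@dataclass
class EmbeddedObject:
    obj_class: str      # value of \objclass, e.g. "Package"
    size: int           # decoded \objdata length in bytes
    has_cfb: bool       # decoded data contains an OLE2 compound-file header
    auto_update: bool   # object group carries \objupdate


@dataclass
class RtfTriage:
    is_rtf: bool
    objects: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either indicator alone is worth a second look at a mail gateway.
        return any(o.auto_update or o.has_cfb for o in self.objects)


def _balanced_group(text: str, start: int) -> str:
    """Return the brace group that opens at text[start]; escaped braces (\\{ \\}) are skipped."""
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2          # skip the escaped character or first letter of a control word
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]     # unterminated group: Word is lenient, so take the remainder


def triage_rtf(data: bytes) -> RtfTriage:
    """Enumerate embedded OLE objects in an RTF document and flag auto-update / CFB payloads."""
    text = data.decode("latin-1")
    result = RtfTriage(is_rtf=text.lstrip().startswith("{\\rt"))
    for match in re.finditer(r"\{\\object\b", text):
        group = _balanced_group(text, match.start())
        cls = OBJ_CLASS.search(group)
        hexdata = OBJ_DATA.search(group)
        blob = b""
        if hexdata:
            # \objdata is hex text, usually wrapped across many lines.
            blob = bytes.fromhex(re.sub(r"\s+", "", hexdata.group(1)))
        result.objects.append(EmbeddedObject(
            obj_class=cls.group(1).strip() if cls else "",
            size=len(blob),
            has_cfb=CFB_MAGIC in blob,
            auto_update="\\objupdate" in group,
        ))
    return result


def sample_rtf() -> bytes:
    """Constructed sample (not a real exploit): one 'Package' object marked \\objupdate whose
    OLE1 native data wraps a compound-file header followed by a zero-filled stub."""
    class_name = b"Package\x00"
    native = (
        (0x00000501).to_bytes(4, "little")           # OLE1 version (01 05 00 00)
        + (2).to_bytes(4, "little")                  # FormatID 2 = embedded object
        + len(class_name).to_bytes(4, "little")      # length-prefixed class name
        + class_name
        + CFB_MAGIC + b"\x00" * 24                   # payload stub, constructed
    )
    hexdata = native.hex()
    wrapped = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return (
        "{\\rtf1\\ansi\\deff0 Quarterly report attached.\n"
        "{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
        "{\\*\\objdata\n" + wrapped + "\n}}\n"
        "\\par Regards}\n"
    ).encode("latin-1")


if __name__ == "__main__":
    report = triage_rtf(sample_rtf())
    for obj in report.objects:
        print(f"class={obj.obj_class!r} size={obj.size} cfb={obj.has_cfb} objupdate={obj.auto_update}")
    print("suspicious:", report.suspicious)
```

Run it against a real quarantined attachment with `triage_rtf(open(path, "rb").read())`. The script is a triage heuristic, not a verdict: legitimate documents embed OLE objects too, so the output is best fed into a sandbox or analyst queue, and an `\objupdate` hit on an inbound attachment is the item to prioritize.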