Table of Contents
In this week’s Security Advisory
- FortiGate Devices Under Mass Exploitation
- SolarWinds warns of critical Web Help Desk RCE
- Cisco Patches Unified Communications RCE
- Two-Year-Old VMware vulnerability Exploited in Attacks
- GNU InetUtils Telnetd Server Vulnerable to Authentication Bypass
FortiGate Devices Under Mass Exploitation
Fortinet has released an advisory addressing the previously reported SSO vulnerability, now labeled as CVE-2026-24858 (CVSS 9.4/10). Patches are not available for all affected versions yet, but they are expected soon.
Recommendations
- Check the advisory page daily for updates.
- Apply patches that are available.
More Reading / Information
Original Advisory
We have observed a significant uptick of attacks against Fortinet FortiGate firewall devices, resulting in unauthorized admin account creation. This follows unofficial user reports of a mid-December patch for two vulnerabilities in their SSO implementation, tracked as CVE-2025-59718 and CVE-2025-59719, not fixing the vulnerability.
While Fortinet has not officially acknowledged that these patches were incomplete, we urge IT teams to be prepared to patch, as this campaign is active in the wild.
CyberMaxx already had novel detections in place to detect activity related to this threat.
IOC’s Include
Initial Logins via these accounts:
- cloud-init@mail.io
- cloud-noc@mail.io
Secondary creation of new administrative accounts:
- secadmin
- itadmin
- support
- backup
- remoteadmin
- audit
Recommendations
- If possible, turn off FortiCloud SSO (Please ensure adequate local Admin account access is configured prior to implementing):
- In the GUI, go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off.
- Or through the CLI with the following commands:
- config system global
- set admin-forticloud-sso-login disable
- end
More Reading / Information
- https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/
- https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html
SolarWinds Warns of Critical Web Help Desk RCE
SolarWinds has issued security updates addressing critical vulnerabilities in its Web Help Desk platform, including flaws that allowed authentication bypass and remote code execution. The authentication bypass security flaws are being tracked as CVE-2025-40552 (CVSS 9.8/10) and CVE-2025-40554 (CVSS 9.8/10). Successful exploitation of these vulnerabilities could allow an actor to execute code. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
Affected Versions
- SolarWinds Web Help Desk versions before 2026.1.
Recommendations
- Upgrade to Web Help Desk Version 2026.1.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
Cisco Patches Unified Communications RCE
Cisco has released a patch for CVE-2026-20045 (CVSS 8.2/10), which can be exploited by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. This impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance. While the CVSS score categorizes this vulnerability as high severity, Cisco is labeling it as critical because it can lead to root access on the server when exploited. Cisco also confirmed that attempts to exploit the vulnerability have been observed in the wild.
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
- Restrict access to trusted IPs.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Two-Year-Old VMware vulnerability Exploited in Attacks
A known and patched VMware vulnerability has recently been observed being leveraged by threat actors. The vulnerability, CVE-2024-37079 (CVSS 9.8/10), is an out-of-bounds write issue in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol implementation of vCenter Server. This vulnerability can be exploited by remote attackers with access to vCenter Server via specially crafted network packets.
Affected Versions
A full list of affected versions can be found here.
Recommendations
Apply the latest patches if you are on an old version.
More Reading / Information
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
- https://www.securityweek.com/2024-vmware-flaw-now-in-attackers-crosshairs/
GNU InetUtils Telnetd Server Vulnerable to Authentication Bypass
A Proof-of-Concept exploit has been published for CVE-2026-24061 (CVSS 9.8/10), and exploitations have been seen in the wild. The vulnerability is an authentication bypass in the GNU telnetd service, which does not sanitize the USER environment variable before passing it to the login function. This can be exploited by a remote attacker by sending crafted commands to the USER variable, bypass authentication, and obtain a root shell.
Affected Versions
- A GNU InetUtils version 1.9.3 through 2.7.
Recommendations
- Upgrade to GNU InetUtils version 2.8.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/
- https://www.securityweek.com/organizations-warned-of-exploited-linux-vulnerabilities/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
