Security Check-in Quick Hits: Cisco Zero-Day Exploits, Fortinet SSO Attacks, AI Malware Emergence, Ingram Micro Ransomware, and Cloud Testing App Breaches
For January 23, 2026
Active Exploitation of Cisco Zero-Day Vulnerability (CVE-2026-20045)
A critical zero-day vulnerability in Cisco’s Unified Communications products, tracked as CVE-2026-20045, is under active exploitation. The flaw allows an unauthenticated remote attacker to execute arbitrary code on affected systems, which can lead to full compromise of the device.
Affected products include Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service, Unity Connection, and Webex Calling. A successful attack can be used to gain elevated privileges, run unauthorized commands, and read sensitive data. The confidentiality impact is rated high, since a successful attack can expose critical information; the integrity impact is rated low, but even limited tampering with a call-control platform poses a risk to business operations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal civilian agencies to remediate it by the catalog’s due date.
Cisco has released fixed software and urges customers to update promptly. Until the patches are applied, restrict access to the affected services (ideally to management networks only), segment the UC infrastructure from general user networks, and monitor these hosts for suspicious activity. The incident underscores the importance of rapid patch management against zero-day threats.
Communication platforms remain an attractive target for threat actors, so staying vigilant and proactive is key to maintaining digital security.
Fortinet FortiGate SSO Vulnerabilities Under Active Attack
Fortinet FortiGate firewalls are being hit by a wave of automated attacks that exploit vulnerabilities in the FortiCloud Single Sign-On (SSO) login feature. Tracked as CVE-2025-59718 and CVE-2025-59719, the flaws let an attacker add unauthorized administrator accounts, enable VPN access, and export the firewall configuration, a chain that takes only seconds once access is obtained.
Threat actors are rapidly scanning for exposed FortiGate devices, injecting malicious configuration, and extracting sensitive data. Even patched devices may be at risk if SSO is misconfigured or the management interface is exposed to the internet. Arctic Wolf researchers have observed these attacks in the wild, with exploitation beginning almost immediately after the vulnerabilities were disclosed.
Fortinet recommends disabling FortiCloud SSO login immediately and applying the latest patches. Organizations should also review logs for unusual administrative activity (new admin accounts, changes to VPN settings, configuration backups), rotate credentials, and keep management interfaces off the public internet. The speed of these attacks shows how mature automated exploitation tooling has become and why disciplined configuration management matters.
Firewalls are a frontline defense; these incidents are a reminder to prioritize security hygiene on network appliances.
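The log review recommended above can be scripted. The block below is an added example (not code from Fortinet, Arctic Wolf, or this page) that parses FortiGate-style key=value event logs, flags the four actions the attack chain consists of (admin login from an untrusted source, admin account creation, SSL-VPN settings change, configuration backup/export), and then looks for the "seconds-long" chain: account creation plus config export from one source address inside a short window. The sample log lines are constructed; the field names (logdesc, user, ui, action, cfgpath, cfgobj) follow the FortiOS event-log schema as I know it and should be checked against your own devices, and the trusted management networks are an assumption. The FortiCloud SSO switch itself is `admin-forticloud-sso-login` under `config system global` in the FortiOS CLI; verify the exact setting for your firmware against Fortinet's advisory.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# key="quoted value" or key=bareword, the way FortiGate writes event logs.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# ui="https(203.0.113.7)" carries the admin's source address in parentheses.
UI_IP_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")

# Networks from which admin logins are expected (assumed for this example).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample lines, not a live capture: an attacker at 203.0.113.7 logs
# in via SSO, adds an admin, enables SSL-VPN and exports the config in 19 s;
# a legitimate admin at 10.1.5.20 later edits a firewall policy.
SAMPLE_LOGS = [
    'date=2026-01-20 time=10:15:02 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" msg="Administrator admin logged in successfully from https(203.0.113.7)"',
    'date=2026-01-20 time=10:15:09 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-01-20 time=10:15:14 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="https(203.0.113.7)" action="Edit" cfgpath="vpn.ssl.settings" cfgattr="status[disable->enable]" msg="Edit vpn.ssl.settings"',
    'date=2026-01-20 time=10:15:21 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Config backup" user="admin" ui="https(203.0.113.7)" action="backup" msg="Config backup by admin"',
    'date=2026-01-20 time=11:02:40 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.1.5.20)" msg="Administrator netops logged in successfully from https(10.1.5.20)"',
    'date=2026-01-20 time=11:05:00 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="netops" ui="https(10.1.5.20)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]


def parse_fortigate_line(line: str) -> dict:
    """Turn one key=value event line into a dict, stripping surrounding quotes."""
    ev = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        ev[key] = val
    return ev


def source_ip(ev: dict):
    m = UI_IP_RE.search(ev.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip) -> bool:
    return ip is not None and any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)


def classify(ev: dict):
    """Map an event to one of the attack-chain stages, or None if benign."""
    path = ev.get("cfgpath", "")
    action = ev.get("action", "").lower()
    desc = ev.get("logdesc", "").lower()
    if path == "system.admin" and action == "add":
        return "admin-account-created"
    if path.startswith("vpn.ssl") and action in ("edit", "add"):
        return "ssl-vpn-config-changed"
    if "backup" in desc or action == "backup":
        return "config-exported"
    if "login successful" in desc and not is_trusted(source_ip(ev)):
        return "admin-login-untrusted-source"
    return None


def event_time(ev: dict) -> datetime:
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")


def hunt(lines, window_seconds: int = 120):
    """Return (findings, chains): every flagged event, plus per-source chains
    where an admin was created AND the config exported within the window."""
    findings = []
    for line in lines:
        ev = parse_fortigate_line(line)
        tag = classify(ev)
        if tag:
            findings.append({"tag": tag, "time": event_time(ev),
                             "src": source_ip(ev), "user": ev.get("user")})
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], []).append(f)
    chains = []
    for src, fs in by_src.items():
        tags = {f["tag"] for f in fs}
        if {"admin-account-created", "config-exported"} <= tags:
            span = (max(f["time"] for f in fs) - min(f["time"] for f in fs)).total_seconds()
            if span <= window_seconds:
                chains.append({"src": src, "seconds": span, "tags": sorted(tags)})
    return findings, chains


if __name__ == "__main__":
    found, chains = hunt(SAMPLE_LOGS)
    for f in found:
        print(f"{f['time']} {f['src']:>15} {f['user']:<8} {f['tag']}")
    for c in chains:
        print(f"CHAIN from {c['src']}: {', '.join(c['tags'])} in {c['seconds']:.0f}s")
```

The chain rule deliberately keys on account creation plus export rather than on the login, because a forged SSO login may arrive from an address you would otherwise trust; treat any hit on the chain as a confirmed compromise and rotate every credential stored in the exported configuration.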
Emergence of AI-Generated Malware: The VoidLink Threat
AI-assisted malware has arrived, and VoidLink marks a significant escalation. This Linux-based malware, possibly generated with the help of AI tools, demonstrates sophisticated evasion, persistence, and data exfiltration capabilities.
VoidLink targets developers and systems administrators, using techniques such as prompt injection and malicious packages to compromise their environments. Check Point Research describes it as the start of an era in which AI streamlines malware creation and puts advanced tooling within reach of less skilled actors. Related issues include vulnerabilities in the Chainlit AI framework (CVE-2026-22218 and CVE-2026-22219) that allow remote file access and server-side request forgery, with the potential to lead to cloud breaches.
Other AI security concerns this week include code execution flaws in Anthropic’s Git MCP server, prompt injection in Microsoft Copilot, and unsecured AI agents in development tools.
Defenders should keep AI tooling updated, scrutinize third-party packages, and apply AI-specific controls such as input validation and sandboxing of agent actions. As AI lowers the barrier to cybercrime, defenses must evolve just as quickly.
Ingram Micro Ransomware Breach: A Supply Chain Wake-Up Call
Ingram Micro, one of the world’s largest IT distributors, has fallen victim to a ransomware attack that exposed personal data of more than 42,000 individuals. Stolen records include names, contact details, dates of birth, and government identifiers such as Social Security numbers, driver’s license numbers, and passport numbers.
Data of that kind is well suited to identity theft and targeted phishing. The incident also shows the ripple effect of supply chain attacks: Ingram Micro serves thousands of organizations worldwide, so a breach of the distributor touches all of them.
Affected parties should rotate credentials, monitor for suspicious activity, enforce MFA, and revoke stale vendor access. Organizations that integrate with Ingram Micro should review those integrations and apply conditional access policies to them.
The broader lesson is that supply chain compromise is a matter of “when,” not “if.” Strong vendor management and a zero-trust architecture limit the blast radius when it happens.
Exploitation of Misconfigured Security Testing Apps in Cloud Environments
Attackers are increasingly targeting misconfigured security-testing, demo, and pentesting applications left running in cloud environments such as AWS, GCP, and Azure. These intentionally vulnerable “damn vulnerable” style apps, often exposed with default credentials, serve as entry points for deploying cryptominers and webshells and for escalating to a full breach.
Nearly 2,000 such exposed apps have been identified, including instances belonging to Fortune 500 companies. Attackers use them as a foothold for lateral movement and access to sensitive data, turning training environments into real intrusions.
Recommendations: decommission temporary labs promptly, monitor for exposed instances, and hold every cloud asset, demo or not, to production-level security standards. An overlooked demo deployment can become a critical vulnerability.
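The three recommendations above can be enforced as a policy check over a cloud inventory. The following is an added example (not code from the research being reported or from this page) that evaluates a constructed, cloud-agnostic inventory: an asset is a lab if it is tagged as one or its name matches a well-known intentionally vulnerable app, it is exposed if a security-group or firewall rule admits 0.0.0.0/0 or ::/0, and it is expired if it has passed its `ttl` tag or a default age budget. Expired labs are marked for decommissioning, unexpired but exposed labs for ingress restriction. The tag names (`purpose`, `environment`, `ttl`), the 14-day default, and the inventory records are assumptions for the example; in practice the records would be built from the provider's API output.

```python
import re
from datetime import date, timedelta

# Names of well-known intentionally vulnerable apps plus generic lab markers.
# Broad on purpose: "lab" also hits "collaboration", so review hits before acting.
LAB_NAME_PATTERNS = re.compile(
    r"(dvwa|damn.?vulnerable|juice.?shop|webgoat|metasploitable|pentest|demo|lab)", re.I)
LAB_TAG_VALUES = {"lab", "demo", "pentest", "training", "test"}
ANY_ADDR = {"0.0.0.0/0", "::/0"}
DEFAULT_MAX_AGE = timedelta(days=14)   # assumed budget for untagged labs

# Constructed inventory, normalized across providers (not real API output).
SAMPLE_INVENTORY = [
    {"id": "i-0a1b2c3d", "cloud": "aws", "name": "dvwa-training", "created": "2025-12-15",
     "tags": {"purpose": "lab", "ttl": "2026-01-10"},
     "ingress": [{"port": 80, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "vm-7781", "cloud": "gcp", "name": "juice-shop-demo", "created": "2026-01-20",
     "tags": {},
     "ingress": [{"port": 3000, "cidr": "0.0.0.0/0"}]},
    {"id": "webgoat-vm", "cloud": "azure", "name": "webgoat-vm", "created": "2026-01-22",
     "tags": {"purpose": "pentest"},
     "ingress": [{"port": 8080, "cidr": "203.0.113.0/24"}]},
    {"id": "i-9f8e7d6c", "cloud": "aws", "name": "payments-api-prod", "created": "2025-06-01",
     "tags": {"environment": "production"},
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]


def looks_like_lab(asset: dict) -> bool:
    """Lab by tag (purpose/environment) or by a recognizable app name."""
    tags = {k.lower(): str(v).lower() for k, v in asset.get("tags", {}).items()}
    if tags.get("purpose") in LAB_TAG_VALUES or tags.get("environment") in LAB_TAG_VALUES:
        return True
    return bool(LAB_NAME_PATTERNS.search(asset.get("name", "")))


def public_ingress(asset: dict) -> list:
    """Rules that admit the whole internet, on any port."""
    return [r for r in asset.get("ingress", []) if r.get("cidr") in ANY_ADDR]


def expired(asset: dict, today: date) -> bool:
    """Past the declared ttl tag, or older than the default budget if untagged."""
    ttl = asset.get("tags", {}).get("ttl")
    if ttl:
        return date.fromisoformat(ttl) < today
    return today - date.fromisoformat(asset["created"]) > DEFAULT_MAX_AGE


def evaluate(inventory, today: date) -> list:
    """Return one finding per lab asset that is expired or internet-exposed.
    Non-lab assets are out of scope here; public production services are
    governed by a different policy."""
    findings = []
    for asset in inventory:
        if not looks_like_lab(asset):
            continue
        open_rules = public_ingress(asset)
        is_expired = expired(asset, today)
        if is_expired:
            action = "decommission"
        elif open_rules:
            action = "restrict-ingress"
        else:
            continue
        findings.append({
            "id": asset["id"], "cloud": asset["cloud"], "name": asset["name"],
            "action": action, "expired": is_expired,
            "open_ports": sorted(r["port"] for r in open_rules),
        })
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY, date(2026, 1, 23)):
        print(f"{f['cloud']:<5} {f['id']:<12} {f['name']:<18} -> {f['action']} "
              f"(expired={f['expired']}, open_ports={f['open_ports']})")
```

Expiry wins over exposure because a lab that should no longer exist is fixed by deleting it, not by tightening its rules; and the check only ever reads metadata, so it is safe to run on a schedule and feed into a ticketing system. A live follow-up, such as probing flagged hosts for their default login page, belongs in a separate authorized step.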