This week’s brief is a reminder that identity-adjacent features and device-management control planes are still prime time for exploitation. When SSO becomes an alternate auth path, and MDM sits in front of your mobile fleet, patching is only step one — validation and hunting are step two.
🚨 Top Stories
Fortinet FortiCloud SSO auth bypass (CVE-2026-24858) is actively exploited — disable SSO if you can’t patch immediately
Fortinet confirmed exploitation of an alternate-path authentication bypass affecting multiple Fortinet products when FortiCloud SSO is enabled; CISA published mitigation guidance for defenders.
Source: Fortinet PSIRT • CISA Alert • NVD
💡 Key Takeaway: Treat FortiCloud SSO as an exposure multiplier: patch/upgrade ASAP, disable FortiCloud SSO login until fixed, and review for rogue admins, config exports, and unexpected auth events.
Ivanti EPMM pre-auth RCE (CVE-2026-1281) exploited in the wild — MDM is a tier‑0 target
Ivanti disclosed critical code-injection vulnerabilities in Endpoint Manager Mobile; CISA added CVE-2026-1281 to KEV, citing active exploitation.
Source: Ivanti Advisory • CISA KEV Alert • NVD (1281)
💡 Key Takeaway: If EPMM is internet-reachable, assume it was scanned: patch immediately, rotate admin creds/API tokens, and hunt for suspicious shell/process execution and new admin users.
Municipal ransomware continues to disrupt city operations — New Britain, CT reports multi-day outages
New Britain officials reported a ransomware incident disrupting city phone and network services, with federal involvement. Even when public safety remains up, city services can be down for days.
Source: WFSB report
💡 Key Takeaway: For local gov and critical services: segment “business ops” from dispatch/public safety, pre-stage offline workflows, and test restores for directory services, VoIP, and core line-of-business apps.
🛡️ Vulnerability Spotlight
CVE-2026-24858 (Fortinet) — alternate-path auth bypass via FortiCloud SSO
Impacts FortiOS/FortiManager/FortiAnalyzer and related products. If FortiCloud SSO is enabled, attackers can abuse the SSO flow to access other devices. Exploitation has been observed.
Source: Fortinet PSIRT • NVD
💡 Key Takeaway: Patch to the fixed release for each affected product, then validate: check admin account changes, config export logs, and anomalous FortiCloud/SAML authentication patterns post-upgrade.
CVE-2026-1281 (Ivanti EPMM) — unauthenticated code injection to RCE
A critical pre-auth code injection in Ivanti Endpoint Manager Mobile. Vendor disclosure and CISA KEV add indicate exploitation occurred prior to public disclosure.
Source: Ivanti Advisory • NVD • CISA Alert
💡 Key Takeaway: Treat MDM as tier‑0: patch, review web/app logs for exploit strings, rotate secrets, and verify no persistence (scheduled tasks, new binaries, webshell-like artifacts).
CVE-2026-1340 (Ivanti EPMM) — companion pre-auth RCE used alongside CVE-2026-1281
Ivanti disclosed a second critical pre-auth issue alongside CVE-2026-1281. Defensive teams should remediate both together and assume exploit chaining.
Source: Ivanti Advisory • NVD (1340)
💡 Key Takeaway: Don’t patch one and move on: apply the full vendor remediation set and re-scan externally to confirm the vulnerable endpoints are no longer reachable.
📈 Trend to Watch
SSO features keep turning into alternate access paths — “identity convenience” is becoming a perimeter
This week’s exploited FortiCloud SSO bypass is a reminder: when identity features bridge cloud and on‑prem devices, a single weakness can cascade across fleets.
Source: Fortinet PSIRT Blog • CISA Alert
💡 Key Takeaway: Inventory every SSO integration that reaches admin planes. Require device posture + admin segmentation, and add SSO event telemetry to your weekly threat-hunting checklist.
🏛️ Policy & Regulation Watch
FCC urges communications providers to strengthen ransomware readiness and incident response
A new FCC public notice emphasizes ransomware preparedness and points providers to best practices and reporting considerations to reduce outage and recovery risk.
Source: FCC Public Notice (PDF)
💡 Key Takeaway: If you operate comms or public safety networks: validate offline recovery procedures, confirm escalation/reporting paths, and run a tabletop focused on restoring core services under ransomware pressure.
🧰 Tool / Resource of the Week
CISA Alerts (vendor exploitation guidance) — a reliable signal for “exploitation is happening now”
CISA’s alert feed is the fastest way to catch “vendor says exploited” guidance that turns into real-world incident response work (patch + mitigations + detection) — without hunting across blogs.
Source: CISA Alerts
💡 Key Takeaway: Wire CISA Alerts into your vuln-triage channel, and treat “ongoing exploitation” alerts as same-day change requests: patch/mitigate, then validate with log review and IOC sweeps.
⚡ Quick Hits
CISA adds five exploited vulnerabilities to KEV — patch deadlines keep compressing
CISA’s Jan 26 alert adds five vulnerabilities with evidence of active exploitation, reinforcing the need for a KEV-driven patch SLA.
Source: CISA Alert
💡 Key Takeaway: Automate KEV intake: create tickets within hours, not days, and track “exposure confirmed” vs “patched validated” as separate milestones.
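As an added example (not from the brief or from CISA), the intake loop above in code: KEV entries are matched against an asset inventory, one ticket is opened per affected asset with an internal SLA derived from dateAdded, and “exposure confirmed” and “patched validated” are stamped as separate milestones. The feed excerpt uses the public KEV JSON field names but its dates are placeholders; the inventory and SLA_DAYS values are constructed.

```python
import json
from datetime import date, timedelta

# Constructed excerpt shaped like the public CISA KEV JSON feed (same field
# names). The CVE ids are the ones in this brief; dates are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet", "product": "Multiple Products", "dateAdded": "2026-01-26", "dueDate": "2026-02-02"},
 {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "dateAdded": "2026-01-26", "dueDate": "2026-02-02"}
]}""")

# Constructed asset inventory: vendor plus whether the asset faces the internet.
INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "Fortinet", "exposure": "internet"},
    {"asset": "mdm-prod", "vendor": "Ivanti", "exposure": "internet"},
    {"asset": "fw-lab-02", "vendor": "Fortinet", "exposure": "internal"},
]

# Internal SLA (assumption): internet-facing assets get 1 day, others 7.
SLA_DAYS = {"internet": 1, "internal": 7}

def kev_to_tickets(feed: dict, inventory: list) -> list:
    """One ticket per (KEV entry, matching asset), each with two open milestones."""
    tickets = []
    for vuln in feed["vulnerabilities"]:
        added = date.fromisoformat(vuln["dateAdded"])
        for asset in inventory:
            if vuln["vendorProject"].lower() != asset["vendor"].lower():
                continue
            tickets.append({
                "cve": vuln["cveID"], "asset": asset["asset"],
                "priority": "P1" if asset["exposure"] == "internet" else "P2",
                "kev_due": vuln["dueDate"],  # CISA's own remediation deadline
                "internal_due": (added + timedelta(days=SLA_DAYS[asset["exposure"]])).isoformat(),
                "exposure_confirmed": None, "patched_validated": None,
            })
    return tickets

def record(ticket: dict, milestone: str, when: str) -> dict:
    """Stamp a milestone (ISO date); patched_validated requires exposure_confirmed first."""
    if milestone not in ("exposure_confirmed", "patched_validated"):
        raise ValueError(f"unknown milestone {milestone}")
    if milestone == "patched_validated" and ticket["exposure_confirmed"] is None:
        raise ValueError("confirm exposure before recording patched_validated")
    ticket[milestone] = date.fromisoformat(when).isoformat()  # also validates the date
    return ticket

def overdue(tickets: list, today: str) -> list:
    """Tickets past their internal SLA with no validated patch (ISO dates compare as strings)."""
    return [f"{t['cve']}@{t['asset']}" for t in tickets if t["patched_validated"] is None and today > t["internal_due"]]
```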
Deep-dive: Ivanti EPMM exploit mechanics and investigation clues
WatchTowr published technical analysis and investigation notes that can help defenders validate whether exploitation occurred and what to look for post-patch.
Source: WatchTowr Labs
💡 Key Takeaway: After patching EPMM, hunt: review web logs for anomalous requests, check filesystem integrity, and look for unexpected processes spawned by the service account.
Fortinet’s own analysis of SSO abuse offers logging and defensive context
Fortinet published additional analysis of how the SSO abuse works and what defenders should review in device logs and configuration state.
Source: Fortinet Blog
💡 Key Takeaway: Build a “firewall config theft” detector: alert on config exports/backups, new admin creation, and unusual admin logins from non-admin networks.
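The three indicators in that takeaway as a small detector run over sample events. This is an added example, not Fortinet’s code or log format: the log lines are constructed, the key=value field names (user, srcip, action, status, cfgpath) are assumptions, and ADMIN_NETS stands in for your own admin network allowlist.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample events, not real vendor output. Field names are
# assumptions modelled on key=value appliance logs; map them to your schema.
SAMPLE_LOG = """\
date=2026-01-27 time=09:02:11 user=netops srcip=10.20.0.15 action=login status=success
date=2026-01-27 time=09:05:40 user=netops srcip=10.20.0.15 action=backup status=success msg="Configuration backup to local"
date=2026-01-27 time=11:48:03 user=svc_fcloud srcip=198.51.100.23 action=login status=success method=sso
date=2026-01-27 time=11:49:10 user=svc_fcloud srcip=198.51.100.23 action=Add cfgpath=system.admin cfgobj=support2 status=success
date=2026-01-27 time=11:50:02 user=support2 srcip=198.51.100.23 action=backup status=success msg="Configuration backup to remote"
date=2026-01-27 time=12:01:00 user=netops srcip=10.20.0.15 action=login status=failed
"""

# Networks from which interactive admin access is expected (assumption).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def parse_line(line: str) -> Dict[str, str]:
    """Split key=value tokens; shlex keeps quoted values such as msg="..." whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def from_admin_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)

def detect(log_text: str) -> List[Dict[str, str]]:
    """One alert per successful event that matches a config-theft indicator."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("status") != "success":
            continue  # failed attempts are noise for this detector
        action = ev.get("action", "").lower()
        rule = None
        if action in {"backup", "export", "export-config"}:
            rule = "config-export"
        elif action == "add" and ev.get("cfgpath") == "system.admin":
            rule = "new-admin"
        elif action == "login" and not from_admin_net(ev["srcip"]):
            rule = "admin-login-outside-admin-net"
        if rule:
            # Any hit sourced outside the admin networks is escalated.
            severity = "medium" if from_admin_net(ev["srcip"]) else "high"
            alerts.append({"rule": rule, "severity": severity, "user": ev["user"],
                           "srcip": ev["srcip"], "time": ev["time"]})
    return alerts
```

Against the sample, the routine backup from the admin network is a medium alert, while the SSO login from an outside address followed by a new admin and a remote backup produces three high alerts in sequence, which is the pattern the takeaway is asking you to catch.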
Vite dev-server file exposure (CVE-2025-31125) resurfaced in KEV discussions — don’t expose dev servers
A long-lived Vite dev-server issue continues to show up in exploitation conversations when dev servers are exposed with --host / server.host settings.
Source: GitHub Advisory
💡 Key Takeaway: Treat dev servers as internal-only: block from the internet, enforce allowlists in CI preview environments, and scan for accidental exposure of Vite/webpack hot-reload ports.
⚔️ Actionable Defense Move of the Week
Run a 60-minute “post-patch validation” sprint for tier‑0 appliances
This week’s exploited bugs aren’t just patch-and-forget. You need a small, repeatable validation loop that confirms both remediation and absence of compromise.
💡 Key Takeaway: Pick your tier‑0 list (firewalls, MDM/EMM, VPN, backup, IAM). For each patch: (1) verify version on-box, (2) confirm exposure removed/limited, (3) review last 14 days of admin/auth/config logs, and (4) rotate secrets if compromise is plausible.
🧠 Final Word
If an attacker can bypass auth on a control plane, they don’t need phishing. They just need an IP address.
💡 Key Takeaway: Prioritize controls that remove exposure and prove remediation: segmentation + version verification + log-backed validation.