January 2026 CVE Analysis: 23 Critical Vulnerabilities Discovered as APT28 Exploits Microsoft Office Zero-Day Flaw

January 2026 brought a modest but meaningful uptick in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation — up from 22 in December 2025, a 5% increase. The headline threat: Russian state-sponsored group APT28 actively exploiting a Microsoft Office zero-day, alongside a wave of critical authentication bypass flaws hitting enterprise infrastructure.

What security teams need to know:

  • APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
  • Microsoft and SmarterTools lead concerns: These two vendors accounted for 30% of January's vulnerabilities, spanning multiple critical authentication bypass and remote code execution (RCE) flaws
  • Public exploits proliferate: Fourteen of the 23 vulnerabilities have publicly available proof-of-concept exploit code, significantly lowering the barrier for opportunistic attacks
  • Code Injection dominates: CWE-94 (Code Injection) was the most prevalent weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Bottom line: The slight numerical increase obscures the severity of the underlying threats. APT28's zero-day exploitation and a cluster of critical authentication bypass vulnerabilities underscore that sophisticated threat actors are actively targeting enterprise communication and management platforms for initial access and long-term persistence.

Quick Reference Table

All 23 vulnerabilities below were actively exploited in January 2026.

# | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC
1 | | 99 | Cisco Identity Services Engine Software | CWE-611 (Improper Restriction of XML External Entity Reference) | No
2 | | 99 | Microsoft Windows | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) |
3 | | 99 | Microsoft Windows | CWE-73 (External Control of File Name or Path) | No
4 | | 99 | Modular DS Plugin | CWE-266 (Incorrect Privilege Assignment) |
5 | | 99 | GNU InetUtils | CWE-88 (Argument Injection) |
6 | | 99 | Cisco Unified Communications Manager | CWE-94 (Code Injection) |
7 | | 99 | SmarterTools SmarterMail | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) |
8 | | 99 | SmarterTools SmarterMail | CWE-306 (Missing Authentication for Critical Function) |
9 | | 99 | Microsoft Office | CWE-807 (Reliance on Untrusted Inputs in a Security Decision) |
10 | | 99 | Fortinet Multiple Products | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) |
11 | | 99 | SolarWinds Web Help Desk | CWE-502 (Deserialization of Untrusted Data) | No
12 | | 99 | Ivanti Endpoint Manager Mobile (EPMM) | CWE-94 (Code Injection) |
13 | | 99 | Ivanti Endpoint Manager Mobile (EPMM) | CWE-94 (Code Injection) |
14 | | 99 | Linux Kernel | CWE-190 (Integer Overflow or Wraparound) |
15 | | 99 | SmarterTools SmarterMail | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
16 | | 99 | Broadcom VMware vCenter Server | CWE-787 (Out-of-bounds Write) | No
17 | | 99 | Synacor Zimbra Collaboration Suite (ZCS) | CWE-98 (PHP Remote File Inclusion) |
18 | | 99 | Versa Concerto | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | No
19 | | 99 | Vite Vitejs | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) |
20 | | 99 | Prettier eslint-config-prettier | CWE-506 (Embedded Malicious Code) | No
21 | | 89 | Gogs | CWE-22 (Path Traversal) |
22 | | 89 | Microsoft Office | CWE-94 (Code Injection) | No
23 | | 89 | Hewlett Packard Enterprise OneView | CWE-94 (Code Injection) |

Table 1: List of vulnerabilities actively exploited in January based on Recorded Future data (Source: Recorded Future)

Key Trends in January 2026

Affected Vendors

  • Microsoft faced four critical vulnerabilities across Windows and Office products, most notably APT28's zero-day exploitation of CVE-2026-21509
  • SmarterTools accounted for three critical vulnerabilities in SmarterMail, each enabling authentication bypass or remote code execution
  • Cisco had two critical flaws — one in Identity Services Engine and one in Unified Communications Manager
  • Ivanti contended with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile
  • Additional affected vendors and projects include Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS

Most Common Weakness Types

  • CWE-94 – Code Injection
  • CWE-288 – Authentication Bypass Using an Alternate Path or Channel
  • CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Threat Actor Activity

APT28's Operation Neusploit marked January's most sophisticated campaign:

  • Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files
  • Deployed MiniDoor, a malicious Outlook VBA project engineered to collect and forward victim emails to hardcoded attacker-controlled addresses
  • Deployed PixyNetLoader, which staged additional components and ultimately delivered a Covenant Grunt implant
  • Abused the Filen API as a command-and-control (C2) bridge between the implant and an actor-controlled Covenant listener

Priority Alert: Active Exploitation

The following vulnerability demands immediate attention due to confirmed exploitation in the wild.

CVE-2026-21509 | Microsoft Office

Risk Score: 99 (Very Critical) | Actively exploited by APT28

Why this matters: Zero-day exploitation by Russian state-sponsored actors allows attackers to bypass Office security features, enabling delivery of email collection implants and persistent backdoors. The flaw stems from the application's reliance on untrusted inputs in security decisions, permitting unauthorized attackers to circumvent OLE mitigations without user interaction beyond opening a malicious file.

Affected versions: Microsoft 365 and Microsoft Office (specific versions not detailed in the advisory)

Immediate actions:

  • Install Microsoft's out-of-band update released January 26, 2026
  • Search email systems for RTF attachments containing embedded malicious droppers
  • Inspect %appdata%\Microsoft\Outlook\VbaProject.OTM for unauthorized modifications
  • Examine registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
  • Monitor network connections to 213[.]155[.]157[.]123:443 and remote access to Microsoft Office CDN endpoints
  • Search for scheduled tasks named "OneDriveHealth" and suspicious files at %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png
  • Block sender addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me

Figure 1: Vulnerability Intelligence Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)
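The host-side checks in the list above can be scripted. The following Python triage helper is an added example, not Recorded Future, Microsoft or any other party's tooling: it carries the indicator values quoted in this section (the C2 endpoint, the task name, the file paths and the registry values), evaluates them in pure functions against an evidence snapshot so the logic can be tested on any OS, and includes a standard-library collector for Windows hosts. The meaning assigned to the registry data (Security\Level 1 enabling all macros, LoadMacroProviderOnBoot 1 forcing the VBA project to load) is an assumption drawn from Outlook documentation rather than something the report states, and PONT_STRING is flagged for review only because it is also set legitimately when users dismiss prompts.

```python
"""Host-triage helpers for the CVE-2026-21509 / Operation Neusploit artifacts
listed in the Immediate actions above. The check_* functions are pure and take an
evidence snapshot, so they run anywhere; collect_windows_evidence() builds a real
snapshot on Windows using only the standard library. Added example, not vendor code."""
import os
import subprocess
import sys

# Indicators quoted in the report (defanging brackets removed for matching).
C2_ENDPOINT = ("213.155.157.123", 443)
SUSPICIOUS_TASK = "OneDriveHealth"
DROPPED_FILE = r"%programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png"
VBA_PROJECT = r"%appdata%\Microsoft\Outlook\VbaProject.OTM"
OUTLOOK_KEY = r"Software\Microsoft\Office\16.0\Outlook"
REGISTRY_VALUES = (                      # all under HKCU
    (OUTLOOK_KEY + r"\Security", "Level"),
    (OUTLOOK_KEY + r"\Options\General", "PONT_STRING"),
    (OUTLOOK_KEY, "LoadMacroProviderOnBoot"),
)


def check_registry(values):
    """values maps (HKCU subkey, value name) -> data, or None when absent.
    Assumption (Outlook documentation, not the report): Security Level 1 means
    'Enable all macros'; LoadMacroProviderOnBoot 1 loads VbaProject.OTM at start."""
    findings = []
    if values.get(REGISTRY_VALUES[0]) == 1:
        findings.append("Outlook Security Level=1: all macros enabled")
    if values.get(REGISTRY_VALUES[2]) == 1:
        findings.append("LoadMacroProviderOnBoot=1: VbaProject.OTM forced to load")
    if values.get(REGISTRY_VALUES[1]):
        findings.append("PONT_STRING populated: Outlook prompts suppressed, review value")
    return findings


def check_files(present_paths):
    """present_paths: the indicator path templates that exist on the host."""
    return [f"indicator file present: {p}" for p in (VBA_PROJECT, DROPPED_FILE)
            if p in present_paths]


def check_tasks(task_names):
    """task_names as printed by schtasks, e.g. '\\OneDriveHealth' or '\\Folder\\Name'."""
    return [f"scheduled task present: {t}" for t in task_names
            if t.rsplit("\\", 1)[-1].lower() == SUSPICIOUS_TASK.lower()]


def check_connections(remote_endpoints):
    """remote_endpoints: iterable of (ip, port) tuples for current TCP sockets."""
    return [f"connection to C2 endpoint {ip}:{port}"
            for ip, port in remote_endpoints if (ip, port) == C2_ENDPOINT]


def triage(evidence):
    """Run every check over one evidence snapshot and return the findings."""
    return (check_registry(evidence["registry"]) + check_files(evidence["files"])
            + check_tasks(evidence["tasks"]) + check_connections(evidence["connections"]))


def collect_windows_evidence():
    """Build an evidence snapshot on a Windows host (standard library only)."""
    import winreg  # Windows-only module, imported lazily
    registry = {}
    for subkey, name in REGISTRY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                registry[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            registry[(subkey, name)] = None
    files = {p for p in (VBA_PROJECT, DROPPED_FILE)
             if os.path.exists(os.path.expandvars(p))}
    rows = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/NH"],
                          capture_output=True, text=True).stdout.splitlines()
    tasks = [row.split(",")[0].strip('"') for row in rows if row.startswith('"')]
    connections = []
    for line in subprocess.run(["netstat", "-ano"], capture_output=True,
                               text=True).stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "TCP" and ":" in parts[2]:
            ip, _, port = parts[2].rpartition(":")
            if port.isdigit():
                connections.append((ip, int(port)))
    return {"registry": registry, "files": files, "tasks": tasks,
            "connections": connections}


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collect_windows_evidence() runs on Windows only")
    for finding in triage(collect_windows_evidence()) or ["no indicators found"]:
        print(finding)
```

Run it as the affected user so that HKCU and %appdata% resolve to that user's hive and profile; the sender-address block in the last bullet belongs on the mail gateway and is not covered here.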

CVE-2026-23760 | SmarterTools SmarterMail

Risk Score: 99 (Very Critical) | CISA KEV: Added January 26, 2026

Why this matters: Attackers can reset system administrator passwords without authentication, enabling full administrative control and potential remote code execution through volume mount command injection.

Affected versions: SmarterTools SmarterMail prior to build 9511

Immediate actions:

  • Upgrade to build 9511 or later immediately
  • Review administrator account logs for unauthorized password resets
  • Inspect Volume Mounts configuration for suspicious command entries
  • Examine administrator access patterns and session logs
  • Audit systems for unauthorized changes made with compromised admin credentials

CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile

Risk Score: 99 (Very Critical) | CISA KEV: CVE-2026-1281 added January 29, 2026

Why this matters: Pre-authentication remote code execution flaws in EPMM allow unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.

Affected versions: Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier

Immediate actions:

  • Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm
  • Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)
  • Monitor for unusual Apache RewriteMap activity
  • Review logs for crafted HTTP parameters targeting app store retrieval routes
  • Check for unauthorized code execution attempts via RewriteRule handling

Exposure: EPMM instances accessible over corporate networks or VPN connections

Figure 2: Risk Rules History from Vulnerability Intelligence Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)
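To make the RewriteMap point concrete, here is an added example of a hardened Apache RewriteMap prg: helper written in Python. It is not Ivanti's script and does not reproduce the affected routes: the map contents (APP_STORE_MAP), the helper name and the httpd configuration lines in the comments are assumptions. It follows Apache's prg-map protocol (one key per stdin line, one value or the literal NULL per stdout line, flushed after every answer), allowlists the key before any lookup, never spawns a shell, and writes rejected keys to an audit stream, which is the kind of signal the "unusual RewriteMap activity" monitoring action above is looking for.

```python
"""Hardened RewriteMap 'prg:' helper (added example, not Ivanti code).

Assumed httpd configuration that would use it:
    RewriteMap appstore "prg:/usr/local/bin/appstore_map.py"
    RewriteRule ^/store/([^/]+)$ ${appstore:$1|/missing} [L]
The injection class described in the text arises when the captured key is spliced
into a shell command line. This helper validates the key and does a dictionary
lookup instead, so no subsystem ever sees shell metacharacters."""
import io
import re
import sys

# Constructed stand-in for the real lookup backend.
APP_STORE_MAP = {"mail": "/apps/mail/index.html", "vpn": "/apps/vpn/index.html"}

# Only keys matching the allowlist are looked up; anything else is answered NULL.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
SHELL_META_CHARS = set(";&|`$(){}<>'\"\\ \t\n")
NULL = "NULL"


def classify_key(key):
    """Return 'ok', 'malformed' or 'shell-metachar' for the audit log."""
    if KEY_PATTERN.match(key):
        return "ok"
    if any(c in SHELL_META_CHARS for c in key):
        return "shell-metachar"
    return "malformed"


def lookup(key, table=APP_STORE_MAP):
    """Safe map lookup: validate, then plain dictionary access. No subprocess,
    no interpolation of the key into a command string."""
    if classify_key(key) != "ok":
        return NULL
    return table.get(key, NULL)


def serve(stdin, stdout, audit):
    """Run the prg-map loop: one key per input line, one answer per output line.
    Each answer is flushed at once because httpd blocks waiting for it.
    Rejected keys go to the audit stream so they can be alerted on."""
    for raw in stdin:
        key = raw.rstrip("\r\n")
        verdict = classify_key(key)
        if verdict != "ok":
            audit.write(f"rewritemap rejected ({verdict}): {key!r}\n")
            audit.flush()
        stdout.write(lookup(key) + "\n")
        stdout.flush()


def serve_lines(keys):
    """Drive serve() over in-memory streams; returns (answers, audit lines)."""
    out, audit = io.StringIO(), io.StringIO()
    serve(io.StringIO("".join(k + "\n" for k in keys)), out, audit)
    return out.getvalue().splitlines(), audit.getvalue().splitlines()


if __name__ == "__main__":
    # httpd runs the program once and keeps it alive; stderr lands in the error log.
    serve(sys.stdin, sys.stdout, sys.stderr)
```

Because httpd starts the helper once and reuses it, state such as a database handle can be opened before the loop; what must never happen is building a command line from the key, however the lookup is implemented.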

Technical Deep Dive: Exploitation Analysis

APT28's Operation Neusploit (CVE-2026-21509)

The multi-stage attack chain: CVE-2026-21509 bypasses Office OLE mitigations through weaponized RTF files:

  • Initial delivery – Specially-crafted RTF file exploits CVE-2026-21509
  • Server-side evasion – Malicious DLL delivered only to requests from targeted geographies with expected HTTP User-Agent
  • Dropper variants – Two distinct infection paths deployed based on targeting:
    • Variant 1 (MiniDoor): Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses
    • Variant 2 (PixyNetLoader): Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking

Why this matters: APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.

Modular DS WordPress Plugin Exploitation (CVE-2026-23550 & CVE-2026-23800)

The authentication bypass chain: CVE-2026-23550 grants administrator-level access without authentication:

  • Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification
  • /api/modular-connector/login flow grants access based on site connector enrollment state
  • When no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session
  • CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x

Known IoCs associated with CVE-2026-23550:

  • 45[.]11[.]89[.]19
  • 185[.]196[.]0[.]11
  • 64[.]188[.]91[.]37

Known IoCs associated with CVE-2026-23800:

  • 62[.]60[.]131[.]161
  • 185[.]102[.]115[.]27
  • backup[@]wordpress[.]com
  • backup1[@]wordpress[.]com

Why this matters: WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.
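The two request paths and the IoC addresses above translate directly into a log sweep. The following Python example is added here and is not a Recorded Future or Modular DS tool: it parses web server access logs in combined format, flags requests to the connector login route (CVE-2026-23550) and REST user creation with the connector origin parameter (CVE-2026-23800), and marks any request from the listed IoC addresses. The sample log lines are constructed; the IoC IPs are the report's with defanging removed, and the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for ordinary traffic.

```python
"""Access-log sweep for the Modular DS exploitation paths described in the text.
Added example, not vendor tooling. Log format assumed: Apache/nginx combined."""
import re
from urllib.parse import parse_qs, urlsplit

IOC_IPS = {
    "45.11.89.19", "185.196.0.11", "64.188.91.37",   # listed for CVE-2026-23550
    "62.60.131.161", "185.102.115.27",               # listed for CVE-2026-23800
}
CONNECTOR_LOGIN = "/api/modular-connector/login"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign login page hit, one benign REST call, two
# requests from IoC addresses and one connector login from an unlisted source.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4123
45.11.89.19 - - [14/Jan/2026:10:03:40 +0000] "POST /api/modular-connector/login HTTP/1.1" 302 0
203.0.113.9 - - [14/Jan/2026:10:05:02 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 8810
62.60.131.161 - - [14/Jan/2026:11:17:55 +0000] "POST /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 201 512
198.51.100.4 - - [14/Jan/2026:11:20:13 +0000] "POST /api/modular-connector/login HTTP/1.1" 200 77
"""


def classify(line):
    """Return the reasons a log line is interesting (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append(f"known IoC source {m['ip']}")
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    if url.path == CONNECTOR_LOGIN:
        reasons.append("connector login request (CVE-2026-23550 path)")
    # CVE-2026-23800 path: /?rest_route=/wp/v2/users&origin=mo&type=x
    if (query.get("rest_route", [""])[0].startswith("/wp/v2/users")
            and query.get("origin", [""])[0] == "mo"):
        reasons.append(f"{m['method']} to wp/v2/users with origin=mo (CVE-2026-23800 path)")
    return reasons


def sweep(lines):
    """Return [(ip, status, reasons)] for every line that classify() flags."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], int(m["status"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, status, reasons in sweep(SAMPLE_LOG.splitlines()):
        print(f"{ip} -> {status}: {'; '.join(reasons)}")
```

Connector login requests also arrive from the legitimate management platform (an assumption about how the plugin is used, not a statement from the report), so treat that path as a baseline-and-compare signal; a 2xx status on the wp/v2/users path from an address outside your known platform sources is the line to escalate.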

SmarterMail Authentication Bypass (CVE-2026-23760)

The password reset flaw: CVE-2026-23760 exposes privileged password reset to anonymous callers:

  • ForceResetPassword controller attribute explicitly permits unauthenticated access
  • Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context
  • System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword
  • Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls

Why this matters: Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.
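The four bullets above describe a decision made on the wrong side of the trust boundary. The following Python model is an added example that contrasts that flawed decision with a hardened one; it is not SmarterMail code, and the handler names, the in-memory account store, the session object and the non-admin branch of the vulnerable handler are constructed for illustration (the report only describes the system administrator branch). The vulnerable version mirrors the bullets: reachable without a session, branch chosen by a client-supplied IsSysAdmin flag, password set straight from NewPassword, no OldPassword check.

```python
"""Model of the CVE-2026-23760 decision flaw beside a hardened version.
Added example, not SmarterMail code."""
import hashlib
import hmac
import os


class Account:
    """Minimal account record with salted PBKDF2 password storage."""
    def __init__(self, name, password, is_sysadmin=False):
        self.name, self.is_sysadmin = name, is_sysadmin
        self.set_password(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)

    def verify(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))


class AuthError(Exception):
    pass


def force_password_reset_vulnerable(request, accounts):
    """Flawed pattern (CWE-288 / CWE-306): no session required, the branch is
    selected by the client's IsSysAdmin, and the admin branch only checks that
    the target exists and NewPassword is non-empty before writing it."""
    account = accounts[request["Username"]]
    if request.get("IsSysAdmin"):
        if not request.get("NewPassword"):
            return False
        account.set_password(request["NewPassword"])
        return True
    # Non-admin branch: constructed assumption, not described in the report.
    if not account.verify(request.get("OldPassword", "")):
        return False
    account.set_password(request["NewPassword"])
    return True


def force_password_reset_hardened(request, session, accounts):
    """Hardened pattern: an authenticated session is mandatory, the actor's role
    comes from server-side session state (never the request), a self-reset must
    prove the current password, and only an admin may reset another account."""
    if not session or not session.get("authenticated"):
        raise AuthError("authentication required")
    actor = accounts[session["user"]]
    target = accounts.get(request["Username"])
    if target is None:
        raise AuthError("no such account")
    if actor is target:
        if not target.verify(request.get("OldPassword", "")):
            raise AuthError("current password incorrect")
    elif not actor.is_sysadmin:
        raise AuthError("not authorized to reset another account")
    if len(request.get("NewPassword", "")) < 12:
        raise ValueError("new password too short")
    target.set_password(request["NewPassword"])
    return True


def outcome(handler, *args):
    """Return 'ok' or the error message, for easy tabulation."""
    try:
        handler(*args)
        return "ok"
    except (AuthError, ValueError) as exc:
        return str(exc)


def fresh_store():
    """Constructed accounts for the demonstration."""
    return {"admin": Account("admin", "correct horse battery staple", is_sysadmin=True),
            "alice": Account("alice", "alice-password-123")}


def demonstrate():
    """Replay an anonymous admin reset against both handlers."""
    anonymous = {"Username": "admin", "IsSysAdmin": True,
                 "NewPassword": "attacker-chosen-passphrase"}
    vulnerable = fresh_store()
    took_over = (force_password_reset_vulnerable(anonymous, vulnerable)
                 and vulnerable["admin"].verify(anonymous["NewPassword"]))
    hardened = fresh_store()
    verdict = outcome(force_password_reset_hardened, anonymous, None, hardened)
    return {"vulnerable_takeover": took_over, "hardened_verdict": verdict,
            "hardened_password_unchanged": hardened["admin"].verify("correct horse battery staple")}


if __name__ == "__main__":
    print(demonstrate())
```

The fix is not the extra password-length check but the ordering: authentication, then authorization derived from server state, then proof of the current credential, and only then a write. A client-supplied role flag should never appear in the decision at all.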

Detection & Remediation Resources

Nuclei Templates from Insikt Group®

Recorded Future customers can access Nuclei templates for:

  • CVE-2025-8110 (Gogs) – Version detection and fingerprinting check
  • CVE-2026-23760 (SmarterMail) – Authentication bypass validation

Recorded Future Product Integrations

January 2026 Summary

State-sponsored zero-days return. APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.

Authentication bypass dominates enterprise risk. Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.

Legacy vulnerabilities persist. CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.

Take Action

Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our demo center for live examples, or dive deeper with Insikt Group research for technical threat intelligence.

About Insikt Group®:

Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.