Threat Report 10/18/24
Critical Patches Issued for Microsoft Products Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which...
A newly identified vulnerability in Microsoft Office could allow attackers to bypass built-in security protections. Microsoft Office is widely used for everyday productivity tasks such as creating documents, managing spreadsheets, and building presentations, which makes this issue particularly impactful in business environments.
Exploitation requires an attacker to send a specially crafted Microsoft Office file and convince a user to open it. Microsoft has confirmed that the Preview Pane is not an attack vector for this vulnerability.
A newly disclosed vulnerability, CVE-2026-24858 (CWE-288: Authentication Bypass Using an Alternate Path or Channel), allows an attacker who holds a FortiCloud account and has a device registered to it to authenticate to other users' devices when FortiCloud Single Sign-On (SSO) is enabled.
This vulnerability affects multiple Fortinet products, including FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Successful exploitation enables an attacker to log in to devices registered to different FortiCloud users, potentially leading to unauthorized access and configuration changes.
Notably, systems remain vulnerable to CVE-2026-24858 even if they were fully updated to address the earlier FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719, CWE-347: Improper Verification of Cryptographic Signature).
Those earlier flaws affected FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager and allowed authentication bypass through crafted SAML messages.
Fortinet has observed the following malicious activity on devices that were previously patched for CVE-2025-59718 and CVE-2025-59719:
To mitigate active exploitation, Fortinet temporarily disabled all FortiCloud SSO authentication on January 26, reinstating the service on January 27 with additional protections to prevent exploitation of vulnerable devices.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on January 27. CISA strongly urges organizations to inspect affected Fortinet products for indicators of compromise and to apply all available updates immediately, following Fortinet’s official guidance.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-02, requiring Federal Civilian Executive Branch (FCEB) agencies to replace end-of-support (EOS) edge devices that no longer receive vendor security patches.
Under the directive, agencies must:
CISA warned that unsupported edge devices pose a serious and ongoing risk to federal networks. According to the agency, “The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property.” CISA also noted ongoing, widespread exploitation campaigns by advanced threat actors, who are increasingly targeting EOS edge devices as entry points to pivot deeper into FCEB networks.
Recent public reporting has highlighted multiple vendor-specific campaigns, reinforcing concerns that threat actors are actively leveraging unsupported edge infrastructure to gain persistent access to federal environments.
While BOD 26-02 applies specifically to federal agencies, CISA emphasizes that public- and private-sector organizations should adopt similar best practices. Continuing to operate unsupported edge devices significantly increases exposure to exploitation and undermines overall security posture.
The Trump administration’s National Cyber Director, Harry Coker Jr., is preparing a significant overhaul of U.S. cybersecurity policy, with a strong focus on private-sector collaboration and regulatory reform, according to reporting by WebProNews.
The forthcoming national cybersecurity strategy is expected to streamline existing security mandates in response to long-standing concerns about overlapping and sometimes conflicting regulations. The updated approach aims to reduce compliance complexity while maintaining strong security standards.
In addition, the strategy would place greater emphasis on improving threat intelligence sharing between government and private-sector organizations, as well as strengthening legal protections for companies that disclose cyber incidents. These measures are intended to encourage transparency and faster information sharing during active cyber threats.
The Office of the National Cyber Director is currently seeking feedback from industry stakeholders, signaling an effort to align federal cybersecurity policy more closely with real-world operational and regulatory challenges.
Coveware has issued a warning regarding the Nitrogen ransomware ESXi variant, revealing a critical cryptographic flaw that makes file decryption permanently impossible—even for the attackers themselves. Because of this defect, victims impacted by this variant are strongly discouraged from paying the ransom, as recovery is not possible even if a decryption key is provided.
According to Coveware, the issue stems from a corrupted public key used during the encryption process. In a standard Curve25519 keypair, the private key is generated first and the public key is derived from it by scalar multiplication of the curve's base point; going the other way is the elliptic-curve discrete logarithm problem and is computationally infeasible. In this case, however, the ransomware overwrote portions of an existing public key in place. Curve25519 key exchange accepts any 32-byte value as a public key, so encryption proceeds without error, but the damaged value is not the public half of any keypair the attackers hold, and the private key that would correspond to it can neither be looked up nor computed.
As a result, the encrypted files cannot be decrypted by anyone, attackers included: the attackers' real private key does not match the key actually used to encrypt, and nobody has the one that would. This flaw renders ransom payments futile and highlights the continued risk of relying on attacker-provided recovery mechanisms.
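The following is an added example, not Coveware's analysis and not the Nitrogen code, showing why an in-place overwrite of the embedded public key makes every file key unrecoverable. It implements X25519 per RFC 7748 inline so it runs offline, and assumes a textbook hybrid scheme (per-file ephemeral keypair, ECDH against the embedded attacker key, SHA-256 as the KDF, ephemeral public key stored with the file); that scheme, the `overwrite_bytes` helper and the offset it damages are assumptions for illustration. The keypairs are the public RFC 7748 section 6.1 test vectors, standing in for the attacker's key and one file's ephemeral key.

```python
"""Added example: a corrupted Curve25519 public key leaves no one able to decrypt.

Assumed scheme (not a claim about Nitrogen's actual implementation): the malware
embeds the attacker's X25519 public key, generates an ephemeral keypair per file,
runs ECDH against the embedded key, hashes the shared secret into the file key, and
stores only the ephemeral public key beside the ciphertext. Decryption needs the
attacker's private key to repeat the ECDH from the other side.
"""
import hashlib
from typing import Tuple

P = 2**255 - 19                      # field prime
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte scalar as RFC 7748 requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748, section 5)."""
    k = _decode_scalar(scalar)
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little")  # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """Public key = private scalar times the base point (this direction is cheap)."""
    return x25519(private, BASEPOINT)


def file_key(shared_secret: bytes) -> bytes:
    """Assumed KDF: one SHA-256 over the ECDH output."""
    return hashlib.sha256(shared_secret).digest()


def encrypt_side(embedded_attacker_pub: bytes, ephemeral_priv: bytes) -> Tuple[bytes, bytes]:
    """Victim side: (ephemeral public key stored with the file, key used to encrypt it)."""
    return public_key(ephemeral_priv), file_key(x25519(ephemeral_priv, embedded_attacker_pub))


def decrypt_side(attacker_priv: bytes, stored_ephemeral_pub: bytes) -> bytes:
    """Attacker side after payment: rebuild the file key from the stored ephemeral key."""
    return file_key(x25519(attacker_priv, stored_ephemeral_pub))


def overwrite_bytes(key: bytes, offset: int, junk: bytes) -> bytes:
    """Model the bug: part of an existing public key overwritten in place (assumed)."""
    return key[:offset] + junk + key[offset + len(junk):]


# Constructed keys: RFC 7748 section 6.1 test vectors. Alice stands in for the
# attacker's long-term key, Bob for one file's ephemeral key.
ATTACKER_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
EPHEMERAL_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def run(corrupt: bool) -> bool:
    """True if the attacker's private key reproduces the key that encrypted the file."""
    attacker_pub = public_key(ATTACKER_PRIV)
    if corrupt:
        # Any 32 bytes are accepted as an X25519 public key, so encryption still "works".
        attacker_pub = overwrite_bytes(attacker_pub, 8, b"\x00" * 8)
    eph_pub, key_used = encrypt_side(attacker_pub, EPHEMERAL_PRIV)
    return decrypt_side(ATTACKER_PRIV, eph_pub) == key_used


if __name__ == "__main__":
    print("intact key, attacker rebuilds file key:   ", run(corrupt=False))
    print("corrupted key, attacker rebuilds file key:", run(corrupt=True))
```

With the intact key both sides compute the same shared secret, so the attacker can hand over the file key. After the overwrite the victim's ECDH still succeeds against the damaged value, but the result corresponds to a scalar nobody generated; the attacker's real private key yields a different key, and a paid-for decryptor fails for the same reason.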