TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Recorded Future Blog

January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day

2026-02-24

ATT&CK techniques detected

11 predictions
T1190 Exploit Public-Facing Application
95%
“variants – two distinct infection paths deployed based on targeting: Variant 1 (minidoor): writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses. Variant 2 (pixynetloader): creates mutex asagdug…”
T1190 Exploit Public-Facing Application
95%
“2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x. Known IOCs associated with CVE-2026-23550: 45[.]11[.]89[.]19, 185[.]196[.]0[.]11, 64[.]188[.]91[.]37. Known …”
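As an added example (not code from the Recorded Future report or from TTPwire), a Python hunt over web-server access logs for the REST API user-creation path and the three IOC addresses quoted in the entry above. The log lines are constructed. It goes slightly beyond the entry: it also matches the pretty-permalink form of the same endpoint (/wp-json/wp/v2/users) and records the response status so a 201 can be separated from a blocked attempt. The `origin=mo&type=x` parameters seen in the quoted request are deliberately not required, since the endpoint is the durable part of the signal.

```python
"""Hunt access logs for wp/v2/users creation requests and the IOC IPs from the entry.
Added example; the sample log lines below are constructed, not taken from the report."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# IOCs exactly as defanged in the quoted entry; refanged only in memory for matching.
DEFANGED_IOCS = ["45[.]11[.]89[.]19", "185[.]196[.]0[.]11", "64[.]188[.]91[.]37"]


def refang(ioc: str) -> str:
    """Turn '45[.]11[.]89[.]19' back into a dotted quad, rejecting anything that is not an IP."""
    ip = ioc.replace("[.]", ".")
    ipaddress.ip_address(ip)  # raises ValueError on junk
    return ip


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Apache/Nginx combined format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_rest_user_creation(method: str, path: str) -> bool:
    """True for write requests that reach the wp/v2/users endpoint, whether via the
    ?rest_route= form quoted in the entry or the /wp-json/ pretty-permalink form."""
    if method not in ("POST", "PUT"):
        return False
    parts = urlsplit(path)
    routes = parse_qs(parts.query).get("rest_route", [])
    if any(r.rstrip("/") == "/wp/v2/users" for r in routes):
        return True
    return parts.path.rstrip("/").endswith("/wp-json/wp/v2/users")


def scan(lines):
    """Return one hit per matching line with the reasons it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if is_rest_user_creation(m["method"], m["path"]):
            reasons.append("rest_user_creation")
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


# Constructed sample: one IOC source creating a user (201), a benign read, an
# unrelated client whose creation attempt was refused (401), and an IOC source browsing.
SAMPLE_LOG = [
    '45.11.89.19 - - [12/Jan/2026:03:14:07 +0000] "POST /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 201 512',
    '203.0.113.5 - - [12/Jan/2026:03:15:22 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 8810',
    '198.51.100.7 - - [12/Jan/2026:03:16:01 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 77',
    '185.196.0.11 - - [12/Jan/2026:03:17:45 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 201 on the users route from an unauthenticated source is the confirmation to escalate on; the 401 line is still worth keeping as an attempt indicator, and the IOC-only hit warrants a look at what else that address touched.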
T1190 Exploit Public-Facing Application
78%
“RCE vulnerabilities in Endpoint Manager Mobile. Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS. Most common weakness types: CWE-94 – Code Injection; CWE-288 – Au…”
T1190 Exploit Public-Facing Application
74%
“…resetpassword controller attribute explicitly permits unauthenticated access. Backend forcepasswordreset routine branches on client-supplied issysadmin boolean rather than deriving account type from server-side context. System administrator branch performs basic checks, then …”
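The entry above describes a trust-boundary error: an unauthenticated reset endpoint lets the request body choose whether the privileged branch runs. As an added example (not the affected product's code; the page gives no routes, field names or product source, so every name here is an assumption), a minimal Python model of that handler beside a hardened version that derives the account type from the server-side session instead of from the request.

```python
"""Client-controlled role flag vs. server-derived role in a password-reset handler.
Added illustration; the store, field names and token scheme are all constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    is_sysadmin: bool      # server-side truth, set at provisioning time
    password_hash: str


def _hash(pw: str) -> str:
    # Stand-in for a real password KDF; only here so resets have a visible effect.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_store() -> dict:
    """Constructed user store: one sysadmin, one ordinary user."""
    return {1: Account(1, True, _hash("admin-pw")), 2: Account(2, False, _hash("user-pw"))}


class Denied(Exception):
    pass


def _token_valid(account: Account, token) -> bool:
    # Stand-in: a real check validates a single-use, expiring token bound to this account.
    return token == f"reset-token-{account.user_id}"


def _set_password(account: Account, new_password: str) -> int:
    account.password_hash = _hash(new_password)
    return account.user_id


def force_password_reset_vulnerable(body: dict, store: dict) -> int:
    """Pattern from the entry: the handler is reachable unauthenticated and picks the
    sysadmin branch from body['issysadmin']. That branch does only basic checks (the
    target exists), so any caller can reset any account by sending issysadmin=true."""
    target = store[int(body["user_id"])]
    if str(body.get("issysadmin", "")).lower() == "true":
        return _set_password(target, body["new_password"])          # no token, no session
    if not _token_valid(target, body.get("token")):
        raise Denied("invalid reset token")
    return _set_password(target, body["new_password"])


def force_password_reset_hardened(body: dict, store: dict,
                                  session_user: Optional[Account]) -> int:
    """Never read the account type from the request. The privileged branch requires an
    authenticated session whose *stored* record is sysadmin; everyone else must hold a
    valid reset token for the target account."""
    target = store[int(body["user_id"])]
    if session_user is not None and store[session_user.user_id].is_sysadmin:
        return _set_password(target, body["new_password"])
    if not _token_valid(target, body.get("token")):
        raise Denied("invalid reset token")
    return _set_password(target, body["new_password"])


def attempt(fn, *args):
    """Run a reset and return its result, or 'denied' when the handler refuses."""
    try:
        return fn(*args)
    except Denied:
        return "denied"


if __name__ == "__main__":
    attacker = {"user_id": "1", "issysadmin": "true", "new_password": "pwned"}
    print("vulnerable:", attempt(force_password_reset_vulnerable, attacker, make_store()))
    print("hardened:  ", attempt(force_password_reset_hardened, attacker, make_store(), None))
```

The hardened version also re-reads the caller's role from the store rather than trusting whatever object the session layer handed over, which is the same principle applied one layer up: the only authority on who is a sysadmin is server-side state.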
T1190 Exploit Public-Facing Application
65%
“access patterns and session logs; audit system for unauthorized changes made with compromised admin access. CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile. Risk score: 99 (Very Critical) | CISA KEV: CVE-2026-1281 added January 29, 2026. Why this matter…”
T1203 Exploitation for Client Execution
59%
“…x.1-security update-1761642-1.0.0l-5.noarch.rpm. Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release). Monitor for unusual Apache RewriteMap activity. Review logs for crafted HTTP parameters to app store retrieval routes. Check for unauthorized code execu…”
T1588.006 Vulnerabilities
49%
“January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day. January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediat…”
T1587.004 Exploits
42%
“…94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Bottom line: the slight increase masks significant threats. AP…”
T1204.002 Malicious File
35%
“…x.1-security update-1761642-1.0.0l-5.noarch.rpm. Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release). Monitor for unusual Apache RewriteMap activity. Review logs for crafted HTTP parameters to app store retrieval routes. Check for unauthorized code execu…”
T1588.006 Vulnerabilities
34%
“your supply chain. January 2026 summary: state-sponsored zero-days return. APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities. Authentication bypass dominates enterprise r…”
T1588.006 Vulnerabilities
32%
“…284 (Improper Access Control) Yes; 20 CVE-2025-54313 99 Prettier eslint-config-prettier CWE-506 (Embedded Malicious Code) No; 21 CVE-2025-8110 89 Gogs CWE-22 (Path Traversal) Yes; 22 CVE-2009-0556 89 Microsoft Office CWE-94 (Code Injection) No; 23 CVE-…”

Summary

January 2026 saw 23 critical vulnerabilities flagged by Recorded Future's Insikt Group, not all of them in CISA KEV, including APT28's Microsoft Office zero-day (CVE-2026-21509) and critical authentication-bypass flaws in enterprise systems such as Ivanti Endpoint Manager Mobile.