
Feb 24, 2026 • Recorded Future

January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day

Source: Recorded Future
Category: vulnerability
Severity: critical

Executive Summary

January 2026 recorded 23 actively exploited CVEs, a 5% increase from December 2025, with significant threats including APT28's Operation Neusploit. Russian state-sponsored actors exploited CVE-2026-21509, a Microsoft Office zero-day, via weaponized RTF files to deliver MiniDoor, PixyNetLoader, and Covenant Grunt implants targeting enterprise email systems. Critical authentication bypass and RCE vulnerabilities affected major vendors including Microsoft (4 CVEs), SmarterTools (3 CVEs), Cisco, and Ivanti. CWE-94 (Code Injection) dominated the weakness landscape, followed by authentication bypass flaws. Fourteen of 23 vulnerabilities have public proof-of-concept exploits available. Security teams should prioritize patching Microsoft Office and SmarterTools SmarterMail immediately, as these vendors accounted for 30% of January's exploited vulnerabilities. The slight increase masks sophisticated zero-day exploitation by nation-state actors targeting enterprise communication platforms.

Summary

January 2026 saw 23 actively exploited CVEs, including APT28’s Microsoft Office zero-day and critical auth bypass flaws impacting enterprise systems.

Published Analysis

January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.

What security teams need to know:

  • APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants.
  • Microsoft and SmarterTools lead concerns: These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws.
  • Public exploits proliferate: Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available.
  • Code Injection dominates: CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Bottom line: The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.

Quick Reference Table

All 23 vulnerabilities below were actively exploited in January 2026.
| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2026-20029 | 99 | Cisco Identity Services Engine Software | CWE-611 (Improper Restriction of XML External Entity Reference) | No |
| 2 | CVE-2026-20805 | 99 | Microsoft Windows | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) | Yes |
| 3 | CVE-2026-20931 | 99 | Microsoft Windows | CWE-73 (External Control of File Name or Path) | No |
| 4 | CVE-2026-23550 | 99 | Modular DS Plugin | CWE-266 (Incorrect Privilege Assignment) | Yes |
| 5 | CVE-2026-24061 | 99 | GNU InetUtils | CWE-88 (Argument Injection) | Yes |
| 6 | CVE-2026-20045 | 99 | Cisco Unified Communications Manager | CWE-94 (Code Injection) | Yes |
| 7 | CVE-2026-23760 | 99 | SmarterTools SmarterMail | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | Yes |
| 8 | CVE-2026-24423 | 99 | SmarterTools SmarterMail | CWE-306 (Missing Authentication for Critical Function) | Yes |
| 9 | CVE-2026-21509 | 99 | Microsoft Office | CWE-807 (Reliance on Untrusted Inputs in a Security Decision) | Yes |
| 10 | CVE-2026-24858 | 99 | Fortinet Multiple Products | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | Yes |
| 11 | CVE-2025-40551 | 99 | SolarWinds Web Help Desk | CWE-502 (Deserialization of Untrusted Data) | No |
| 12 | CVE-2026-1281 | 99 | Ivanti Endpoint Manager Mobile (EPMM) | CWE-94 (Code Injection) | Yes |
| 13 | CVE-2026-1340 | 99 | Ivanti Endpoint Manager Mobile (EPMM) | CWE-94 (Code Injection) | Yes |
| 14 | CVE-2018-14634 | 99 | Linux Kernel | CWE-190 (Integer Overflow or Wraparound) | Yes |
| 15 | CVE-2025-52691 | 99 | SmarterTools SmarterMail | CWE-434 (Unrestricted Upload of File with Dangerous Type) | Yes |
| 16 | CVE-2024-37079 | 99 | Broadcom VMware vCenter Server | CWE-787 (Out-of-bounds Write) | No |
| 17 | CVE-2025-68645 | 99 | Synacor Zimbra Collaboration Suite (ZCS) | CWE-98 (PHP Remote File Inclusion) | Yes |
| 18 | CVE-2025-34026 | 99 | Versa Concerto | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | No |
| 19 | CVE-2025-31125 | 99 | Vite Vitejs | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) | Yes |
| 20 | CVE-2025-54313 | 99 | Prettier eslint-config-prettier | CWE-506 (Embedded Malicious Code) | No |
| 21 | CVE-2025-8110 | 89 | Gogs | CWE-22 (Path Traversal) | Yes |
| 22 | CVE-2009-0556 | 89 | Microsoft Office | CWE-94 (Code Injection) | No |
| 23 | CVE-2025-37164 | 89 | Hewlett Packard Enterprise OneView | CWE-94 (Code Injection) | Yes |

Table 1: List of vulnerabilities that were actively exploited in January based...
