Vulnerability Review – January 2026 

This blog is a recap of the most critical vulnerabilities disclosed between 01 January and 31 January 2026 that most likely impact software utilized by managed service providers (MSPs).  

While not all MSPs use the software discussed in this blog, the software has been labeled as a priority software by Blackpoint’s Adversary Pursuit Group (APG) due to the overall number of MSPs/organizations that use it. 

Key Findings 

  • There were more than 4,000 vulnerabilities disclosed between 01 January and 31 January 2026, with more than 50% being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.  

  • There are several that have been actively exploited and 17 that have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation. 
  • Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.  

Prioritized Software Categories – January 2026 

The Blackpoint APG tracks prioritized software across six categories; in January 2026, we delivered notices spanning five of them. These categories include tools that are widely used and critical to daily operations, meaning that security issues in these areas have a higher chance of causing devastating impacts if successfully exploited. The categories are listed below.  

  • Data Protection & Recovery: These tools are very likely to store important data from multiple systems in one place, making them an attractive target for threat actors. Attackers who gain access to these systems can delete company backups, encrypt them, or steal data.  
  • IT Management & Operations: IT teams use these tools to monitor systems, fix issues, and automate tasks. These tools typically have high-level access permissions, and an attacker who gains access could change settings, run malicious code, or spread across many systems without detection. A single intrusion into one of these tools could impact multiple customers. 
  • Network & Infrastructure: These systems control how data moves in and out of a network; they often sit between the internal systems and the internet. Because they are exposed and highly trusted, they are attractive and frequently targeted by threat actors. An attacker who successfully compromises these systems could access internal systems, intercept network traffic, or bypass security controls. 
  • Productivity, Communication, & Knowledge: These tools frequently contain sensitive data, instructions, and private conversations, making them attractive targets for threat actors. An attacker who gains access to these tools can read private messages, steal information, impersonate trusted users, and conduct additional attacks from a trusted platform. 
  • Remote Access & Identity: These tools are frequently used by administrators and are trusted across the environment, making them an attractive target for threat actors. An attacker who gains access to or abuses tools within this category can log in as legitimate users, bypass security checks, and move through systems without being detected.  
  • Security & Threat Defense: These tools collect security data and alert teams when something appears suspicious or malicious. Attackers that exploit these tools can hide their activity, turn off alerts, or delete evidence of their activity. This type of abuse can leave security teams blind to malicious activity and allow attackers to complete their objectives. 

Vulnerability Review January 2026 

Cisco Unified Communications – CVE-2026-20045 

  • Prioritized Category: Productivity, Communication, & Knowledge 
  • Impacted Software: Unified CM (CSCwr21851), Unified CM SME (CSCwr21851), Unified CM IM&P (CSCwr29216), Unity Connection (CSCwr29208), Webex Calling Dedicated Instance (CSCwr21851) 
  • Type: Code Injection Vulnerability 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: Yes – added January 21, 2026 

This vulnerability stems from improper input validation on the web-based management interface. At the time of disclosure, Cisco confirmed active exploitation; however, details of the exploitation remain scarce.  

An attacker could exploit this vulnerability to gain remote code execution on the communications server and elevate privileges to full root access. Attackers could use the access to manipulate or disrupt voice and collaboration services and use the compromised system as a foothold for lateral movement inside the compromised network. [1] 

Fortinet Multiple Products – CVE-2026-24858  

  • Prioritized Category: IT Management & Operations, Network & Infrastructure 
  • Impacted Software:  
    • FortiAnalyzer – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15 
    • FortiManager – 7.6.0 through 7.6.5, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.15 
    • FortiOS – 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, 7.0.0 through 7.0.18 
    • FortiProxy – 7.6.0 through 7.6.4, 7.4.0 through 7.4.12, 7.2 – all versions, 7.0 – all versions 
  • Type: Authentication Bypass Vulnerability 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: Yes – added January 27, 2026 

Fortinet confirmed exploitation at the time of disclosure (January 27, 2026) and stated that exploitation is limited to environments using FortiCloud SSO/SAML. By abusing the FortiCloud SSO trust relationship, an attacker could log in without valid customer credentials, potentially gaining administrative or operational access. 

Attackers reportedly used malicious FortiCloud accounts to improperly authenticate into environments that trust FortiCloud SSO. Fortinet reported they identified and disabled the attacker-controlled accounts on January 22, 2026. [2] 

HPE OneView – CVE-2025-37164 

  • Prioritized Category: IT Management & Operations 
  • Impacted Software: OneView all versions prior to 11.00 
  • Type: Code Injection Vulnerability 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: Yes – added January 7, 2026 

Threat actors can exploit this vulnerability via low-complexity code injection attacks to gain unauthenticated remote code execution on unpatched systems. The vulnerability was first disclosed in December 2025. While exploitation details remain vague, a detailed PoC was released, which can allow lower-skilled threat actors to attempt exploitation and may renew interest in the vulnerability. [3] 

Microsoft Multiple Products 

Microsoft Desktop Window Manager – CVE-2026-20805 

  • Prioritized Category: IT Management & Operations 
  • Impacted Software: Desktop Window Manager 
  • Type: Information Disclosure Vulnerability 
  • CVSS: 5.5 (Medium) 
  • CISA KEV Catalog: Yes – added January 13, 2026 

This vulnerability was addressed in Microsoft’s January Patch Tuesday, which included 114 security vulnerabilities. Details on exploitation remain unavailable; however, Microsoft stated in their advisory that threat actors could access “a section address from a remote ALPC port, which is user-mode memory”. A locally authenticated attacker could exploit this vulnerability to disclose information and evade detection. [4] 

Microsoft Office Products – CVE-2026-21509 

  • Prioritized Category: Productivity, Communication & Knowledge 
  • Impacted Software: Multiple Microsoft Office Products 
  • Type: Security Feature Bypass Vulnerability 
  • CVSS: 7.8 (High) 
  • CISA KEV Catalog: Yes – added January 26, 2026 

Microsoft disclosed this vulnerability as a zero-day; however, details of exploitation have not been disclosed. A threat actor can exploit this vulnerability by leveraging specially crafted Office documents to bypass built-in security controls, increasing the likelihood of successful phishing and follow-on compromise. This vulnerability can be used as an initial access mechanism and combined with additional malware or payloads to enable credential theft, persistence, or further compromise within a target environment. [5] 

SmarterTools SmarterMail – Multiple Vulnerabilities  

The Blackpoint SOC has observed active exploitation of SmarterMail servers; 100% of observed incidents were interrupted prior to the deployment of any type of payload.  

CVE-2026-27360 

  • Prioritized Category: Productivity, Communication & Knowledge 
  • Impacted Software: SmarterMail versions prior to build 9511 
  • Type: Authentication Bypass Vulnerability 
  • CVSS: 9.3 (Critical) 
  • CISA KEV Catalog: Yes – added January 26, 2026 

The vulnerability is reportedly due to the force-reset-password endpoint permitting anonymous requests and failing to verify the existing password or a reset token when resetting administrator accounts.  
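
The following is an added example and not SmarterMail code; it is a hypothetical in-memory password-reset handler that shows the two checks the flaw described above lacked. A reset is only performed when the caller proves control of the target account, either by presenting a valid single-use reset token or by being the authenticated owner and supplying the current password. Anonymous requests, cross-account resets, and reused or expired tokens are refused. The user store, the token format, and the function names are all assumptions made for the example.

```python
"""Hypothetical force-reset-password handler (added example, not SmarterMail's code).

Two controls are enforced before a password is changed:
  1. the caller must not be anonymous unless a valid reset token is presented;
  2. a reset must be backed by the account's existing password or a single-use,
     time-limited reset token bound to that account.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption for the example; tune for production
TOKEN_TTL_SECONDS = 900       # reset tokens expire after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    is_admin: bool = False


@dataclass
class ResetToken:
    user: str
    expires_at: float
    used: bool = False


class UserStore:
    """Constructed in-memory store standing in for the mail server's user database."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.tokens: Dict[str, ResetToken] = {}   # keyed by SHA-256 of the raw token

    def add_user(self, name: str, password: str, is_admin: bool = False) -> None:
        salt, digest = hash_password(password)
        self.users[name] = User(name, salt, digest, is_admin)

    def issue_reset_token(self, name: str) -> str:
        """Create a random token bound to one account; only its hash is stored."""
        raw = secrets.token_urlsafe(32)
        key = hashlib.sha256(raw.encode()).hexdigest()
        self.tokens[key] = ResetToken(name, time.time() + TOKEN_TTL_SECONDS)
        return raw

    def consume_reset_token(self, raw: str, name: str) -> bool:
        """Accept a token once, only for the account it was issued to, and only before expiry."""
        key = hashlib.sha256(raw.encode()).hexdigest()
        tok = self.tokens.get(key)
        if tok is None or tok.used or tok.user != name or time.time() > tok.expires_at:
            return False
        tok.used = True
        return True


def _apply_new_password(store: UserStore, user: User, new_password: str) -> Tuple[bool, str]:
    user.salt, user.digest = hash_password(new_password)
    # Invalidate any outstanding tokens for this account once the password changes.
    for tok in store.tokens.values():
        if tok.user == user.name:
            tok.used = True
    return True, "ok"


def force_reset_password(store: UserStore, target: str, new_password: str,
                         session_user: Optional[str] = None,
                         current_password: Optional[str] = None,
                         reset_token: Optional[str] = None) -> Tuple[bool, str]:
    """Return (success, reason). Refuses anonymous, cross-account, and unproven resets."""
    user = store.users.get(target)
    if user is None:
        return False, "unknown-user"
    # Path 1: forgot-password flow, authorised solely by a valid single-use token.
    if reset_token is not None:
        if store.consume_reset_token(reset_token, target):
            return _apply_new_password(store, user, new_password)
        return False, "bad-token"
    # Path 2: self-service change, which needs an authenticated owner and the current password.
    if session_user is None:
        return False, "anonymous"
    if session_user != target:
        return False, "not-owner"
    if current_password is None or not verify_password(current_password, user.salt, user.digest):
        return False, "bad-current-password"
    return _apply_new_password(store, user, new_password)
```

The reason strings are returned rather than logged so that the calling endpoint can log a consistent audit event for every refused attempt; repeated "anonymous" or "bad-token" results against administrator accounts are the signal a detection rule would key on.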

Public reporting indicates rapid scanning and exploitation attempts began shortly after the patch became available; technical details are publicly available, which increases the likelihood of further exploitation attempts.  

SmarterTools also patched two other SmarterMail vulnerabilities: a remote code execution (RCE) vulnerability, CVE-2026-24423, and a path traversal vulnerability, CVE-2026-25067. Neither of these has been reported to be exploited at the time of writing. [6] 

SolarWinds Web Help Desk – CVE-2025-40551 

  • Prioritized Category: IT Management & Operations 
  • Impacted Software: Web Help Desk 
  • Type: Deserialization of Untrusted Data Vulnerability 
  • CVSS: 9.8 (Critical) 
  • CISA KEV Catalog: Yes – added on February 3, 2026 

Along with this vulnerability, SolarWinds released patches for CVE-2025-40552 and CVE-2025-40554, both authentication bypass vulnerabilities; CVE-2025-40553, a remote code execution (RCE) vulnerability; and CVE-2025-40537, a hardcoded credentials vulnerability.  

CVE-2025-40551 is reported to be actively exploited based on its addition to the U.S. CISA KEV Catalog; however, details of the exploitation are not known.  

If successfully exploited, a threat actor could remotely compromise a vulnerable Web Help Desk instance without authentication. This could enable attackers to gain initial access to the environment, execute arbitrary commands, deploy additional malware, harvest credentials, pivot to internal systems, or abuse the help desk platform for persistence and further lateral movement. Given the role of help desk systems, compromise may also provide visibility into sensitive operational and customer data. [7] 

Veeam Backup & Replication – CVE-2025-59470 

  • Prioritized Category: Data Protection & Recovery 
  • Impacted Software: Backup & Replication 
  • Type: Command Injection Vulnerability 
  • CVSS: 9.0 (Critical) 
  • CISA KEV Catalog: No 

Veeam also released updates for two remote code execution (RCE) vulnerabilities, CVE-2025-55125 and CVE-2025-59468; and one privilege escalation vulnerability, CVE-2025-59469.  

These vulnerabilities could allow attackers with backup or tape operator access to run arbitrary code, potentially leading to full system compromise. Exploitation could enable data theft or destruction, persistence, and lateral movement within affected environments.  

While these vulnerabilities have not been reported to be actively exploited, Veeam Backup & Replication is an attractive target for threat actors due to the ability to steal information and block efforts to restore environments. [8] 

Blackpoint’s APG Analysis 

Blackpoint’s SOC consistently monitors and responds to lateral movement and remote execution within our customers’ environments. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog. 

Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated threat actors over the next 12 months. 

References 

  1. Cisco Advisory 
  2. Fortinet Advisory 
  3. HPE Advisory 
  4. Microsoft Advisory 
  5. Microsoft Advisory 
  6. SmarterMail Release Notes 
  7. SolarWinds Documentation 
  8. Veeam Advisory 
Date published: February 11, 2026 
Author: Blackpoint Cyber 