Wednesday War Room – 01/28/2026
The last 48–72 hours have been a greatest-hits album of 2026 pain...
Incoming: State-backed espionage, help desk tooling as a breach path, SSO trust getting abused, and phishing that looks “legit” right up until you’re owned.
Let’s dive in.
Risk Level: High
Business Impact: Stealthy endpoint backdoors enable long-term espionage, credential theft, and quiet data collection from government and telecom environments.
What You Need to Know: China-linked activity attributed to Mustang Panda is using an updated backdoor called COOLCLIENT to support broad data theft operations, targeting government and telecom entities across Asia.
Why This Matters:
Espionage actors play the long game, and they are patient enough to wait out your detection gaps.
Telecom and government targeting is a downstream risk for everyone who relies on those ecosystems.
Updated tooling usually means improved evasion, better persistence, and fewer noisy indicators.
Executive Actions:
🕵️‍♂️ Prioritize threat hunting on high-value users (execs, admins, telecom-facing teams) for stealthy persistence.
🔐 Tighten credential hygiene: rotate privileged creds and enforce MFA on anything remotely sensitive.
🧱 Segment sensitive data stores and restrict lateral movement paths from user subnets.
📈 Validate endpoint telemetry coverage (EDR + logs) on the systems leadership actually cares about.
Risk Level: Critical
Business Impact: Help desk systems often hold credentials, tokens, and admin workflows. A compromise can turn into rapid lateral movement and environment-wide escalation.
What You Need to Know: SolarWinds released fixes for critical Web Help Desk vulnerabilities that include authentication bypass and remote command execution conditions in affected deployments.
Why This Matters:
IT support platforms are “keys-to-the-kingdom” systems in disguise.
Auth bypass on operational tooling removes friction for attackers and speeds up compromise.
Once the help desk is owned, ticket workflows become a weapon (password resets, software pushes, social engineering).
Executive Actions:
🩹 Patch Web Help Desk immediately and confirm the fixed build is actually deployed everywhere.
🔒 Restrict admin access to trusted networks only (no open internet access, period).
🧾 Audit for unusual admin activity: new accounts, permission changes, suspicious command execution.
🧱 Require MFA for all admin roles and reduce standing privileges to the minimum needed.
Risk Level: Critical
Business Impact: Authentication bypass in security infrastructure can enable device access, configuration tampering, and downstream compromise of network controls.
What You Need to Know: Fortinet patched an exploited FortiCloud SSO authentication bypass, CVE-2026-24858, and also published guidance in its PSIRT advisory.
Why This Matters:
When perimeter tooling is the target, the attacker gets to rewrite your security narrative.
SSO trust paths are highly leveraged: one flaw, many devices.
“Security product compromise” has an outsized blast radius compared to typical endpoint infections.
Executive Actions:
🧯 Patch affected Fortinet products immediately and validate FortiCloud SSO settings against policy.
🔍 Review authentication logs for anomalous logins tied to FortiCloud accounts and device registrations.
🧱 Reduce exposure: restrict management interfaces and enforce admin access controls and segmentation.
🚨 Treat unexpected config changes as an incident trigger, not a “network team problem.”
Leadership Insight:
This week is a reminder that “trusted” is not a security control.
Help desk platforms, SSO paths, browsers, and legacy services are all being treated like entry points because they are predictable, widely deployed, and often poorly governed.
The organizations that win in 2026 are not the ones with the most tools…
… They are the ones that can patch fast, remove exposure fast, and shrink trust boundaries before an attacker turns them into a business problem.
Risk Level: High
Business Impact: Actively exploited Office security feature bypass increases the risk of successful phishing-to-execution chains and user-driven compromise.
What You Need to Know: Microsoft issued emergency updates for an actively exploited Office zero-day, CVE-2026-21509, with additional operational coverage in the incident write-up and deployment notes in a Microsoft support update entry.
Why This Matters:
Exploited-in-the-wild means you are already behind if patching lags.
Office remains the most reliable “front door” for user-targeted compromise attempts.
Feature bypasses often pair nicely with social engineering, not noisy malware.
Executive Actions:
🩹 Force Office update compliance and require a restart cycle to ensure fixes apply where relevant.
🎯 Focus protections on high-risk groups (execs, finance, legal, admins) with tighter attachment policies.
🔎 Hunt for suspicious Office-launched process trees and abnormal child processes post-document open.
🧠 Re-emphasize “slow down” user behavior: verify sender, verify context, verify intent.
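The hunt in the actions above, "Office-launched process trees with abnormal children", as an added example that is not from the newsletter: a small filter over Sysmon-style process-creation records. The host names, paths and command lines are constructed sample telemetry; the parent and child process lists are the usual Office binaries and script/living-off-the-land hosts a document rarely has a reason to start.

```python
"""Hunt for suspicious child processes of Office apps (added example, not the
newsletter's code; the records below are constructed Sysmon-style events)."""
from dataclasses import dataclass

# Office binaries whose children we inspect (document open -> process spawn).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children a document should almost never need; any such spawn is a hunt hit.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return events where an Office application spawned a suspicious child."""
    return [ev for ev in events
            if basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN]


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed sample telemetry: two hits, two benign records.
SAMPLE_EVENTS = [
    ProcEvent("FIN-LT-07", WORD, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c <constructed placeholder>"),
    # Print spooler helper: a normal Office child, must not be flagged.
    ProcEvent("FIN-LT-07", WORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # PowerShell from Explorer: not Office-launched, out of scope for this hunt.
    ProcEvent("ADM-WS-02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent("LGL-LT-11", EXCEL, r"C:\Windows\System32\mshta.exe",
              "mshta.exe <constructed placeholder>"),
]
```

Running `hunt(SAMPLE_EVENTS)` returns the two Office-spawned records (cmd.exe from Word, mshta.exe from Excel) and leaves the print helper and the admin's Explorer-launched shell alone; the same filter applies to real Event ID 1 exports once the field names are mapped.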
Risk Level: High
Business Impact: Chrome extension-based spoofing can steal credentials and session tokens while showing the legitimate domain in the address bar.
What You Need to Know: A new phishing kit called Stanley is being marketed as malware-as-a-service, enabling overlays on real websites without changing the visible URL; technical background and examples were also documented by Varonis research.
Why This Matters:
URL-checking is no longer the safety blanket people think it is.
Extensions are a massive trust gap in many orgs, especially in dev and power-user populations.
Token and credential theft via browser is a fast path to account takeover and lateral movement.
Executive Actions:
🧩 Enforce extension allowlisting (block-by-default) for corporate browsers.
🔐 Prioritize phishing-resistant MFA for high-impact apps to reduce stolen-credential value.
🔍 Monitor for new extension installs and sudden changes in extension inventory across fleets.
📣 Train users: “Real URL does not mean real page” when extensions are involved.
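The "allowlist-only plus drift monitoring" actions above, as an added example that is not the newsletter's code: it emits the block-by-default Chrome managed policy and checks a fleet inventory snapshot against the allowlist. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome enterprise policy names and `/etc/opt/chrome/policies/managed/` is Chrome's managed-policy directory on Linux; every extension ID, host name and inventory entry is a constructed placeholder.

```python
"""Block-by-default Chrome extension policy plus fleet drift checks (added
example, not the newsletter's code). The policy keys are real Chrome enterprise
policies; every extension ID and the inventory below are constructed placeholders."""
import json
from collections import Counter

# Constructed IDs (real ones are 32 chars from a-p); names are for humans only.
ALLOWLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "corporate password manager (placeholder)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "approved ad blocker (placeholder)",
}

def build_policy(allowlist: dict) -> dict:
    """'*' in the blocklist blocks every extension; the allowlist then permits
    approved IDs only. On Linux the JSON lives in /etc/opt/chrome/policies/managed/."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
    }

def policy_json(allowlist: dict) -> str:
    return json.dumps(build_policy(allowlist), indent=2)

def find_drift(inventory: dict, allowlist: dict) -> dict:
    """inventory: {host: {extension_id: name}} snapshot from endpoints.
    Returns {host: {id: name}} for installs outside the allowlist."""
    drift = {}
    for host, exts in inventory.items():
        unapproved = {eid: n for eid, n in exts.items() if eid not in allowlist}
        if unapproved:
            drift[host] = unapproved
    return drift

def mass_installs(inventory: dict, allowlist: dict, threshold: int) -> dict:
    """Unapproved IDs present on at least `threshold` hosts: one extension
    landing on many machines at once is the 'mass install' signal."""
    counts = Counter(eid for exts in inventory.values()
                     for eid in exts if eid not in allowlist)
    return {eid: n for eid, n in counts.items() if n >= threshold}

# Constructed fleet snapshot: host-02 and host-03 picked up the same unknown ID.
SAMPLE_INVENTORY = {
    "host-01": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "pw manager",
                "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "ad blocker"},
    "host-02": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "pw manager",
                "cccccccccccccccccccccccccccccccc": "Free PDF Tools"},
    "host-03": {"cccccccccccccccccccccccccccccccc": "Free PDF Tools"},
}
```

`find_drift` reports host-02 and host-03 as out of policy, and `mass_installs(..., threshold=2)` surfaces the shared unknown ID as the one to investigate first.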
Risk Level: Critical
Business Impact: Exposed telnet services can be trivially compromised, leading to device takeover, botnet enrollment, and pivoting into internal networks.
What You Need to Know: A critical authentication bypass in GNU InetUtils telnetd, CVE-2026-24061, is being actively abused as defenders track hundreds of thousands of exposed systems, highlighted in reporting on widespread scanning activity by GovInfoSecurity.
Why This Matters:
Telnet exposure is almost always legacy debt, and legacy debt gets collected with interest.
Attackers love “old but reachable” because compromise is cheap and scalable.
Once a device is owned, it becomes infrastructure for the next stage (pivot, proxy, persistence).
Executive Actions:
🛑 Disable Telnet wherever it exists; block port 23 at the edge and internally where feasible.
🩹 Patch GNU InetUtils to fixed versions (or remove the service entirely).
🧭 Scan for unexpected Telnet exposure across internet-facing and internal networks.
🧱 Segment legacy/IoT systems and restrict outbound traffic to reduce botnet and beaconing risk.
🩹 Accelerate patching for SolarWinds WHD, Fortinet SSO, and Office emergency updates, then verify coverage within 72 hours
🔒 Lock down “admin-adjacent” systems (help desk, SSO, management consoles) to trusted networks only
🧩 Move browser extensions to allowlist-only and monitor for drift or mass installs
🛑 Eliminate Telnet exposure (disable service, block port 23, segment legacy systems)
🕵️ Hunt for stealthy persistence and credential theft patterns tied to espionage-grade tradecraft
💡 If your security plan assumes “nobody uses Telnet anymore” and “the URL looks fine,” you are about to learn something expensive. 💡
J.W.
(P.S. Forward to your CISO/Risk Team to keep them informed!)