
In January 2026, the most notable threats in the global cybersecurity landscape did not stem from the emergence of new attack techniques or sophisticated zero-day exploits, but rather from the continued external exposure of already well-known services and infrastructure. From legacy Telnet services to firewall devices positioned at the core perimeter of enterprise networks, and critical servers responsible for large-scale organizational communications, attackers consistently prioritized accessible attack surfaces over technical complexity.
This article analyzes three global security issues from January 2026 where real-world exploitability and operational risk were clearly demonstrated. For each case, we outline the core threat, the exposure status of affected assets identified using Criminal IP, and the corresponding security insights. The goal is to provide a practical framework for risk assessment, rather than simply listing vulnerabilities or incidents.
1. GNU InetUtils telnetd: An Authentication Bypass Vulnerability Lurking for 11 Years (CVE-2026-24061)
Summary
The first issue examined is a critical authentication bypass vulnerability in GNU InetUtils telnetd that remained hidden for more than 11 years. Although Telnet may appear to be a legacy technology in steady decline, it is still widely used in legacy equipment and industrial control systems. The GNU InetUtils telnetd authentication bypass vulnerability disclosed in January 2026 (CVE-2026-24061, CVSS 9.8) brought this long-forgotten attack surface back to the forefront.
The vulnerability arises from the way telnetd invokes the login process. By abusing specific environment variable values, an attacker can remotely bypass authentication and gain root-level access. Affected versions are reported to be GNU InetUtils 1.9.3 through 2.7, and the vulnerability has been listed in the NVD with CISA KEV designation, significantly elevating its remediation priority.
Telnet often remains in use within internal networks, embedded systems, OT environments, and legacy devices. Once exposed to the internet, attackers can attempt full system compromise without the need for credential theft.
GNU InetUtils telnetd Asset Analysis Results

Criminal IP Search Query: service:telnet AND port:23
To identify assets exposing Telnet services to the internet, queries like the one above can be used.
Criminal IP Insights
The CVE-2026-24061 case demonstrates that externally exposed Telnet services can become an immediate pathway to full system compromise, rather than merely a source of information leakage. More importantly, the focus should not be solely on the existence of a vulnerability, but on accessibility itself. Even before considering authentication mechanisms, the mere exposure of a Telnet service can constitute a serious security risk.
2. Surge in “Automated Configuration Attacks” Targeting Fortinet FortiGate Firewalls
Summary
According to a recent report by Arctic Wolf, automated attacks targeting Fortinet FortiGate firewalls, aimed at stealing configuration data and making unauthorized configuration changes, are rapidly increasing.
The key concern is not simple scanning, but a chained attack pattern that unfolds within seconds: (1) account creation and persistence establishment → (2) granting VPN access → (3) exfiltration of firewall configuration data. This activity shows behavioral similarities to the exploitation of FortiCloud SSO/SAML–related vulnerabilities observed in December 2025 (e.g., CVE-2025-59718 / CVE-2025-59719). The report warns that even in patched environments, compromises can be reproduced when insecure SSO login configurations, exposed management interfaces, and configuration drift coexist in operational settings.
Firewall configuration leakage goes far beyond simple information disclosure. Configuration files often contain operationally critical details, such as network topology, access control policies, VPN settings, and authentication configurations, which can be directly leveraged for follow-on attacks and lateral movement within the environment.
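The three-step chain described above (admin account creation, VPN access grant, configuration export) is fast enough that a human reviewing logs the next morning will miss it; the defensive value is in correlating the steps by source address within a short window. The following Python is an added example of that correlation and is not code from the article or from Arctic Wolf. The sample lines are constructed in the key=value style of FortiGate system event logs; the field names (date, time, user, ui, action, cfgpath, cfgobj, msg) follow that format, but the addresses, object names, the choice of cfgpath values that count as "granting VPN access", and the exact wording of the backup message are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value event-log style (not real device
# output). Field names follow FortiGate's system event logs; the hosts, addresses,
# object names and the backup message text are assumptions for this example.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:01 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-15 time=03:12:04 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.10)" action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[svc_backup]" msg="Edit user.group sslvpn_users"',
    'date=2026-01-15 time=03:12:09 type="event" subtype="system" level="information" user="svc_backup" ui="https(203.0.113.10)" action="backup" cfgpath="system.config" msg="Backup config to local computer"',
    'date=2026-01-15 time=09:00:12 type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="helpdesk2" msg="Add system.admin helpdesk2"',
    'date=2026-01-15 time=17:30:00 type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" action="backup" cfgpath="system.config" msg="Backup config to local computer"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_event(line):
    """Turn one key=value log line into a dict with a parsed timestamp and source IP."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    # GUI actions carry the client address inside ui="https(a.b.c.d)"; fall back to srcip.
    m = UI_IP_RE.search(ev.get("ui", ""))
    ev["src"] = m.group(1) if m else ev.get("srcip", "unknown")
    return ev


def classify_step(ev):
    """Map an event to a step of the chain in the report (1, 2, 3) or None."""
    action = ev.get("action", "")
    path = ev.get("cfgpath", "")
    msg = ev.get("msg", "").lower()
    if action == "Add" and path == "system.admin":
        return 1  # new administrator account: persistence
    if action in ("Add", "Edit") and path.startswith(("user.group", "vpn.ssl")):
        return 2  # VPN access granted (assumed: SSL-VPN group or settings change)
    if action == "backup" or "backup config" in msg:
        return 3  # configuration exported (assumed message wording)
    return None


def detect_config_attack_chains(lines, window_seconds=60):
    """Return one finding per source IP that performs steps 1 -> 2 -> 3, in order,
    within window_seconds of the account creation. Events are grouped by source
    address rather than by user name, because step 1 creates the user that step 3
    will later run as."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_src = {}
    for ev in events:
        by_src.setdefault(ev["src"], []).append(ev)

    findings = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            if classify_step(first) != 1:
                continue
            deadline = first["ts"] + timedelta(seconds=window_seconds)
            vpn_granted = False
            for later in evs[i + 1:]:
                if later["ts"] > deadline:
                    break  # outside the window: routine admin work, not the chain
                step = classify_step(later)
                if step == 2:
                    vpn_granted = True
                elif step == 3 and vpn_granted:
                    findings.append({
                        "src": src,
                        "new_admin": first.get("cfgobj"),
                        "elapsed_seconds": int((later["ts"] - first["ts"]).total_seconds()),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in detect_config_attack_chains(SAMPLE_LOGS):
        print(f"chain from {f['src']}: admin {f['new_admin']} created, config exported {f['elapsed_seconds']}s later")
```

On the sample data the 203.0.113.10 sequence is reported (8 seconds from account creation to export) while the legitimate admin on 10.0.0.5, who adds an account in the morning and takes a backup in the evening, is not. Tune window_seconds to how quickly your own administrators actually perform these steps, and treat a hit as an incident, not an alert to triage later: once the configuration has left the device, patching does not recover it.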
Fortinet FortiGate Asset Analysis Results

Criminal IP Search Query: service:https AND product:FortiGate
FortiGate supports a variety of management and service ports, but in real-world operations, HTTPS-based management interfaces and portals are often exposed to the internet. The query above can be used to identify exposed FortiGate assets.
Criminal IP Insights
Edge devices such as FortiGate serve as an organization’s first line of defense. However, from a Criminal IP perspective, many management interfaces are unintentionally exposed to the public internet. In particular, when the FortiCloud SSO feature is enabled, these interfaces become especially attractive targets for attackers. Beyond applying patches, it is critical to restrict external access to management pages based on IP allowlists, enforce multi-factor authentication (MFA), or adopt a visibility-driven security approach using attack surface management solutions such as Criminal IP ASM.
3. Cisco Unified CM: Actively Exploited Zero-Day RCE (CVE-2026-20045)
Summary
On January 21, 2026, Cisco released a security advisory and patch for CVE-2026-20045, affecting its Unified Communications product line. This vulnerability can lead to remote code execution (RCE) through specially crafted HTTP requests sent to the web-based management interface, and active exploitation has been confirmed. CISA has added this vulnerability to its KEV (Known Exploited Vulnerabilities) Catalog, elevating it beyond a standard patch recommendation to an issue requiring immediate action.
Unified CM is a core component of enterprise communications infrastructure. A successful compromise can impact calls, messaging, accounts, and overall communication flows, and may also be leveraged as a foothold for lateral movement within internal networks.
Cisco Unified CM Asset Analysis Results

Criminal IP Search Query: service:https AND product:Cisco
Given the broad scope of Cisco products and the widespread use of HTTPS-based services, the query is designed to broadly identify externally exposed Cisco management and service interfaces. In particular, UC and collaboration servers such as Unified CM often include web-based management UIs, making it possible to prioritize the identification of management endpoints that are directly accessible from the internet.
Criminal IP Insights
UC and collaboration infrastructures like Cisco Unified CM are responsible for mission-critical organizational communications. When compromised, the impact extends beyond a single server outage to organization-wide operational disruption. From a Criminal IP perspective, these systems are frequently deployed across headquarters, branch offices, and cloud environments, leading to recurring cases where certain instances are unintentionally exposed to the internet and fall into management blind spots.
Especially in the case of zero-day vulnerabilities, real-world exploitability is determined less by patch status and more by whether the management interface is externally accessible. Test environments, temporary instances created during migrations, or externally permitted access for administrative convenience can all become initial entry points for attackers. For this reason, Cisco environments require more than patching alone; they demand comprehensive visibility across all externally identifiable assets.
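The three asset analysis sections above each reduce to a search query and a prioritization rule: Telnet on port 23, FortiGate over HTTPS, and Cisco management interfaces over HTTPS, with severity raised where the January 2026 CVEs apply. The following Python is an added example of that triage logic run over an inventory; it is not code from the article or from Criminal IP, and its query matcher is only an approximation of the search syntax shown above (AND-only terms, case-insensitive substring match on text fields, exact match on port), not Criminal IP's real search engine. The inventory records are constructed, and the affected-version check uses the 1.9.3 through 2.7 range the article reports for GNU InetUtils.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One externally reachable service, as an attack surface inventory would record it."""
    ip: str
    port: int
    service: str
    product: str = ""
    version: str = ""


# Constructed inventory records (documentation-range addresses, not real hosts).
INVENTORY = [
    Asset("198.51.100.7", 23, "telnet", "GNU inetutils telnetd", "2.4"),
    Asset("198.51.100.8", 23, "telnet", "", ""),
    Asset("198.51.100.20", 443, "https", "FortiGate", "7.4.3"),
    Asset("198.51.100.30", 443, "https", "Cisco Unified CM", "14"),
    Asset("198.51.100.40", 443, "https", "nginx", "1.24"),
    Asset("198.51.100.50", 2323, "telnet", "GNU inetutils telnetd", "2.6"),
]


def parse_version(version):
    """'2.7' -> (2, 7); empty or non-numeric strings yield an empty tuple."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def inetutils_affected(version):
    """True if the version lies in the reported affected range 1.9.3 through 2.7 inclusive."""
    v = parse_version(version)
    if not v:
        return False  # unknown version: do not claim the CVE, exposure alone is still flagged
    pad = lambda t: t + (0,) * (3 - len(t))
    return pad((1, 9, 3)) <= pad(v) <= pad((2, 7))


def matches_query(asset, query):
    """Evaluate a 'field:value AND field:value' query against one asset (approximation)."""
    for term in query.split(" AND "):
        field, _, value = term.partition(":")
        actual = getattr(asset, field, None)
        if actual is None:
            return False
        if field == "port":
            if int(value) != actual:
                return False
        elif value.lower() not in str(actual).lower():
            return False
    return True


# (query from the article, finding text, default severity for mere exposure)
RULES = [
    ("service:telnet AND port:23", "Telnet exposed to the internet", "high"),
    ("service:https AND product:FortiGate", "FortiGate HTTPS management interface exposed", "high"),
    ("service:https AND product:Cisco", "Cisco HTTPS management/service interface exposed", "high"),
]


def triage(assets):
    """Apply the three exposure rules; raise severity where the January 2026 CVEs apply."""
    findings = []
    for asset in assets:
        for query, text, severity in RULES:
            if not matches_query(asset, query):
                continue
            if query.startswith("service:telnet") and inetutils_affected(asset.version):
                severity, text = "critical", text + " (GNU InetUtils in CVE-2026-24061 range)"
            elif "product:Cisco" in query and "unified cm" in asset.product.lower():
                severity, text = "critical", text + " (Unified CM, CVE-2026-20045 in CISA KEV)"
            findings.append({"ip": asset.ip, "port": asset.port, "severity": severity, "finding": text})
    # critical first, then by address, so the list reads as a remediation order
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["ip"]))


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['severity']:<8} {f['ip']}:{f['port']}  {f['finding']}")
```

Two things the run makes visible: the unknown-version Telnet host is still flagged, because the article's point is that exposure itself is the risk, and the Telnet instance on port 2323 is missed entirely by the literal port:23 query. When you adapt these queries to your own inventory, search on service:telnet alone as well, so non-standard ports do not fall into a blind spot.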
FAQ
Q1 What was the biggest common factor among the threats observed in January 2026?
While the major security issues highlighted in January 2026 differed in their technical backgrounds, there was a clear commonality in the conditions that enabled real-world attacks. In all three cases, attackers prioritized externally accessible management interfaces over novel intrusion techniques as their primary attack vectors. Services such as Telnet, firewall management interfaces, and web-based management UIs of communication servers were originally designed for internal operational use. However, once these interfaces are exposed to the public internet, a single vulnerability can be sufficient to gain high-level privileges and fully compromise the system.
This month’s incidents clearly demonstrate that accessibility, rather than vulnerability severity alone, determined attack success.
Q2 Is proper software patching alone sufficient for security?
No, it is not sufficient. As seen in the Fortinet case, if configuration files are already exfiltrated prior to patching, attackers may retain valid intelligence even after the vulnerability is fixed. Moreover, without knowing which assets are exposed and to what extent, effective remediation is not even possible. Modern threat landscapes have shown the limitations of relying solely on software patching to address cyber risks.
As a result, gaining visibility into all exposed assets through attack surface management solutions, such as Criminal IP ASM, must precede patching efforts.
Conclusion
The global security issues observed in January 2026 once again confirmed that today’s threats cannot be mitigated through single-vulnerability remediation alone. Across Telnet, firewall, and communication server cases, attackers first selected accessible entry points, followed by rapid exploitation after vulnerability disclosure. The starting point of security is no longer “what is vulnerable,” but rather “what is externally exposed.” Only when visibility into externally visible assets is established can patching and configuration changes function as truly effective defensive measures.
For a related case, see MongoBleed (CVE-2025-14847): Critical Memory Leak in MongoDB and ASM-Based Mitigation.
You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo and try Criminal IP's threat intelligence (TI) analysis of externally exposed assets at the Enterprise level.

Source: Criminal IP (https://www.criminalip.io/), Security Affairs (https://securityaffairs.com/187255/security/11-year-old-critical-telnetd-flaw-found-in-gnu-inetutils-cve-2026-24061.html), The Hacker News (https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html), BleepingComputer (https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/)
Related Article: https://www.criminalip.io/knowledge-hub/blog/31875
