Ivanti & Office Zero-Days, Sandbox Escapes, and the “Zombie” Telnet Exploit

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Enterprise Infrastructure Under Zero-Day Fire

The most critical threats this week involve active, unauthenticated attacks against the gateways, management consoles, and productivity tools that form the backbone of enterprise operations.

• Ivanti EPMM Zero-Day RCE (CVE-2026-1281 & -1340) — Ivanti has disclosed two critical zero-day vulnerabilities allowing unauthenticated remote code execution (RCE) on Endpoint Manager Mobile appliances. Attackers are actively injecting code to compromise appliances, potentially exposing sensitive mobile device management (MDM) data and administrative controls.

• Microsoft Office Zero-Day (CVE-2026-21509) — Attackers are exploiting a “Security Feature Bypass” in Microsoft Office to execute malicious code via crafted documents. By circumventing OLE mitigations, this zero-day renders standard protections ineffective against locally executed files.

• Fortinet FortiCloud SSO Bypass (CVE-2026-24858) — A critical flaw allows attackers with any valid FortiCloud account to bypass authentication and access other organizations’ devices if SSO is enabled. This cross-tenant vulnerability is being actively exploited to steal firewall configurations and establish persistence.

• SolarWinds Web Help Desk RCE (CVE-2025-40551) — Four critical vulnerabilities, including unauthenticated RCE via insecure deserialization, have been patched. Given the product’s history of exploitation, these flaws are considered high-priority targets for imminent weaponization.

2. The “Sandbox” Is Broken: Automation Tools at Risk

As low-code and automation platforms become deeply integrated into business logic, their isolation mechanisms are failing, allowing attackers to escape and compromise the underlying host servers.

• n8n Workflow Automation RCE (CVE-2026-1470 & -0863) — Two high-severity vulnerabilities allow authenticated users to escape the JavaScript and Python sandboxes within n8n. By leveraging eval injection and Python string formatting, attackers can break out of the workflow engine to execute arbitrary code on the host.

• vm2 Node.js Library Sandbox Escape (CVE-2026-22709) — A critical flaw in the widely used vm2 library allows attackers to escape the sandbox by abusing unsanitized asynchronous Promise callbacks. Since vm2 is often used by SaaS platforms to run untrusted user code, this vulnerability enables trivial host compromise.

3. Legacy Code and “Trusted” Evasion Techniques

Attackers are finding success by looking backward to decades-old code and looking forward to sophisticated abuse of trusted system binaries.

• GNU InetUtils Telnetd Root Access (CVE-2026-24061) — An 11-year-old vulnerability is being actively exploited to gain unauthenticated root access. By simply passing a manipulated environment variable (USER=-f root) during the Telnet handshake, attackers force the system to skip password validation entirely.

• WinRAR Path Traversal (CVE-2025-8088) — Despite a patch being available since mid-2025, active exploitation continues. Attackers abuse Windows Alternate Data Streams (ADS) to bypass security checks and drop malicious files into the Startup folder upon archive extraction.

• ClickFix abuses Microsoft App-V (Amatera Infostealer) — The “ClickFix” social engineering campaign has evolved to abuse the signed Microsoft App-V script SyncAppvPublishingServer.vbs. By tricking users into running this trusted script, attackers proxy execution to PowerShell, allowing the Amatera infostealer to run entirely in memory while appearing as a legitimate maintenance process.

Proactive Steps for the Week 

• Patch Zero-Days First: Immediately apply RPM patches for Ivanti EPMM, the emergency update for Microsoft Office, and the fix for Fortinet (or disable FortiCloud SSO globally).

• Kill the Telnet Service: Identify any systems running telnetd (port 23). If the service cannot be disabled, block it at the firewall and upgrade GNU InetUtils to version 2.8 immediately.

• Secure Automation Platforms: Update n8n to version 2.5.1+ and vm2 to 3.10.3+. Assume that older versions of these sandboxes provide no effective isolation against a motivated attacker.

• Block “App-V” Abuse: configure EDR or AppLocker to block the execution of SyncAppvPublishingServer.vbs or flag wscript.exe spawning PowerShell, especially if your organization does not use App-V.

• Update Management Tools: Apply the latest hotfixes to SolarWinds Web Help Desk (v2026.1) to prevent unauthenticated RCE.

• Enforce Archive Security: Ensure WinRAR is updated to v7.13+ across the fleet to stop the path traversal attacks still circulating in the wild.