Multiple vendors issued fixes for high-impact vulnerabilities that could enable privilege escalation, tenant-wide compromise, security feature bypass, or remote code execution. OpenStack patched CVE-2026-22797 in keystonemiddleware affecting deployments using external_oauth2_token, where failure to sanitize incoming identity headers allows authenticated users to forge headers (e.g., X-Is-Admin-Project, X-Roles, X-User-Id) to escalate privileges or impersonate other users; fixes were released across supported branches and the issue was reported by a Red Hat researcher.
Microsoft patched CVE-2026-20965 in Windows Admin Center’s Azure SSO (fixed in Azure Extension v0.70.00), where improper token validation could let an attacker with local admin on a WAC-enabled Azure VM/Arc machine combine a stolen WAC.CheckAccess token with a forged PoP token to enable lateral movement and tenant-wide access under certain conditions. Separately, Microsoft addressed CVE-2026-20824 in Windows Remote Assistance, an Important security feature bypass that can allow attackers to evade Mark of the Web (MOTW) protections via social engineering. Progress Software also released patches for CVE-2025-13444 and CVE-2025-13447 (CVSS 8.4) affecting LoadMaster and MOVEit WAF, where crafted UI/API requests can trigger command injection leading to remote code execution; the vendor stated it had no evidence of in-the-wild exploitation at the time of release.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
By January 16, 2026, OpenStack had released fixes for CVE-2026-22797 across multiple keystonemiddleware release branches. The vulnerability allowed authenticated attackers in deployments using external_oauth2_token middleware to forge identity headers and potentially gain administrative privileges or impersonate other users.
On January 13, 2026, Microsoft disclosed CVE-2026-20824 and released security updates for affected Windows client and server platforms. The flaw allows a Mark of the Web security feature bypass in Windows Remote Assistance, though Microsoft assessed exploitation as less likely and not observed in the wild.
On January 13, 2026, Microsoft fixed CVE-2026-20965 in Windows Admin Center Azure Extension v0.70.00. The patch addressed improper token validation that could let an attacker with local administrator access pivot to broader Azure tenant resources.
On January 12, 2026, Progress Software released fixes for CVE-2025-13444 and CVE-2025-13447, two high-severity command injection vulnerabilities affecting LoadMaster load balancers and MOVEit Web Application Firewalls. Progress said it had no evidence of in-the-wild exploitation at the time of the advisory and urged customers to patch promptly.
Cymulate Research Labs reported CVE-2026-20965 to Microsoft in August 2025. The vulnerability affected Windows Admin Center Azure Single Sign-On and could enable tenant-wide compromise through improper token validation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourcecybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.