THE CXO BRIEF
What 5,000+ IT Leaders Are Thinking This Week
January 30, 2026
📖 4 min read
Three zero-days in one week. While I was writing last issue, Fortinet disabled cloud SSO across all customers, Microsoft rushed an emergency Office patch, and 72 million Under Armour records hit the dark web. Different incidents. Same uncomfortable question
📰 THREE STORIES THAT MATTER
1. Fortinet's Cloud SSO lets attackers access other customers' firewalls
A critical vulnerability (CVE-2026-24858, CVSS 9.4) allowed anyone with a FortiCloud account and a registered device to log into other customers' firewalls if those devices had FortiCloud SSO enabled. Fortinet disabled all FortiCloud SSO on January 26 after detecting active exploitation, then restored it on January 27 only for patched devices.
Even teams that patched the December FortiGate SSO bypass (CVE-2025-59718/59719) were still exposed here. Arctic Wolf observed automated attacks creating rogue admin accounts on compromised devices. CISA added it to the KEV catalog on January 27 with a deadline of January 30. Yesterday.
🔐 CISO Take: Check for IOCs immediately. Fortinet published specific account names that attackers created: audit, backup, itadmin, secadmin, support, backupadmin, remoteadmin. If any of those exist on your FortiGate devices and you didn't create them, assume compromise.
💻 CIO Take: This is the second critical Fortinet SSO bypass in six weeks. If your renewal conversation wasn't already scheduled, it is now. Document the timeline of how you learned about each vulnerability. That's data for the negotiation.
⚙️ CTO Take: Disable FortiCloud SSO if you don't need cloud-based management. If you do, verify you're running the patched firmware (7.0.17, 7.2.10, 7.4.7, or 7.6.2+) and audit every admin account against a known-good baseline. A FortiGate config backup records no creation dates, so "created since January 1" means diffing against a pre-January backup or checking your event logs, not reading the current config alone.
📡 Network signal: Several teams told us this was the first time a firewall vendor showed up in a renewal conversation as the risk.
The bottom line: If you use FortiCloud SSO, check for rogue admin accounts today. The deadline was yesterday.
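The two checks above (firmware at or past the fixed build for its branch; rogue or unexpected admin names) can be run offline against a FortiGate config backup. The script below is an added example, not Fortinet's tooling or the newsletter's, and it works on a constructed config sample. It assumes the standard FortiOS backup layout (a `#config-version=` header carrying the version, four-space indentation per nesting level, `config system admin` ending with a column-0 `end`) and the FortiOS 7.x setting name `admin-forticloud-sso-login`, which you should confirm against the CLI reference for your build. The rogue names and fixed versions are exactly those the story lists.

```python
"""Added example: triage a FortiGate config backup for the FortiCloud SSO story.

Checks: (1) firmware vs the fixed release for its branch, (2) FortiCloud SSO
login enabled, (3) admin accounts that match the published rogue names or are
absent from your baseline. Assumptions are flagged in comments.
"""
import re

# Rogue admin names published by Fortinet, as listed in the story.
IOC_ADMIN_NAMES = {"audit", "backup", "itadmin", "secadmin", "support",
                   "backupadmin", "remoteadmin"}

# First fixed patch level per branch, as stated in the story (7.6.2+ for 7.6).
FIXED_VERSIONS = {(7, 0): 17, (7, 2): 10, (7, 4): 7, (7, 6): 2}


def parse_version(config_text):
    """Extract (major, minor, patch) from the '#config-version=' header line.

    Header shape assumed: #config-version=FGT60F-7.4.5-FW-build2702-240828:...
    """
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-FW", config_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True/False for branches in FIXED_VERSIONS; None if branch unknown."""
    if version is None:
        return None
    major, minor, patch = version
    fixed = FIXED_VERSIONS.get((major, minor))
    return None if fixed is None else patch >= fixed


def forticloud_sso_enabled(config_text):
    """Setting name per FortiOS 7.x CLI (assumption: verify for your build)."""
    return re.search(r"^\s*set admin-forticloud-sso-login enable\b",
                     config_text, re.M) is not None


def parse_admins(config_text):
    """Return {admin_name: accprofile} from the top-level 'config system admin'.

    Assumes FortiOS's four-space indentation: admin entries sit at one level
    ('    edit "name"' ... '    next'), so nested blocks inside an admin entry
    (e.g. gui-dashboard) don't terminate the match early.
    """
    section = re.search(r"^config system admin\n(.*?)^end\b", config_text, re.M | re.S)
    if not section:
        return {}
    admins = {}
    for entry in re.finditer(r'^    edit "([^"]+)"\n(.*?)^    next$',
                             section.group(1), re.M | re.S):
        name, body = entry.group(1), entry.group(2)
        prof = re.search(r'set accprofile "([^"]+)"', body)
        admins[name] = prof.group(1) if prof else ""
    return admins


def triage(config_text, baseline_admins):
    """Combine the checks. baseline_admins: set of names you know you created."""
    version = parse_version(config_text)
    admins = parse_admins(config_text)
    ioc = sorted(n for n in admins if n.lower() in IOC_ADMIN_NAMES)
    unexpected = sorted(n for n in admins
                        if n not in baseline_admins and n not in ioc)
    return {
        "version": version,
        "patched": is_patched(version),
        "forticloud_sso_enabled": forticloud_sso_enabled(config_text),
        "ioc_admins": ioc,                 # assume compromise if non-empty
        "unexpected_admins": unexpected,   # not an IOC name, but not yours either
        "admins": admins,
    }


# Constructed sample backup (not a real device): 7.4.5 with SSO on and a
# "backupadmin" super_admin that the baseline does not know about.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.5-FW-build2702-240828:opmode=0:vdom=0:user=admin
#conf_file_ver=12345
config system global
    set admin-forticloud-sso-login enable
    set hostname "fw-branch-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
"""

if __name__ == "__main__":
    result = triage(SAMPLE_CONFIG, baseline_admins={"admin", "netops"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it over each device's backup (or the output of `show full-configuration`); a non-empty `ioc_admins` is the "assume compromise" case from the CISO take, and an `unexpected_admins` entry is the one the config alone can't date, so take it to your event logs.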
2. Microsoft Office Zero-Day Bypasses Macro Warnings
Microsoft released an emergency out-of-band patch on January 27 for CVE-2026-21509 (CVSS 7.8), a security feature bypass that is actively being exploited. The flaw lets attackers bypass OLE mitigations, the protections that normally warn you before Office loads external content. Open the document, and it loads a Shell.Explorer.1 object (embedded Internet Explorer) that can access local files and run scripts. No macro warning. No "Enable Content" prompt.
Affected: Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. CISA added it to the KEV catalog with a February 16 deadline for federal agencies. Office 2021+ gets the fix via automatic update (a restart is required). Office 2016/2019 patches were released on January 28 and require manual deployment.
🔐 CISO Take: This bypasses the controls users have been trained to watch for. "Don't click Enable Content" doesn't help when there's no prompt. Push the patch now. Don't wait for your normal cycle.
💻 CIO Take: If you're still running Office 2016 or 2019, the manual patch deployment is your problem. Office 2021+ gets the fix automatically, but users need to restart. Send the "restart your apps" email today.
⚙️ CTO Take: The exploit loads Shell.Explorer.1, a legacy COM object that embeds IE. Some teams are now blocking this control as defense-in-depth, typically by pushing the ActiveX kill bit for its CLSID via Group Policy, since they weren't using embedded browser functionality in Office anyway.
📡 Network signal: Emergency patches don't fit in normal cycles. Office 2016/2019 shops don't have auto-update as an escape hatch. If this week proved anything, it's that legacy software isn't just technical debt. It's a security debt with compounding interest.
The bottom line: Office zero-day, actively exploited, no macro warning required. Push the emergency patch before the weekend.
3. Under Armour Breach: 72 Million Customers' Data Now on the Dark Web
The Everest ransomware group has published data from Under Armour, including 72 million unique email addresses, names, phone numbers, physical addresses, and purchase history. The data is now circulating across multiple hacker forums.
This matters for enterprise security because consumer breaches become corporate attack fuel. Your employees are Under Armour customers. Attackers now have their personal emails, home addresses, and purchase patterns. Exactly what's needed for targeted phishing or credential stuffing against your SSO.
🔐 CISO Take: Brief your team: employees whose personal email patterns mirror their corporate identity are now higher-risk targets. Consider running a credential exposure check against the breach dataset when it becomes searchable.
💻 CIO Take: This is a third-party risk conversation. Under Armour probably isn't on your vendor list, but how many of your actual vendors share a similar security posture? If you're not asking vendors about ransomware response plans, add it to the questionnaire.
📡 Network signal: Identity and access mentions doubled from Q4 2025 to Q1 2026. Consumer breaches like this accelerate the trend. 72 million identities just got easier to target, and password reuse turns a leaked email address into a credential-stuffing candidate.
The bottom line: Consumer breaches become enterprise threats. Your employees' personal data is now attack fuel.
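The CISO take above asks you to find employees whose personal addresses mirror their corporate identity (jane.smith84@gmail.com next to jsmith@corp). The script below is an added example, not the newsletter's or any vendor's code, and it runs on a constructed directory and a constructed leaked-address list rather than the actual breach data. It normalizes local-parts (drops `+tags`, separators and trailing digits), generates the common first/last patterns for each employee, and also flags any corporate address that appears in the dump directly. The directory fields and domain are assumptions for illustration.

```python
"""Added example: flag employees whose personal email local-parts mirror their
corporate identity, so they can be briefed as higher-risk phishing targets.
"""
import re


def local_part(email):
    return email.strip().lower().split("@", 1)[0]


def normalize(local):
    """Drop a +tag, separators and trailing digits: 'jane.smith84' -> 'janesmith'."""
    local = local.split("+", 1)[0]
    local = re.sub(r"[._-]", "", local)
    return re.sub(r"\d+$", "", local)


def identity_patterns(first, last):
    """Normalized local-part shapes people commonly reuse for personal mail."""
    f, l = first.lower(), last.lower()
    return {f + l, f[0] + l, f + l[0], l + f, l + f[0]}


def build_index(directory):
    """Map each normalized pattern to the corporate addresses it could belong to.

    directory: iterable of dicts with 'first', 'last', 'corp_email' (assumed shape).
    """
    index = {}
    for person in directory:
        pats = identity_patterns(person["first"], person["last"])
        pats.add(normalize(local_part(person["corp_email"])))
        for pat in pats:
            index.setdefault(pat, set()).add(person["corp_email"].lower())
    return index


def risky_employees(directory, leaked_emails):
    """Return sorted (corp_email, leaked_email, reason) tuples.

    reason is 'corporate address in dump' for a direct hit, otherwise
    'personal address mirrors identity'. Single-initial patterns (jsmith) can
    collide across people with short names, so treat output as a triage list.
    """
    index = build_index(directory)
    corp_addresses = {p["corp_email"].lower() for p in directory}
    hits = set()
    for leaked in leaked_emails:
        addr = leaked.strip().lower()
        if addr in corp_addresses:
            hits.add((addr, addr, "corporate address in dump"))
            continue
        for corp in index.get(normalize(local_part(addr)), ()):
            hits.add((corp, addr, "personal address mirrors identity"))
    return sorted(hits)


# Constructed sample data (not real people, not breach data).
DIRECTORY = [
    {"first": "Jane", "last": "Smith", "corp_email": "jsmith@example.com"},
    {"first": "Raj", "last": "Patel", "corp_email": "raj.patel@example.com"},
    {"first": "Ana", "last": "Lopez", "corp_email": "alopez@example.com"},
]

LEAKED_EMAILS = [
    "jane.smith84@gmail.com",      # first.last + digits -> Jane
    "rpatel+shop@outlook.com",     # initial+last with a +tag -> Raj
    "Raj.Patel@example.com",       # corporate address used at a retailer
    "lopez.ana@proton.me",         # last.first -> Ana
    "soccerdad77@yahoo.com",       # no identity signal
]

if __name__ == "__main__":
    for corp, leaked, reason in risky_employees(DIRECTORY, LEAKED_EMAILS):
        print(f"{corp:<24} <- {leaked:<28} ({reason})")
```

Feed it your HR directory and the addresses your threat-intel provider returns for the breach; the direct-hit rows are the ones to brief first, since a corporate address in a consumer dump is a ready-made lure for the SSO phishing the story describes.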
🎯 FOUR THINGS TO DO THIS WEEK
1. Check FortiGate for rogue admin accounts. Search for audit, backup, itadmin, secadmin, support, backupadmin, remoteadmin. If they exist and you didn't create them, escalate immediately.
2. Push the Microsoft Office emergency patch. CVE-2026-21509 is actively exploited and bypasses macro warnings. Office 2021+ auto-updates; Office 2016/2019 requires manual deployment.
3. Send the "restart your apps" reminder. The Office patch won't take effect until users restart. A simple email now prevents the "I thought I was patched" conversation later.
4. Run a credential exposure check. Use Have I Been Pwned or your threat intel provider to check employee emails against the Under Armour dataset once breach feeds are indexed.
📊 FROM THE NETWORK
This week's signal: The perimeter isn't the firewall. It's the credential.
Identity and access mentions in member priorities doubled from Q4 2025 to Q1 2026 (4.8% → 9.5%). Fortinet's cloud just proved that even your firewall vendor can become an identity risk.
Consumer breaches, like those at Under Armour, accelerate this. 72 million email addresses, many matching corporate domains, are now in the attacker's hands. The phishing that follows won't look like spam. It'll reference real purchases, real addresses, real names.
The organizations getting ahead are treating identity as the primary attack surface. Not just for employees, but for the personal data those employees leave scattered across vendors they never vetted.
💬 YOUR TURN
Do you notify employees when consumer breaches expose their data? Or treat it as their problem? Reply and tell me. I read every response.
JOIN THE NETWORK
The CXO Brief is published by DoGood, a network of 5,000+ IT leaders at companies averaging $24B in revenue.
How it works: You control your calendar. Every meeting is opt-in, pre-screened, and paid ($200-400).
The data in this newsletter comes from real conversations with real IT leaders. Not surveys, not analysts, not vendors.
