Threat Feed

Threat Report 162

Written by Craig Pepper | Feb 9, 2026 9:30:00 AM

This week's threat report highlights authentication bypass issues in Fortinet and n8n, targeted espionage campaigns, attacks on software development tools, and a breach of the Substack newsletter platform.

Critical Fortinet Authentication Bypass Under Active Exploitation

Fortinet released emergency security updates to address a critical authentication bypass vulnerability affecting FortiAnalyzer, FortiManager, FortiOS, and FortiProxy products. The vulnerability allows attackers to bypass authentication using an alternative path when the FortiCloud single sign-on login feature is enabled.

The US Cybersecurity and Infrastructure Security Agency added this vulnerability to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. The flaw carries a CVSS score of 9.1, making it one of the most severe vulnerabilities disclosed this year. Attackers exploiting this weakness can gain unauthorised access to affected devices without valid credentials.

NHS organisations and UK businesses using Fortinet products for network security face significant risks from this vulnerability. FortiManager and FortiAnalyzer are commonly used for centralised management and logging across healthcare networks. FortiOS powers Fortinet firewalls that protect sensitive patient data and clinical systems. A successful exploit could allow attackers to bypass authentication controls entirely, gain administrative access to security infrastructure, monitor network traffic, modify security policies, and establish persistent access within the organisation.

To demonstrate compliance with many certifications, organisations must show effective vulnerability management and network security controls. Because this flaw is being actively exploited, it should be treated as a critical priority for patching and remediation.

Recommendations:

  • Check whether FortiCloud SSO login is enabled on your Fortinet devices immediately, as only devices with this feature enabled are vulnerable
  • Apply Fortinet's security updates for FortiAnalyzer, FortiManager, FortiOS, and FortiProxy as soon as possible, following your organisation's change management procedures
  • If immediate patching is not possible, disable the FortiCloud SSO login feature until patches can be applied
  • Review FortiManager and FortiAnalyzer logs for any suspicious authentication activity or unauthorised configuration changes from the past month
  • Verify that administrative access to Fortinet devices is restricted to trusted networks and protected by multi-factor authentication where possible
  • Document your patching timeline and any compensating controls for compliance evidence
  • Consider rotating administrative credentials and API keys after patching as a precautionary measure
  • Contact Fortinet support or your managed security service provider if you need assistance verifying your systems or identifying indicators of compromise

Critical n8n Automation Platform Vulnerabilities Allow Server Takeover

n8n disclosed multiple critical vulnerabilities that bypass security fixes implemented in December 2025. The flaws allow authenticated users with permission to create or modify workflows to execute arbitrary system commands on servers running n8n. The vulnerabilities carry a CVSS score of 9.4 and affect the expression evaluation component that processes workflow logic. Attackers can craft malicious workflow expressions to trigger unintended command execution.

Security researchers demonstrated that exploitation requires relatively little technical skill, with proof-of-concept attacks using short JavaScript snippets. The vendor warned that successful attacks could expose stored credentials, including API keys and tokens for cloud services, AI platforms, and internal systems.

Workflow automation platforms like n8n are increasingly used to connect different systems, automate administrative tasks, and integrate AI services into clinical and business processes. These platforms typically store high-value credentials that grant access to multiple systems simultaneously. A compromised automation server could expose patient data systems, clinical applications, and cloud service credentials. For organisations using n8n Cloud, the hosted multi-tenant service, a successful exploit could potentially allow attackers to access other customers' data.

Automation platforms run continuously in the background, making breaches difficult to detect as workflows continue functioning normally while attackers extract sensitive information.

Recommendations:

  • Identify all instances of n8n running within your organisation, including both self-hosted and cloud-hosted versions
  • Apply the security updates released by n8n immediately to address CVE-2026-25049
  • Review user permissions within n8n and restrict workflow creation and modification rights to only those who genuinely require them
  • Audit existing workflows for suspicious expressions or unusual system calls, particularly those created or modified by unfamiliar users
  • Rotate all credentials stored within n8n workflows, including API keys, service tokens, and authentication secrets
  • Implement network segmentation to isolate automation platforms from direct access to sensitive data systems
  • Enable enhanced logging and monitoring for n8n servers to detect unusual command execution or data access patterns
  • Consider implementing approval workflows for production automation changes to prevent unauthorised modifications
  • Document your use of automation platforms in your DSPT evidence, including security controls and credential management processes
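The workflow audit recommended above can be scripted against exported workflow JSON. The following is an added example, not code from the report or from the n8n project; it assumes the export shape (a top-level "nodes" list, each node carrying "parameters", expressions as strings beginning with "=", Code nodes holding "jsCode") and uses a constructed sample workflow. The token list is a starting point for review, not a signature for the vulnerability itself.

```python
import json
import re

# Tokens that have no place in an ordinary data-mapping expression. A hit is a
# lead for manual review, not proof of compromise.
SUSPICIOUS = re.compile(
    r"\b(require|process|child_process|exec|execSync|spawn|eval|Function|constructor)\b"
)

# Parameters that hold code rather than {{ }} expressions (assumed Code node keys).
CODE_PARAMS = {"jsCode", "pythonCode"}

# Constructed sample of an exported workflow (assumed shape; not a real export).
SAMPLE_WORKFLOW = json.dumps({
    "name": "Nightly report",
    "nodes": [
        {"name": "Map fields", "type": "n8n-nodes-base.set",
         "parameters": {"assignments": [{"name": "ref", "value": "={{ $json.id.toUpperCase() }}"}]}},
        {"name": "Build subject", "type": "n8n-nodes-base.set",
         "parameters": {"assignments": [{"name": "subject", "value": "={{ $json.name + process.env.SMTP_PASSWORD }}"}]}},
        {"name": "Transform", "type": "n8n-nodes-base.code",
         "parameters": {"jsCode": "const cp = require('child_process');\nreturn items;"}},
    ],
})


def _walk(value, path=""):
    """Yield (path, text) for every string that is an expression or code body."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _walk(child, f"{path}[{i}]")
    elif isinstance(value, str):
        last_key = path.rsplit(".", 1)[-1]
        if value.startswith("=") or last_key in CODE_PARAMS:
            yield path, value


def audit_workflow(workflow_json):
    """Return one finding per node parameter whose expression or code contains suspicious tokens."""
    workflow = json.loads(workflow_json)
    findings = []
    for node in workflow.get("nodes", []):
        for path, text in _walk(node.get("parameters", {})):
            hits = sorted(set(SUSPICIOUS.findall(text)))
            if hits:
                findings.append({"node": node.get("name"), "type": node.get("type"),
                                 "parameter": path, "tokens": hits})
    return findings
```

Run it over every workflow export (including version history, so that a modified-then-reverted workflow is not missed) and review each finding together with the audit trail of who last changed the node.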

State-Sponsored APT28 Group Exploiting Microsoft Office Zero-Day in Targeted Attacks

The Russian state-sponsored threat group APT28 (also known as Fancy Bear) began exploiting a Microsoft Office vulnerability within 24 hours of its public disclosure in late January 2026. The attacks target European military and government entities, with a particular focus on maritime and transport organisations across Poland, Slovenia, Turkey, Greece, the United Arab Emirates, and Ukraine.

The vulnerability allows attackers to execute malicious code simply by opening a specially crafted Office document, without requiring macros or any user interaction beyond opening the file. APT28 uses phishing emails with geopolitically charged content about weapons smuggling, military training programmes, and emergency bulletins to trick targets into opening weaponised documents.

While these attacks primarily target European government and military organisations, UK businesses should remain vigilant. APT28 has a history of targeting NATO member states and their allies. The speed at which this group weaponised the Office vulnerability demonstrates the importance of rapid patching.

Supply chain organisations working with European partners may be particularly at risk. The attack chain uses legitimate cloud services for command and control, making detection more difficult. For organisations handling sensitive information or working with government contracts, the threat from state-sponsored groups requires enhanced security monitoring and staff awareness.

Recommendations:

  • Ensure Microsoft's emergency patch for CVE-2026-21509 has been applied to all Office installations across your organisation
  • Educate staff about the specific risks of opening unexpected attachments, even from seemingly legitimate sources, particularly documents with geopolitical or security-related content
  • Implement enhanced email filtering to block suspicious Office documents, especially those from unexpected external sources
  • Consider using Office in Protected View mode by default for documents from external sources to prevent automatic code execution
  • Monitor for unusual network connections from Office processes, particularly connections to cloud file-sharing services like filen.io
  • Review and strengthen access controls for users handling sensitive information or working with government and defence sector partners
  • Implement application allowlisting where possible to prevent unauthorised executables from running, even if delivered via Office documents
  • Report any suspected targeting by state-sponsored groups to the National Cyber Security Centre for assistance and threat intelligence sharing
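The monitoring recommendation for unusual network connections from Office processes can be expressed as a simple triage over process-network telemetry. This is an added example, not code from the report; it assumes a CSV export with the columns shown (constructed sample rows, not a real EDR or Sysmon export) and a watch list seeded with the filen.io domain named above.

```python
import csv
import io

# Office applications whose direct outbound connections deserve scrutiny.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# filen.io comes from the report; extend from your own threat intelligence.
WATCHED_HOSTS = {"filen.io"}

# Constructed sample telemetry (assumed columns; hostnames under filen.io are made up).
SAMPLE_LOG = """\
time,host,image,dest_host,dest_port
2026-01-28T09:14:02Z,WS-0412,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,officecdn.microsoft.com,443
2026-01-28T09:14:05Z,WS-0412,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,cdn.filen.io,443
2026-01-28T09:15:11Z,WS-0412,C:\\Windows\\System32\\svchost.exe,update.microsoft.com,443
2026-01-28T09:16:40Z,WS-0977,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,filen.io,443
"""


def _host_matches(dest_host, watched):
    """True if dest_host is a watched domain or any subdomain of one (case-insensitive)."""
    dest = dest_host.lower().rstrip(".")
    return any(dest == w or dest.endswith("." + w) for w in watched)


def find_office_connections(log_text, watched=WATCHED_HOSTS):
    """Return the rows where an Office process connected to a watched host."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise the image path to a bare, lower-cased executable name.
        image = row["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in OFFICE_IMAGES and _host_matches(row["dest_host"], watched):
            alerts.append({"time": row["time"], "host": row["host"],
                           "process": image, "dest": row["dest_host"]})
    return alerts
```

A broader baseline is to alert on any Office process reaching a destination outside your approved update and collaboration domains; the watch list then becomes the high-confidence tier.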

Substack Newsletter Platform Breach Exposes User Contact Details

Substack disclosed a security breach that remained undetected for months after an unauthorised third party accessed user data in October 2025. The incident was only discovered on 3 February 2026, giving attackers approximately four months of undetected access. The exposed information includes email addresses, phone numbers, and internal account metadata. Substack reports that passwords, credit card numbers, and financial data were not accessed.

A threat actor subsequently posted a dataset on a cybercrime forum claiming to contain nearly 700,000 user records, including names, email addresses, phone numbers, user IDs, and profile images. Substack has patched the vulnerability that allowed access and launched an internal investigation.

Organisations may be affected if staff use Substack for professional newsletters or communications. The extended period between breach and detection highlights the importance of continuous security monitoring and prompt incident detection. Email addresses and phone numbers from healthcare professionals could be used for targeted phishing campaigns, business email compromise attacks, or social engineering attempts. Healthcare organisations should be aware that compromised contact details may appear authentic if they match legitimate Substack subscriptions. The breach demonstrates third-party platform risks where staff use external services for professional communications.

Recommendations:

  • Identify staff who use Substack for professional purposes or healthcare-related newsletters and communications
  • Advise affected staff to be vigilant for phishing emails that reference their Substack subscriptions or appear to come from Substack publishers they follow
  • Review your organisation's policies on using third-party platforms for professional communications and ensure staff understand approved channels
  • Implement email filtering rules to detect phishing attempts that may reference Substack or newsletter content
  • Consider whether any patient-facing or sensitive communications were conducted through Substack and assess the risk
  • Remind staff never to share NHS credentials or access sensitive systems from links in emails, even if they appear to come from trusted sources
  • Update security awareness training to include risks from compromised third-party platforms and subscription services
  • Document your assessment of third-party platform risks as part of your supplier assurance and information governance evidence

Want help staying ahead of threats like these? Contact Us about our Threat Intelligence services to keep your organisation informed about emerging risks and maintain compliance with DSPT and other regulatory requirements.