Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B (0:20)
Fortinet flaws still actively exploited, Windows 11 updates breaking some systems, a wiper aimed at Europe's power grid, attacker-in-the-middle phishing hits energy firms, and a flaw that could have put every AWS account on the planet at risk. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. Our first story today is an update on one we've been covering for the last week, and it's not reassuring for Fortinet customers. Fortinet has confirmed that a critical FortiCloud single sign-on authentication bypass, tracked as CVE-2025-59718, is still not fully patched despite fixes being released in early December. This follows reports from administrators who found fully patched FortiGate firewalls compromised in multiple cases. Attackers created new administrative accounts, enabled VPN access, and exported firewall configurations within seconds, pointing to automated exploitation. Security firm Arctic Wolf says the campaign began January 15th and closely resembles activity seen in December when the vulnerability was first disclosed. At that time, the flaw allowed attackers to bypass authentication using crafted SAML messages when FortiCloud SSO was enabled. Fortinet now acknowledges attackers are using a new attack path, impacting devices that were fully up to date at the time of compromise. The company says it is working on a comprehensive fix and will issue an updated advisory once timelines are confirmed. Fortinet also warned that while exploitation has so far been observed through FortiCloud SSO, the issue applies to all SAML-based SSO implementations. As an interim mitigation, customers are advised to restrict administrative access to trusted IP addresses and disable FortiCloud SSO where possible. Organizations finding indicators of compromise are being told to treat affected systems as fully compromised and to rotate credentials as part of their incident response.
Shadowserver estimates nearly 11,000 Fortinet devices remain exposed online with FortiCloud SSO enabled. CISA previously added this vulnerability to its Known Exploited Vulnerabilities list. Fortinet has not yet provided a timeline for a final fix. Our second story is a cautionary note for Windows administrators following January's Patch Tuesday. Microsoft says it is investigating reports that some Windows 11 systems failed to boot after installing January 2026 security updates, displaying an "unmountable boot volume" error during startup. The issue affects Windows 11 version 25H2 and all editions of version 24H2 after installing KB5074109, the cumulative update released January 13. Affected systems fail to start normally and require manual recovery steps to boot again. Microsoft says reports are limited and appear to affect physical devices only, with no virtual machines reported as impacted. Microsoft has asked affected users and administrators to submit diagnostics through the Feedback Hub while it determines whether the issue is a regression caused by the update. Separately, Microsoft also released an out-of-band update to fix different January issues related to Outlook, which were causing freezes when PST files were stored in cloud services. Quality issues with Microsoft patches ramped up in 2025 with a number of notable problems, and 2026 appears to be off on a sour note. It's hard to convince systems administrators to patch quickly when mistakes like this keep happening more frequently. Our third story takes us to Europe and a reminder that destructive cyber operations against critical infrastructure remain a real threat. A cyber attack targeting Poland's energy systems in late December has been linked to Sandworm, the Russian state-sponsored hacking group with a long history of disruptive attacks, particularly in Ukraine.
Researchers say attackers attempted to deploy a new data-wiping malware dubbed DynoWiper during an attack that took place between December 29th and 30th. Polish officials say the attack targeted two combined heat and power plants, along with a management system controlling electricity generated from renewable sources, including wind and solar. The attack appears to have failed, with no widespread outages reported. Poland's prime minister said the evidence points to groups directly linked to Russian intelligence services. Sandworm is best known for its 2015 attack on Ukraine's power grid and has been linked to multiple destructive campaigns throughout 2025 targeting Ukrainian government, education and agriculture. Technical details on DynoWiper remain limited and no public samples have surfaced so far. It's still unclear how access was gained or how long attackers remained inside Polish systems. This attack occurs while Canada in particular continues to struggle to update its critical infrastructure security laws. Our fourth story is another warning from Microsoft, this time about a highly coordinated phishing and business email compromise campaign targeting the energy sector. Microsoft says attackers are using multi-stage adversary-in-the-middle, or AiTM, approaches that begin with phishing emails sent from previously compromised but trusted accounts. The messages impersonate SharePoint document-sharing notifications, exploiting the fact that these services are widely used and trusted, a technique some have referred to as "living off trusted sites." Victims are redirected to fake portals that steal credentials and session cookies in real time, allowing attackers to bypass standard MFA protections. Once inside, attackers create malicious inbox rules to hide evidence of compromise, then use the account to launch large-scale internal and external phishing. In one case, more than 600 phishing emails were sent from a single compromised inbox.
Microsoft says remediation requires more than password resets. Organizations must revoke active sessions, remove attacker-created rules, and undo unauthorized MFA changes, and it's highly recommended that organizations support those controls with regular cybersecurity awareness training and phishing simulation exercises. Our final story today involves what may be one of the most consequential cloud security near misses of the decade. Security researchers at Wiz disclosed a vulnerability in AWS CodeBuild, dubbed CodeBreach, that could have allowed attackers to take over AWS-managed GitHub repositories, including the AWS JavaScript SDK, a core component used by the AWS console and countless cloud applications. The issue stemmed from a subtle misconfiguration in the CI/CD webhook filters. Missing just two characters in a regular expression, also known as a regex, meant attackers could bypass restrictions, trigger privileged builds, and extract highly privileged GitHub admin tokens directly from AWS's own build environments. With that level of access, attackers could have injected malicious code into trusted AWS SDKs, creating a platform-wide supply chain compromise that researchers say could have put every single AWS account on the planet at risk. Wiz demonstrated how predictable GitHub user IDs could be generated to exploit the flaw, enabling full administrative control over the affected repositories. AWS remediated the issue within days of disclosure in August 2025, rotated credentials, audited its build pipelines and added additional safeguards. The company says it found no evidence of exploitation in the wild. Still, the significance here is the scale of the potential impact. This wasn't a customer misconfiguration; it was a weakness in the core machinery that runs AWS itself.
Across today's stories, the theme is pretty consistent: authentication failures, patch quality problems, trusted systems abused, and in one case, a small, single overlooked detail that could have reshaped how the global cloud works for the worse. Cyber risk today isn't just about individual breaches. It's about systemic fragility and how small failures could cascade at enormous scale, whether that's attacks on critical infrastructure like power plants or bringing down an entire cloud environment. That's it for Cybersecurity Today for Monday, January 26th. I'm David Shipley. Stay safe, stay informed, and Jim Love will be back on the news desk on Wednesday. A reminder: if you enjoy the show, please tell others, consider leaving us a review, and remember to like and subscribe. We'd love to reach even more people and we continue to need your help. Thanks for listening.
