Episode Overview
Podcast: Cybersecurity Today
Host: David Shipley (filling in for Jim Love)
Episode: AWS Flaw Could Have Put Every Account At Risk
Date: January 26, 2026
In this episode, David Shipley delivers urgent updates on emerging cyber threats, focusing on systemic vulnerabilities with widespread implications. The main theme centers on how authentication gaps, poor patch quality, phishing targeting trusted systems, and a major cloud supply chain vulnerability continue to expose businesses to risk. The most impactful story details a flaw in AWS CodeBuild that could have compromised every AWS account globally—a close call with potentially catastrophic consequences.
Key Discussion Points & Insights
1. Fortinet SSO Authentication Bypass Still Exploited (00:21 – 03:40)
- A critical vulnerability (CVE-2025-59718) in Fortinet's FortiCloud single sign-on (SSO) continues to be exploited, even after initial patches.
- Attackers bypass authentication using crafted SAML messages, enabling them to create new admin accounts, activate VPN access, and extract firewall configs in seconds.
- Arctic Wolf reports the campaign started January 15th, referencing almost identical tactics used after the flaw’s December disclosure.
- Fortinet has acknowledged that attackers found a new attack path that works against systems with the December patch applied.
- Per the episode, the weakness lies in the SAML-based SSO handling itself, not only in the FortiCloud SSO feature.
- Interim advice: restrict administrative access to trusted source IPs, disable FortiCloud SSO login on affected devices, and rotate credentials if compromise is suspected.
- Scale: Nearly 11,000 Fortinet devices remain exposed online.
- No final patch timeline announced.
Memorable Moment:
“Attackers created new administrative accounts, enabled VPN access, and exported firewall configurations within seconds, pointing to automated exploitation.” — David Shipley (01:22)
2. Windows 11 Update Causing Boot Failures (03:41 – 05:12)
- Microsoft's January Patch Tuesday update (KB5074109) is causing some Windows 11 systems to fail to boot with an "unmountable boot volume" error.
- The issue affects Windows 11 25H2 and some editions of 24H2, and has been reported only on physical hardware, not virtual machines.
- Affected machines do not recover on their own; administrators must repair them manually before they boot normally.
- Microsoft is investigating whether the patch introduced a regression and is soliciting diagnostics via the Feedback Hub.
- An out-of-band update was also issued for an unrelated problem: Outlook freezing when PST files are stored in cloud-synced locations.
- A run of patch-quality regressions through 2025 and into 2026 is eroding administrators' willingness to apply Microsoft updates promptly.
Notable Quote:
“It’s hard to convince systems administrators to patch quickly when mistakes like this keep happening more frequently.” — David Shipley (05:05)
3. Sandworm Cyberattack on Poland’s Power Grid (05:13 – 06:41)
- A failed cyberattack on Poland’s energy sector linked to Russia’s Sandworm group.
- The attack (Dec 29–30, 2025) used a previously unseen data-wiping malware, "Dynowiper".
- Targets: two combined heat and power plants and a renewables management system.
- No widespread outages, but shows constant threat to critical infrastructure.
- Sandworm’s history includes Ukraine’s 2015 power grid attack and recent destructive campaigns in 2025.
- Details on Dynowiper and attack vectors remain scarce.
Quote:
“This attack occurs while Canada in particular continues to struggle to update its critical infrastructure security laws.” — David Shipley (06:33)
4. Advanced Phishing Attacks Targeting the Energy Sector (06:42 – 08:06)
- Microsoft warns of massive phishing and business email compromise campaigns using “Adversary-in-the-Middle” (AitM) tactics.
- Attackers leverage compromised trusted accounts, sending phishing emails mimicking SharePoint notifications.
- Targets are redirected to an attacker-controlled proxy posing as the login portal; it relays the real sign-in and captures both the credentials and the resulting session cookie, so MFA is satisfied once and then bypassed.
- Attackers set up inbox rules to hide evidence (for example, auto-deleting replies, bounces and warnings), then launch internal and external phishing from the compromised mailbox.
- Example: Over 600 phishing emails from a single compromised inbox.
- Remediation: revoke active sessions, remove attacker rules, undo unauthorized MFA changes, train staff continuously.
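The inbox-rule step above is the one defenders can hunt for directly. The following Python is an added example, not code from the podcast or from Microsoft: it scans constructed records modelled on Exchange Online unified audit log entries for the New-InboxRule operation (the field names follow that schema; the users, rule names, timestamps and the tenant domain example.com are invented) and flags the patterns AitM operators typically leave behind: near-empty rule names, filters on security-related words, deletion, moves to rarely viewed folders, and forwarding outside the tenant.

```python
import json

# Constructed sample records, modelled on Exchange Online unified audit log
# entries for the New-InboxRule operation (the field names follow that schema;
# the users, rule names and timestamps are invented for this example).
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2026-01-20T09:14:02","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"password;phishing;suspicious;hacked"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-01-20T09:15:40","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Archive RSS"},{"Name":"From","Value":"postmaster@example.com"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"CreationTime":"2026-01-20T11:02:11","Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Vendor invoices"},{"Name":"From","Value":"billing@vendor.example"},{"Name":"MoveToFolder","Value":"Invoices"}]}
{"CreationTime":"2026-01-20T11:30:00","Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"fwd"},{"Name":"ForwardTo","Value":"c.backup@mail-example.net"}]}
"""

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for this example
# Words attackers commonly filter so the victim never sees warnings or replies.
SUSPECT_WORDS = ("password", "phish", "hack", "suspicious", "fraud", "wire", "payment")
# Folders where moved mail is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}


def rule_parameters(record: dict) -> dict:
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_reasons(record: dict) -> list[str]:
    """Return the reasons a New-InboxRule record looks like post-compromise
    evidence hiding; an empty list means the rule looks benign."""
    p = rule_parameters(record)
    reasons = []
    name = p.get("Name", "").strip()
    if len(name) <= 3:
        reasons.append(f"short or empty rule name {name!r}")
    words = (p.get("SubjectOrBodyContainsWords", "") + ";"
             + p.get("SubjectContainsWords", "")).lower()
    hits = [w for w in SUSPECT_WORDS if w in words]
    if hits:
        reasons.append("filters on security-related words: " + ", ".join(hits))
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {p['MoveToFolder']!r}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key, "")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{key} sends mail outside the tenant: {target}")
    return reasons


def suspicious_rules(audit_log_text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records and return the flagged rules
    in log order, each with the user, rule name, time and reasons."""
    flagged = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") != "New-InboxRule":
            continue
        reasons = rule_reasons(record)
        if reasons:
            flagged.append({"user": record["UserId"],
                            "rule": rule_parameters(record).get("Name", ""),
                            "time": record["CreationTime"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{hit['time']} {hit['user']} rule={hit['rule']!r}: "
              + "; ".join(hit["reasons"]))
```

On the constructed sample, alice's two rules and carol's forwarder are flagged while bob's ordinary vendor-invoice rule is not. In a real tenant the same heuristics should be paired with the sign-in records for the same user around the rule's creation time, since a rule created minutes after a login from an unfamiliar network is the strongest AitM signal.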
5. Main Story: AWS CodeBuild “CodeBreach” Vulnerability – A Close Call for Global Cloud Security (08:07 – 10:27)
- Wiz researchers found a logic flaw ("CodeBreach") in the filters AWS CodeBuild uses to decide which GitHub repository events may trigger a build, rooted in a two-character mistake in a regular expression.
- Attackers could trigger privileged builds of AWS's own repositories and read the GitHub token those builds held, which carried admin-level rights on the repositories.
- Worst case: malicious code injected into AWS SDKs such as the JavaScript SDK, which the AWS Console itself and a large share of cloud applications load, giving a single commit enormous reach.
- The flaw would have enabled a platform-wide supply chain attack, "putting every single AWS account on the planet at risk."
- Exploit method: the broken regex matched more GitHub user IDs than the one it was meant to allow; because GitHub assigns user IDs sequentially, an attacker could predict which IDs would pass the filter, register matching accounts, and trigger the privileged build.
- AWS responded within days, rotated the exposed credentials, audited its pipeline, and found no sign of exploitation.
- Takeaway: the flaw was in AWS's own build pipeline, not a customer misconfiguration, so no customer-side control could have prevented it.
Quote:
“With that level of access, attackers could have injected malicious code into trusted AWS SDKs, creating a platform-wide supply chain compromise that researchers say could have put every single AWS account on the planet at risk.” — David Shipley (09:42)
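The filter mistake is easy to picture in code. The following Python is an added example, not code from Wiz, AWS or the podcast: it models a webhook filter as a regular expression matched against a GitHub actor's numeric ID, and assumes (consistent with the "two-character" description, but an assumption here) that the missing characters were the ^ and $ anchors, so the pattern matched as a substring. The trusted ID 123456 and the ID ranges scanned are constructed values.

```python
import re

# Constructed values: the GitHub numeric user ID the build's webhook filter is
# meant to trust, and starting points for the sequential IDs GitHub assigns to
# new accounts. Both are hypothetical and chosen only for illustration.
TRUSTED_ACTOR_ID = "123456"

# Assumed shape of the flawed and the corrected filter. CodeBuild webhook
# filters are regular expressions matched against event fields such as the
# actor's account ID; the two-character mistake is modelled here as the missing
# ^ and $ anchors, which is an assumption consistent with the episode's description.
UNANCHORED_FILTER = TRUSTED_ACTOR_ID
ANCHORED_FILTER = "^" + TRUSTED_ACTOR_ID + "$"


def filter_accepts(pattern: str, actor_id: str) -> bool:
    """Model the filter: the webhook event is accepted when the regular
    expression matches anywhere in the actor's numeric ID. re.search is the
    point: without anchors, a substring match is enough to pass."""
    return re.search(pattern, actor_id) is not None


def next_colliding_id(trusted: str, start: int) -> int:
    """Smallest account ID >= start that the unanchored filter accepts although
    it is not the trusted account: the ID an attacker who can predict GitHub's
    sequential account numbers would wait for and register."""
    n = start
    while not (str(n) != trusted and filter_accepts(trusted, str(n))):
        n += 1
    return n


def colliding_ids(trusted: str, start: int, count: int) -> list[str]:
    """All IDs in [start, start + count) that pass the unanchored filter
    without being the trusted ID."""
    return [str(n) for n in range(start, start + count)
            if str(n) != trusted and filter_accepts(trusted, str(n))]


def anchored_colliding_ids(trusted: str, start: int, count: int) -> list[str]:
    """The same scan against the corrected, anchored filter; demonstrates the fix."""
    pattern = "^" + trusted + "$"
    return [str(n) for n in range(start, start + count)
            if str(n) != trusted and filter_accepts(pattern, str(n))]


if __name__ == "__main__":
    impostor = next_colliding_id(TRUSTED_ACTOR_ID, 1_000_000)
    print("first impostor ID at or above 1,000,000:", impostor)
    print("unanchored filter accepts it:", filter_accepts(UNANCHORED_FILTER, str(impostor)))
    print("anchored filter accepts it:  ", filter_accepts(ANCHORED_FILTER, str(impostor)))
    print("unanchored collisions in 1234560..1234569:",
          colliding_ids(TRUSTED_ACTOR_ID, 1_234_560, 10))
    print("anchored collisions in the same range:   ",
          anchored_colliding_ids(TRUSTED_ACTOR_ID, 1_234_560, 10))
```

Run stand-alone, the script shows that 1123456 is the first impostor ID above one million and that every ID from 1234560 to 1234569 slips through the unanchored filter, while the anchored filter accepts none of them. That is why ID predictability matters: once an attacker knows the trusted ID and roughly where GitHub's counter stands, they can register accounts in bursts when the counter is about to pass a run of matching numbers, and any one of those accounts is enough to trigger the privileged build.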
Themes & Takeaways (10:28 – 10:54)
- The episode illustrates a pattern: failures in authentication, declining patch reliability, exploitation of trust, and the outsize threat of minute mistakes in cloud infrastructure.
- Systemic cyber risk is increasing—it’s not just one company’s problem, but potentially an industry or global one.
- “Small, single overlooked detail that could have reshaped how the global cloud works for the worse.” (10:39)
- Shipley underscores that cyber risk goes beyond “individual breaches. It’s about systemic fragility and how small failures could cascade at enormous scale…”
Notable Quotes & Timestamps
- Fortinet flaw impact:
“Attackers created new administrative accounts, enabled VPN access, and exported firewall configurations within seconds…” (01:22)
- Patch trust issues:
“It’s hard to convince systems administrators to patch quickly when mistakes like this keep happening more frequently.” (05:05)
- Critical infrastructure threat:
“This attack occurs while Canada in particular continues to struggle to update its critical infrastructure security laws.” (06:33)
- AWS near-miss:
“...could have put every single AWS account on the planet at risk.” (09:43)
- Systemic risk:
“It’s about systemic fragility and how small failures could cascade at enormous scale, whether that’s attacks on critical infrastructure like power plants or bringing down an entire Cloud Environment.” (10:44)
Important Segments & Timestamps
- Fortinet Auth Bypass Flaw: 00:21 – 03:40
- Windows 11 Patch Issues: 03:41 – 05:12
- Sandworm Poland Grid Attack: 05:13 – 06:41
- Advanced Energy Sector Phishing: 06:42 – 08:06
- AWS “CodeBreach” Vulnerability: 08:07 – 10:27
- Closing Analysis & Takeaways: 10:28 – 10:54
Tone & Style
Shipley delivers the news in a direct, urgent, and pragmatic style, balancing technical detail with real-world implications. He highlights the scale of the threats while offering actionable precautions, and repeatedly circles back to the systemic, not merely individual, nature of today’s cyber risks.
Summary prepared for those looking to understand the latest high-impact cybersecurity threats and what they mean for businesses, IT teams, and anyone depending on cloud infrastructure.
