AI-Powered Attacks Surge 70%: Check Point's 2026 Report Reveals the New Threat Reality IT Leaders Must Confront
The numbers are in, and they're sobering. Check Point Software's 2026 Cyber Security Report, released January 28, confirms what many IT leaders have suspected: artificial intelligence has fundamentally shifted the threat landscape in favor of attackers, including nation-states and organized cybercriminal groups. With organizations now facing an average of 1,968 attacks per week—a 70% increase since 2023—the question is no longer whether AI-powered threats will impact your organization, but how prepared you are when they do.
The Check Point 2026 Report: Key Findings That Demand Attention
Check Point's 14th annual analysis reveals that AI is driving one of the fastest security shifts the industry has experienced. Capabilities once limited to nation-state actors and well-funded criminal organizations are now widely accessible, enabling more personalized, coordinated, and scalable attacks against organizations of every size.
AI Risk Metrics That Matter
During a three-month analysis period, 89% of organizations encountered risky AI prompts, with approximately one in every 41 prompts classified as high risk. This statistic underscores the dual-edged nature of AI adoption. While organizations rush to leverage AI for competitive advantage, they simultaneously expose new attack surfaces that threat actors are eager to exploit.
A review of approximately 10,000 Model Context Protocol (MCP) servers found security vulnerabilities in 40% of them. As organizations integrate AI into business workflows, these foundational weaknesses create opportunities for attackers to poison data, manipulate outputs, and compromise decision-making processes.
Ransomware Fragmentation Accelerates
The ransomware ecosystem has undergone significant structural change. Rather than consolidating around major players, the landscape has decentralized into smaller, specialized groups. This fragmentation contributed to a 53% year-over-year increase in extorted victims and a 50% rise in new ransomware-as-a-service (RaaS) operations.
The operational implications are significant: smaller groups move faster, adapt more quickly to defensive measures, and collectively apply greater pressure on security teams. Qilin emerged as December's most active ransomware operator, responsible for 18% of published attacks—evidence that well-organized RaaS operations continue to attract affiliates and expand their victim base.
Critical Vulnerabilities Under Active Exploitation
While the Check Point report provides strategic context, this week also brought immediate tactical concerns that demand rapid response. Addressing these vulnerabilities now is crucial to maintaining your organization's security posture and avoiding costly breaches.
WordPress Modular DS Plugin: CVSS 10.0 Admin Takeover
A maximum-severity vulnerability (CVE-2026-23550) in the WordPress Modular DS plugin is under active exploitation. With a CVSS score of 10.0 and over 40,000 active installations, this unauthenticated privilege escalation flaw allows attackers to gain full administrator access without any credentials or user interaction.
According to Patchstack, the vulnerability stems from a combination of direct route selection, authentication bypass mechanisms, and automatic admin login functionality. Attackers have been actively exploiting this flaw since January 13, targeting the plugin's login API from known malicious IP addresses (45.11.89[.]19 and 185.196.0[.]11).
Organizations running WordPress infrastructure should immediately verify whether the Modular DS plugin is installed across their environment using inventory tools or manual checks, and update to version 2.5.2 or later. Additionally, deploying Web Application Firewall (WAF) rules to block suspicious requests to /api/modular-connector/login/ can provide an extra layer of protection while patching is underway.
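The two checks in that paragraph, an installed-version comparison and a look for traffic to the plugin's login API, are easy to script. The following Python is an added example written for this article; it is not code from Patchstack, the plugin vendor, or the Check Point report. The access-log lines are constructed for the example (combined log format, RFC 5737 documentation addresses for the benign hosts), and the two flagged source addresses are the ones the article quotes, refanged from their bracketed form. Function names and the 2.5.2 threshold handling are assumptions of this example.

```python
import re

# Source IPs named in the article, written defanged there as 45.11.89[.]19 and 185.196.0[.]11.
KNOWN_BAD_IPS = {"45.11.89.19", "185.196.0.11"}
# Plugin login API path from the article; compared without its trailing slash so
# "/api/modular-connector/login" and sub-paths are caught as well.
TARGET_PATH = "/api/modular-connector/login/".rstrip("/")
FIXED_VERSION = (2, 5, 2)  # first patched release per the article

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
45.11.89.19 - - [28/Jan/2026:10:02:15 +0000] "POST /api/modular-connector/login/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [28/Jan/2026:10:03:40 +0000] "POST /api/modular-connector/login/ HTTP/1.1" 200 310 "-" "curl/8.4.0"
185.196.0.11 - - [28/Jan/2026:10:04:01 +0000] "GET /api/modular-connector/login/?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jan/2026:10:05:22 +0000] "GET /index.php HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def flag_login_api_requests(log_text):
    """Return (ip, status, reason) for every request that reached the plugin login API.

    Requests from the article's two source addresses are tagged 'known-bad-ip';
    any other request to the path is tagged 'login-api-request' for review.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].rstrip("/").startswith(TARGET_PATH):
            continue
        reason = "known-bad-ip" if rec["ip"] in KNOWN_BAD_IPS else "login-api-request"
        hits.append((rec["ip"], rec["status"], reason))
    return hits


def count_by_ip(hits):
    """Aggregate flagged requests per source address."""
    counts = {}
    for ip, _status, _reason in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def parse_version(version):
    """Turn '2.5.2' into a comparable tuple (2, 5, 2)."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(installed_version):
    """True when the installed Modular DS version is older than the 2.5.2 fix."""
    return parse_version(installed_version) < FIXED_VERSION


if __name__ == "__main__":
    for hit in flag_login_api_requests(SAMPLE_LOG):
        print(hit)
    print(count_by_ip(flag_login_api_requests(SAMPLE_LOG)))
    print("2.4.9 needs update:", needs_update("2.4.9"))
```

Feed it the web server's real access log and the version string from the plugin's header or the WordPress admin plugin list; any hit tagged `login-api-request` from an unrecognised address is worth the same scrutiny as the two known ones, since the article notes the exploitation campaign started on January 13 and address lists age quickly.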
VMware vCenter: 18-Month-Old Flaw Now Confirmed Exploited
CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities catalog on January 23, confirming in-the-wild exploitation of a critical heap overflow vulnerability in VMware vCenter Server. Despite being patched in June 2024—over 18 months ago—this CVSS 9.8 flaw is now actively weaponized against organizations that delayed remediation.
The vulnerability enables unauthenticated remote code execution through the DCERPC protocol implementation, requiring no authentication and minimal attack complexity. Federal agencies face a February 13, 2026, remediation deadline, but private-sector organizations should treat it with equal urgency.
Broadcom has confirmed that no workarounds exist for this vulnerability—patching is the only effective remediation. Organizations unable to patch immediately must implement strict network segmentation to restrict access to vCenter Server management interfaces.
n8n Workflow Automation: RCE Through Eval Injection
In a previous article, I mentioned the n8n workflow automation platform, which is increasingly popular for business process automation, and disclosed CVE-2026-21858 with a CVSS score of 10.0. This eval injection vulnerability allows authenticated users to bypass protections and achieve remote code execution—a significant risk for organizations that have integrated n8n into production workflows.
As organizations expand their automation footprints with platforms like n8n, vulnerabilities such as CVE-2026-21858 can lead to remote code execution, risking widespread disruption. A compromised automation system could impact critical business processes, data integrity, and operational continuity, underscoring the need for prompt remediation and robust security controls.
Practical Recommendations for IT Leaders
Based on this week's developments, security teams should prioritize several immediate and strategic actions.
Immediate Response (24-48 Hours)
First, audit WordPress installations for the Modular DS plugin and apply patches to version 2.5.2 or later. Second, verify the patch status of VMware vCenter Server and remediate any systems still running vulnerable versions from June 2024. Third, review n8n installations and ensure the platform is updated to address CVE-2026-21858. Fourth, implement network-level controls to restrict access to vulnerable management interfaces.
Strategic Initiatives (30-90 Days)
Organizations should establish AI usage governance frameworks that provide visibility into both sanctioned and shadow AI deployments. Implementing prompt logging and monitoring for high-risk AI interactions helps identify potential data leakage or misuse before it becomes a breach. Building such governance can empower IT leaders to feel more in control of emerging AI risks.
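To make the "prompt logging and monitoring" recommendation concrete, here is an added Python example (written for this article, not taken from the Check Point report or any vendor product) that classifies prompts before they are written to an audit log: secrets and card numbers mark a prompt high risk, contact and internal-host details mark it medium, and high-risk matches are redacted so the log itself does not become a second copy of the leaked data. The detector patterns, risk tiers, sample prompts and function names are all assumptions of this example; the only page-derived idea is that high-risk prompts should be measured as a share of all prompts.

```python
import re

# Assumed high-risk detectors: material that should never leave the organisation.
HIGH_RISK_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}
# Assumed medium-risk detectors: information that warrants review but not a block.
MEDIUM_RISK_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "internal_host": re.compile(r"\b[\w-]+\.(?:corp|internal|local)\b"),
}
# Candidate card numbers: 13-19 digits with optional spaces or hyphens; confirmed by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(number):
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_prompt(text):
    """Return (risk_level, reasons) for one prompt."""
    reasons = [name for name, rx in HIGH_RISK_PATTERNS.items() if rx.search(text)]
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        reasons.append("card_number")
    if reasons:
        return "high", reasons
    reasons = [name for name, rx in MEDIUM_RISK_PATTERNS.items() if rx.search(text)]
    return ("medium" if reasons else "low"), reasons


def redact(text):
    """Replace high-risk matches so the audit log never stores the secret itself."""
    for name, rx in HIGH_RISK_PATTERNS.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    return CARD_RE.sub(
        lambda m: "[REDACTED:card_number]" if luhn_valid(m.group()) else m.group(), text
    )


def audit_prompts(prompts):
    """Classify (user, prompt) pairs; return the log records and the high-risk share."""
    records, high = [], 0
    for user, text in prompts:
        level, reasons = classify_prompt(text)
        high += level == "high"
        records.append({"user": user, "risk": level, "reasons": reasons, "prompt": redact(text)})
    return records, (high / len(prompts) if prompts else 0.0)


# Constructed sample prompts for the example (hypothetical users, no real data).
SAMPLE_PROMPTS = [
    ("alice", "Summarize the attached quarterly report for me."),
    ("bob", "Here is my config, why does it fail? password=Sup3rSecret!"),
    ("carol", "Draft an email to partner@example.com about the rollout."),
    ("dave", "Is this card number valid: 4111 1111 1111 1111?"),
]

if __name__ == "__main__":
    records, ratio = audit_prompts(SAMPLE_PROMPTS)
    for r in records:
        print(r)
    print(f"high-risk share: {ratio:.0%}")
```

Run against a real prompt feed, the `ratio` is the figure to track over time; the report's one-in-41 baseline gives you a rough external reference point, and a sudden rise usually means a new tool or team has started pasting production material into prompts.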
Security teams should also evaluate their detection capabilities against AI-augmented attacks. Traditional signature-based detection struggles against personalized, AI-generated phishing content and dynamically generated malware. Behavioral analytics and anomaly detection become increasingly critical.
Finally, reassess ransomware response plans in light of the fragmented threat landscape. Smaller, faster attack groups mean shorter dwell times and increased operational pressure—incident response procedures must account for accelerated timelines.
Common Mistakes to Avoid
Several patterns consistently undermine organizational security posture in the current threat environment.
Treating patch management as optional represents the most fundamental failure. The VMware vCenter exploitation confirms that 18-month-old vulnerabilities remain attractive targets. Attackers systematically scan for known vulnerabilities precisely because many organizations fail to remediate them.
Underestimating WordPress security risks leaves organizations exposed. Many enterprises view WordPress as "just a marketing site" and deprioritize its security. However, a compromised WordPress installation provides attackers with a foothold in corporate infrastructure, opportunities for watering-hole attacks, and potential paths for lateral movement.
Ignoring AI security governance creates invisible risks. Organizations racing to adopt AI often bypass security review processes, creating shadow deployments that expose sensitive data through unmonitored channels.
Assuming MFA solves authentication challenges oversimplifies the problem. While multi-factor authentication remains essential, sophisticated attackers increasingly employ real-time techniques to intercept and replay authentication tokens. Defense-in-depth must extend beyond MFA alone.
Framework for AI-Era Security
The Check Point report emphasizes that defending against AI-driven threats requires rethinking security architecture rather than simply accelerating existing approaches. Consider organizing your security program around four pillars.
The first pillar addresses visibility. Map all AI deployments across your environment, including sanctioned tools, shadow IT, and AI-powered capabilities embedded in existing applications. You cannot secure what you cannot see.
The second pillar focuses on velocity. AI enables attackers to move faster—your detection and response capabilities must keep pace. Evaluate mean time to detect (MTTD) and mean time to respond (MTTR) metrics against realistic AI-augmented attack scenarios.
The third pillar encompasses validation. Continuous security validation through red team exercises, attack simulations, and penetration testing ensures defensive measures perform as expected against current threats, not last year's attack techniques.
The fourth pillar emphasizes vulnerability management. The VMware exploitation demonstrates that known vulnerabilities remain attractive targets. Mature vulnerability management, with clear SLAs for critical, high, medium, and low-severity findings, prevents attackers from exploiting well-documented weaknesses.
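"Clear SLAs for critical, high, medium, and low-severity findings" only help if something computes, every day, which findings have blown through them. The Python below is an added example written for this article (not a tool from the Check Point report, CISA or any scanner vendor): it maps a CVSS score to the standard v3.x qualitative bands, applies a per-severity remediation window, and lists breached findings with the number of days overdue. The SLA windows, the `as_of` date and the sample inventory are assumptions; the three CVE identifiers are the ones discussed in the article, and their `first_seen` dates are constructed, not real detection dates.

```python
from datetime import date, timedelta

# Assumed remediation policy in days per severity band (example values, not from the report).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_from_cvss(score):
    """CVSS v3.x qualitative rating bands (None / Low / Medium / High / Critical)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Constructed sample inventory of open findings; asset names and dates are hypothetical.
FINDINGS = [
    {"asset": "vcenter-01", "id": "CVE-2024-37079", "cvss": 9.8, "first_seen": date(2024, 7, 1)},
    {"asset": "www-01", "id": "CVE-2026-23550", "cvss": 10.0, "first_seen": date(2026, 1, 20)},
    {"asset": "auto-01", "id": "CVE-2026-21858", "cvss": 10.0, "first_seen": date(2026, 1, 27)},
    {"asset": "app-02", "id": "EXAMPLE-MEDIUM-1", "cvss": 5.3, "first_seen": date(2025, 12, 1)},
]


def sla_status(finding, as_of):
    """Attach severity, due date and overdue count to one finding; None if untracked."""
    severity = severity_from_cvss(finding["cvss"])
    if severity not in SLA_DAYS:
        return None
    due = finding["first_seen"] + timedelta(days=SLA_DAYS[severity])
    overdue = (as_of - due).days
    return {
        **finding,
        "severity": severity,
        "due": due,
        "days_overdue": max(overdue, 0),
        "breached": overdue > 0,
    }


def sla_report(findings, as_of):
    """All tracked findings, most overdue first, then by earliest due date."""
    rows = [r for r in (sla_status(f, as_of) for f in findings) if r is not None]
    rows.sort(key=lambda r: (-r["days_overdue"], r["due"]))
    return rows


def breached_findings(findings, as_of):
    """Only the findings whose SLA window has already passed."""
    return [r for r in sla_report(findings, as_of) if r["breached"]]


if __name__ == "__main__":
    today = date(2026, 1, 30)  # assumed report date for the example
    for row in sla_report(FINDINGS, today):
        flag = "BREACHED" if row["breached"] else "ok"
        print(f'{row["asset"]:<11} {row["id"]:<18} {row["severity"]:<8} due {row["due"]} '
              f'{row["days_overdue"]:>4}d overdue  {flag}')
```

The point the VMware case makes is visible in the output: a critical finding first seen in mid-2024 against a seven-day window is hundreds of days overdue, and a report like this makes that number impossible to ignore in a weekly review, which is what turns a written SLA into an enforced one.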
The Strategic Imperative
The Check Point 2026 report confirms what security professionals have observed throughout 2025: AI has lowered the barrier to entry for sophisticated attacks while simultaneously expanding the attack surface organizations must defend. The 70% increase in weekly attacks reflects not just more threat actors, but also more capable ones operating with unprecedented efficiency.
For CISOs and IT Directors, the strategic response requires an honest assessment of current capabilities against this evolved threat landscape. Many organizations will find gaps between their security programs and the requirements of AI-era defense—gaps that require investment, expertise, and sustained attention to address.
Take Action Now
The convergence of AI-powered threats and actively exploited vulnerabilities demands immediate attention and strategic planning. If your organization needs support assessing AI security risks, remediating critical vulnerabilities, or developing incident response capabilities aligned with current threats, specialized expertise can accelerate your security maturity.
Sources
- Check Point 2026 Cyber Security Report Press Release
- Check Point Blog: Trends Defining Cyber Security in 2026
- The Hacker News: WordPress Modular DS Plugin Flaw
- BleepingComputer: Modular DS Admin Access Exploit
- CISA Alert: VMware vCenter Vulnerability
- BleepingComputer: VMware RCE Flaw Actively Exploited
- The Register: VMware vCenter Server Bug Under Attack
- GlobeNewswire: Check Point 2026 Report