Stay Ahead of Threats with the Latest Vulnerability Updates for February
Stay up to date on critical cyber risks, Microsoft’s February Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 59 vulnerabilities disclosed
– 5 rated Critical, 6 zero-days (all 6 actively exploited, 3 also publicly disclosed)
- High-Severity Advisories from Major Vendors:
– Adobe: 44 vulnerabilities patched across 9 products
– Cisco: 2 high-severity flaws, affecting Cisco Meeting Management, Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software
– Fortinet: 2 high-severity flaws in FortiSandbox and FortiOS
– SAP: 2 critical vulnerabilities in SAP NetWeaver Application Server, SAP CRM and SAP S/4HANA
– Ivanti: 2 high-severity flaws in Ivanti Endpoint Manager (EPM)
- Top Threats to Watch:
– State‑linked impersonation and infiltration campaigns, including DPRK operatives using stolen LinkedIn identities to gain corporate access.
– Multi‑stage adversary‑in‑the‑middle (AiTM) phishing & BEC operations, particularly those abusing SharePoint and session-cookie theft for lateral expansion.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
- Continued support requires either:
– Enrolling in Microsoft’s paid ESU program, or
– Upgrading to Windows 11
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft February 2026 Patch Tuesday
59 vulnerabilities disclosed, including 5 critical and 6 zero-days. By category:
- 23 Elevation of Privilege
- 13 Remote Code Execution
- 7 Spoofing
- 6 Information Disclosures
- 6 Security Feature Bypass
- 3 Denial of Service
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero-Days
| CVE-ID | Details | Severity | Exploited? |
| --- | --- | --- | --- |
| CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | Important | Yes, also publicly disclosed |
| CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability | Important | Yes, also publicly disclosed |
| CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability | Important | Yes, also publicly disclosed |
| CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability | Important | Yes |
| CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Important | Yes |
| CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability | Moderate | Yes |
Other Critical CVEs Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
| --- | --- | --- | --- |
| CVE-2026-21522 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-23655 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Critical | No |
| CVE-2016-9535 | MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability | Critical | No |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-21531 | Azure SDK for Python Remote Code Execution Vulnerability | Critical | No |
Microsoft February 2026 Security Update Release
3rd Party Critical CVEs Worth Mentioning
Adobe Products *
| Affected Product | CVE-ID(s) | Critical Issues | Key Risks |
| --- | --- | --- | --- |
| Adobe Audition | CVE-2026-21312 | 1 Critical | Arbitrary code execution |
| Adobe After Effects | CVE-2026-21318, CVE-2026-21320, CVE-2026-21321, CVE-2026-21322, CVE-2026-21323, CVE-2026-21324, CVE-2026-21325, CVE-2026-21326, CVE-2026-21327, CVE-2026-21328, CVE-2026-21329, CVE-2026-21330, CVE-2026-21351 | 13 Critical | Arbitrary code execution |
| Adobe InDesign | CVE-2026-21357 | 1 Critical | Arbitrary code execution |
| Adobe Substance 3D Designer | CVE-2026-21334, CVE-2026-21335 | 2 Critical | Arbitrary code execution |
| Adobe Substance 3D Stager | CVE-2026-21341, CVE-2026-21342, CVE-2026-21343, CVE-2026-21344, CVE-2026-21345 | 5 Critical | Arbitrary code execution |
| Adobe Bridge | CVE-2026-21346, CVE-2026-21347 | 2 Critical | Arbitrary code execution |
| Lightroom Classic | CVE-2026-21349 | 1 Critical | Arbitrary code execution |
| Adobe DNG Software Development Kit (SDK) | CVE-2026-21349, CVE-2026-21352, CVE-2026-21353 | 3 Critical | Arbitrary code execution |
Cisco *
| Affected Product | CVE-ID(s) | Description | Severity | Exploited? |
| --- | --- | --- | --- | --- |
| Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software | CVE-2026-20119 | A vulnerability in the text rendering subsystem could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | High | No |
| Cisco Meeting Management | CVE-2026-20098 | A vulnerability in the Certificate Management feature could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. | High | No |
Fortinet *
| Affected Product | CVE-ID | Description | Severity | Exploited? |
| --- | --- | --- | --- | --- |
| FortiSandbox | CVE-2025-52436 | An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability may allow an unauthenticated attacker to execute commands via crafted requests. | High | No |
| FortiOS | CVE-2026-22153 | An Authentication Bypass by Primary Weakness vulnerability may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configurations. | High | No |
Ivanti *
| Affected Product | CVE-ID(s) | Description | Severity | Exploited? |
| --- | --- | --- | --- | --- |
| Ivanti Endpoint Manager (EPM) | CVE-2026-1602 CVE-2026-1603 | Ivanti has released updates for Ivanti Endpoint Manager that address one high-severity and one medium-severity vulnerability. Successful exploitation could allow a remote authenticated attacker to leak arbitrary data or compromise user sessions. | High | No |
Ivanti February 2026 Security Update
SAP *
| Affected Component | CVE-ID | Description | Severity | Exploited? |
| --- | --- | --- | --- | --- |
| SAP NetWeaver Application Server | CVE-2026-0488 | This vulnerability allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. | Critical | No |
| SAP CRM and SAP S/4HANA | CVE-2026-0509 | An authenticated attacker could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, including the ability to execute an arbitrary SQL statement. | Critical | No |
SAP February 2026 Security Notes
Google Chrome
- Version: 145.0.7632.75/76 (Windows and Mac), 145.0.7632.75 (Linux)
- Release Date: Friday, February 13, 2026
- Key Fixes: High CVE-2026-2441 currently exploited in the wild.
* Not handled by Fortress SRM.
Threat Intelligence Trends – February 2026
The following resources are grouped by threat type / category.
Emerging Threats
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies
North Korean IT workers are using stolen or impersonated LinkedIn profiles—with verified workplace emails and identity badges—to fraudulently secure remote jobs in Western organizations. Their objectives include generating revenue for the DPRK regime and conducting espionage by gaining access to sensitive corporate systems.
Resurgence of a Multi‑Stage AiTM Phishing and BEC Campaign Abusing SharePoint
Microsoft researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise campaign targeting organizations in the energy sector, leveraging SharePoint file‑sharing services to deliver phishing payloads. The attackers used compromised trusted identities, inbox‑rule manipulation, and stolen session cookies to silently expand access across multiple organizations.
LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords
LastPass is alerting users to an active phishing campaign impersonating the service, sending emails that falsely claim urgent maintenance and instruct users to back up their vaults within 24 hours. These messages redirect victims to a phishing site designed to steal master passwords, though LastPass confirms it never asks for master passwords and is working to dismantle the malicious infrastructure.
Convincing LinkedIn Comment‑Reply Tactic Used in New Phishing Campaign
Scammers are flooding LinkedIn posts with fake “reply” comments impersonating the platform, warning users of bogus policy violations and urging them to visit phishing links that often misuse LinkedIn’s own lnkd.in URL shortener. These deceptive replies mimic LinkedIn branding and can redirect victims through multiple malicious domains designed to harvest credentials.
Ransomware & Malware Deployment
Fake 7‑Zip Downloads Are Turning Home PCs into Proxy Nodes
A lookalike 7‑Zip website is distributing a trojanized installer that secretly converts victims’ computers into residential proxy nodes, hiding behind a functional copy of the legitimate 7‑Zip program. The malware silently drops additional components (Uphero.exe, hero.exe, hero.dll) and abuses trusted channels—such as YouTube tutorials referencing the wrong download domain—to funnel users toward the malicious site.
Reynolds: Defense Evasion Capability Embedded in Ransomware Payload
A recent Reynolds ransomware campaign stood out because the payload included a bring‑your‑own‑vulnerable‑driver (BYOVD) component directly inside the ransomware itself, rather than as a separate pre‑deployment tool. The bundled vulnerable NsecSoft NSecKrnl driver enables the ransomware to kill security processes, representing an unusual but increasingly common technique for defense impairment.
Malicious Use of Virtual Machine Infrastructure
Sophos researchers uncovered that bulletproof hosting providers are abusing legitimate ISPsystem virtualization infrastructure to mass‑deploy Windows virtual machines with identical autogenerated hostnames, many of which are later used in ransomware operations and other cybercriminal activity. These templated VMs have been linked to incidents involving LockBit, Qilin, BlackCat/ALPHV, NetSupportRAT, and previously exposed Conti/TrickBot operators, illustrating how large‑scale image reuse creates cover for threat actors.
VoidLink: The Cloud‑Native Malware Framework
Check Point Research uncovered VoidLink, a highly modular cloud‑native Linux malware framework composed of custom loaders, implants, rootkits, and more than 30 plugin modules designed for long‑term, stealthy persistence in modern cloud and container environments. Written in Zig, VoidLink can detect major cloud platforms and container runtimes, harvest cloud and Git credentials, and uses extensive OPSEC features such as runtime code encryption, self‑deletion, and adaptive behavior to evade detection.
Cloud & Infrastructure Exploits
Notepad++ Infrastructure Hijacked in State‑Linked Supply Chain Attack
Notepad++ suffered an infrastructure‑level compromise in which attackers hijacked update traffic and selectively redirected targeted users to malicious update servers, enabling delivery of a custom backdoor called *Chrysalis*. The attack did not exploit Notepad++ code but stemmed from a compromised shared hosting provider, with evidence suggesting a likely state‑sponsored threat actor.
Silent Push Uncovers New Magecart Network Targeting Global Payment Providers
Silent Push researchers discovered a long‑running web‑skimming (Magecart) campaign active since at least early 2022, involving a vast network of malicious domains injecting obfuscated JavaScript into compromised e‑commerce sites. The campaign targets major payment networks—including American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay—stealing customer credit card data during checkout via fake payment forms.
AI-Driven Threats
Silent Brothers: Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails
SentinelOne and Censys uncovered an unmanaged, publicly accessible ecosystem of more than 175,000 exposed Ollama AI hosts across 130 countries, forming a shadow AI compute layer that operates outside standard monitoring and governance boundaries. Nearly half of these hosts are configured with tool‑calling capabilities—allowing code execution, API access, and system interaction—creating significant security risks as attackers can exploit them for automation, malware deployment, or large‑scale abuse.
KONNI Targets Developers With AI‑Generated PowerShell Malware
Check Point Research uncovered a North Korea–aligned KONNI phishing campaign targeting software developers and engineering teams across Japan, Australia, and India using AI‑generated PowerShell backdoors. The lures mimic legitimate blockchain‑related project documentation, signaling an effort to compromise development environments and access sensitive infrastructure, API keys, and cryptocurrency assets.
VoidLink: Early Evidence of Advanced AI‑Generated Malware
Check Point Research identified VoidLink as one of the first fully documented cases of advanced malware predominantly created through AI‑driven development, reaching a functional 88,000‑line implant in under a week. Operational security leaks exposed development artifacts—including sprint plans, specification documents, and source code—revealing that the framework was planned and built using Spec‑Driven Development, with AI generating architecture, modules, and documentation at a pace previously seen only in well‑resourced threat groups.
Recommended Actions
Mitigations
- Prioritize February Patch Tuesday updates across Windows, Office, and third‑party platforms (Adobe, Cisco, Fortinet, SAP, Ivanti). Ensure high‑severity vulnerabilities—especially the 6 Windows zero‑days—are patched immediately.
- Block and monitor impersonation risks by enforcing strong identity verification, MFA, and continuous monitoring for anomalous login patterns or new devices.
- Harden cloud and virtualization infrastructure against threats like VoidLink, ISPsystem VM abuse, and cloud‑native malware by enforcing least privilege, reviewing API keys, and monitoring for unauthorized container or VM deployments.
- Secure endpoints and browsers by restricting access to unverified download sites to prevent malware like fake 7‑Zip installers.
Monitoring
- Monitor identity platforms and email systems for indicators of AiTM activity, MFA bypass attempts, session‑cookie theft, and inbox rule manipulation.
- Watch for signs of compromised developer environments, including suspicious PowerShell execution, anomalous Git activity, or unauthorized cloud resource creation.
- Track network indicators tied to large botnets or proxy-node malware, such as unexplained outbound connections or VM instances with identical hostnames.
- Increase telemetry collection in cloud environments, focusing on unknown containers, unusual API calls, or disabled logging.
Detection Tips
- Look for MFA push fatigue patterns, unexpected MFA approvals, or sessions authenticated without corresponding MFA prompts.
- Flag AI‑generated PowerShell scripts or obfuscated command-line behavior linked to KONNI or AI‑assisted malware families.
- Detect anomalous SharePoint activity, including mass file sharing, newly created sharing links, or impersonated identities distributing files.
- Scan for BYOVD techniques, particularly attempts to load vulnerable kernel drivers such as NsecSoft NSecKrnl in ransomware deployment.
- Monitor web traffic for Magecart-like patterns, such as injected JavaScript, unauthorized payment form changes, or repeated contact with suspicious domains.
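As an added illustration of the first and third detection tips above (example code written for this page, not Fortress SRM's tooling), the script below runs two toy detections over constructed sign-in and mailbox-audit events: sessions authenticated without an MFA prompt, and inbox rules that hide or forward mail. The field names, sample events, hiding-folder list and action names are assumptions, not any product's schema.

```python
"""Toy detections for two indicators in the tips above: sessions that
authenticate without an MFA prompt (AiTM session-cookie replay) and inbox
rules that hide or forward mail (BEC). Event schema and samples are
constructed for this example, not real telemetry or any product's format."""

# Constructed sign-in events. A session replayed from a stolen cookie appears
# as a new session with no MFA claim for a user who normally satisfies MFA.
SIGNINS = [
    {"user": "alice", "session": "s1", "mfa": True, "device": "known-laptop"},
    {"user": "alice", "session": "s2", "mfa": False, "device": "unknown-host"},
    {"user": "bob", "session": "s3", "mfa": True, "device": "known-desktop"},
    {"user": "carol", "session": "s4", "mfa": False, "device": "kiosk"},
]

# Constructed mailbox-audit events, loosely shaped like New-InboxRule records.
RULE_EVENTS = [
    {"user": "alice", "name": "..", "actions": {"MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"user": "bob", "name": "Team", "actions": {"MoveToFolder": "Team"}},
    {"user": "alice", "name": "fwd", "actions": {"ForwardTo": "payments@example.net"}},
]

# Assumed lists: folders often used to park hidden mail, and actions that
# exfiltrate or destroy it. Tune both per tenant.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def sessions_without_mfa(events):
    """Session ids with no MFA for users who satisfy MFA elsewhere. Users with
    no MFA session at all (carol) are an enforcement gap, not a bypass, and
    belong in a separate report."""
    mfa_users = {e["user"] for e in events if e["mfa"]}
    return [e["session"] for e in events if not e["mfa"] and e["user"] in mfa_users]


def suspicious_inbox_rules(events):
    """(user, rule name, reason) for rules that forward/delete mail, move it
    into a hiding folder, or carry a punctuation-only name."""
    findings = []
    for e in events:
        acts = e["actions"]
        if EXFIL_ACTIONS.intersection(acts):
            findings.append((e["user"], e["name"], "forward/redirect/delete action"))
        elif acts.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            findings.append((e["user"], e["name"], "moves mail to hiding folder"))
        elif e["name"].strip() and not any(c.isalnum() for c in e["name"]):
            findings.append((e["user"], e["name"], "punctuation-only rule name"))
    return findings
```

Running both functions over the constructed events flags only alice: one session without MFA and two of her inbox rules.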
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy →