February 2026 Threat Report:

February 2026’s cyber security headlines were dominated by the sudden emergence of CVE-2026-20127, a critical-severity vulnerability in Cisco Catalyst SD-WAN. However, this month, other high-risk vulnerabilities impacting widely deployed enterprise software also opened new gaps for attackers to exploit. To effectively defend IT infrastructure, security teams need granular visibility, reliable threat intelligence for prioritization, and strong leadership for strategic decision-making. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Let’s review the highest-risk vulnerabilities in enterprise software from February 2026.

CVE-2026-1731: Ransomware Attacks Leveraging Critical BeyondTrust Flaw

CVE-2026-1731 (CVSS 9.8, EPSS ≥ 98th pctl) was published on February 6th, 2026, added to CISA’s Known Exploited Vulnerabilities (KEV) list one week later, and quickly flagged as being used in ransomware attacks. The flaw enables pre-authentication remote code execution (RCE) via OS command injection [CWE-78] in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA set an aggressive deadline of three days for civilian federal agencies to complete remediation, perhaps because RS and PRA were leveraged in the December 2024 breach of the U.S. Treasury.

The root cause is insufficient validation of the user-supplied remoteVersion value in the thin-scc-wrapper WebSocket handshake. The unsanitized value is interpolated into a Bash arithmetic evaluation, which can be abused to execute arbitrary shell commands. A PoC exploit became publicly available on February 10th, and a detailed technical write-up has reduced the burden of exploit development for adversaries. According to Hacktron, who discovered the flaw, ~11,000 affected instances were initially exposed to the internet, including ~8,500 on-prem deployments. CVE-2026-1731 has triggered numerous advisories from national CERT agencies globally [1][2][3][4][5][6][7][8][9].
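To make the injection class concrete, the following added example (not BeyondTrust’s code, and not from Hacktron’s write-up) reconstructs the pattern in a hypothetical Bash snippet and shows the allow-list validation that closes it. The field handling, variable names and the comparison threshold are assumptions chosen for illustration; the one fact the example relies on is Bash behaviour: a value such as a[$(id)] evaluated in an arithmetic context is treated as an array subscript, and the command substitution inside the subscript runs.

```python
"""
Added example: untrusted input reaching a Bash arithmetic evaluation is RCE.
The server-side snippet below is a constructed, hypothetical stand-in for the
pattern described in the advisory, not the vendor's real code.
"""
from __future__ import annotations

import re
import shutil
import subprocess

# Constructed vulnerable logic: the client-supplied version is compared with
# (( ... )), so Bash evaluates the raw string as an arithmetic expression.
VULNERABLE_BASH = r'''
remoteVersion="$1"
# VULNERABLE: an untrusted string is evaluated as arithmetic. A value such as
# a[$(id)] is parsed as an array subscript and the command substitution runs.
if (( remoteVersion >= 25 )); then echo "ok"; else echo "too old"; fi
'''

# Allow-list: a remoteVersion is a short dotted numeric string and nothing else.
VERSION_RE = re.compile(r"^[0-9]{1,4}(\.[0-9]{1,4}){0,3}$")


def is_safe_remote_version(value: str) -> bool:
    """True only for strings like '25.3.1'; rejects every shell metacharacter."""
    return bool(VERSION_RE.fullmatch(value))


def parse_version(value: str) -> tuple[int, ...]:
    """Validate first, then parse; the raw string never reaches a shell."""
    if not is_safe_remote_version(value):
        raise ValueError(f"rejected remoteVersion: {value!r}")
    return tuple(int(part) for part in value.split("."))


def version_is_at_least(value: str, minimum: tuple[int, ...]) -> bool:
    """Safe replacement for the Bash arithmetic comparison (pads so 25 == 25.0.0)."""
    parsed = parse_version(value)
    width = max(len(parsed), len(minimum))
    left = parsed + (0,) * (width - len(parsed))
    right = minimum + (0,) * (width - len(minimum))
    return left >= right


def run_vulnerable_bash(value: str) -> str:
    """Runs the constructed vulnerable snippet under bash, for demonstration only."""
    bash = shutil.which("bash")
    if bash is None:
        return "bash not available"
    result = subprocess.run([bash, "-c", VULNERABLE_BASH, "_", value],
                            capture_output=True, text=True)
    return (result.stdout + result.stderr).strip()


if __name__ == "__main__":
    # Injection payload: the subscript's command substitution executes `id`,
    # whose output lands on stderr before the "too old" verdict.
    payload = "a[$(id >&2)]"
    print("vulnerable bash output:\n", run_vulnerable_bash(payload))
    print("validator accepts payload:", is_safe_remote_version(payload))
    print("validator accepts 25.3.1:", is_safe_remote_version("25.3.1"))
```

The point of the allow-list is that there is no reliable blocklist for Bash arithmetic: parentheses, brackets, backticks and variable names are all live syntax there, so the only safe approach is to refuse anything that is not a plain dotted number and do the comparison in the calling language.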

After gaining initial access, attackers created rogue accounts, deployed web shells for RCE, installed command-and-control (C2) tools, evaded defenses via DNS tunneling, leveraged PsExec and SMB2 session-setup requests for lateral movement, and exfiltrated data including full PostgreSQL dumps [10][11]. Incident responders also noted the deployment of SparkRAT and VShell malware.

The timeline of events from disclosure to exploitation:

  • 2026-01-31: Hacktron responsibly disclosed CVE-2026-1731 to BeyondTrust.
  • 2026-02-02: BeyondTrust released patches for the affected RS and PRA products.
  • 2026-02-06: BeyondTrust published the BT26-02 advisory, and CVE-2026-1731 was published.
  • 2026-02-09: Greenbone added detection tests to the OPENVAS ENTERPRISE FEED [12][13].
  • 2026-02-10: Technical analysis and PoC exploit code became publicly available.
  • 2026-02-12: GreyNoise reported reconnaissance scanning activity, and watchTowr Threat Intelligence reported in-the-wild exploitation.
  • 2026-02-13: CISA added CVE-2026-1731 to the KEV catalog, and incident responders shared indicators of compromise (IoC) and behavioral indicators [10].
  • 2026-02-16: CISA adjusted the remediation deadline to the end of Monday, 2026-02-16.
  • 2026-02-19: Further incident reports revealed additional IoCs, TTPs, and targeted sectors and geographic regions [11].

Greenbone’s OPENVAS ENTERPRISE FEED has included remote banner checks to identify affected RS [12] and PRA [13] instances since before active exploitation of CVE-2026-1731 began. Affected versions are RS ≤ 25.3.1 and PRA ≤ 24.3.4. Patches have been available since February 2nd, 2026.

CVE-2026-22769: CVSS 10 in Dell RecoverPoint for VMs Actively Exploited

CVE-2026-22769 (CVSS 10, EPSS ≥ 97th pctl) is a new critical-severity flaw affecting Dell RecoverPoint for Virtual Machines (RP4VMs) that security analysts say has been covertly exploited since at least mid-2024. CISA added CVE-2026-22769 to its KEV list on February 28th and demanded that federal agencies apply patches within three days. The root cause is hardcoded admin credentials [CWE-798] in RP4VMs’ Apache Tomcat Manager configuration. Remote attackers with knowledge of these credentials can gain unauthorized root-level access and persistence on affected devices.

RP4VMs is a VMware-focused data protection and replication product, implemented as software components inside a VMware vSphere environment. Its architecture includes a RecoverPoint write-splitter embedded in the hypervisor and a splitter agent installed on every ESXi host.

No public PoC is known and ransomware victims have not been reported. Previous exploitation has been attributed to the UNC6201 threat actor with the goal of espionage. According to Google Threat Intelligence the Slaystyle web shell [1], Brickstorm [2][3], and a novel backdoor dubbed Grimbolt—a precompiled C# binary—were deployed in the attacks. Several countries have issued national CERT alerts [1][2][3][4][5][6][7][8].

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances. RP4VMs versions prior to 6.0.3.1 HF1 are affected. Dell has urged users to immediately upgrade to 6.0.3.1 HF1 or employ official remediation steps.

Microsoft Patch Tuesday Includes Six Actively Exploited and More

Microsoft’s February 2026 patch cycle disclosed six actively exploited vulnerabilities and classified five others as “Exploitation More Likely”. All the flaws require software updates for protection; no workarounds or mitigations are available. The new actively exploited Microsoft flaws are:

  • CVE-2026-21510 (CVSS 8.8, EPSS ≥ 86th pctl): A protection mechanism failure [CWE-693] in the Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
  • CVE-2026-21513 (CVSS 8.8, EPSS ≥ 88th pctl): A protection mechanism failure [CWE-693] in the MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
  • CVE-2026-21514 (CVSS 7.8, EPSS ≥ 84th pctl): Microsoft Office Word relies on untrusted inputs in a security decision [CWE-807], allowing an unauthorized attacker to bypass a security feature locally.
  • CVE-2026-21519 (CVSS 7.8, EPSS ≥ 84th pctl): A type confusion flaw [CWE-843] in Desktop Window Manager (dwm.exe) allows an authorized attacker to elevate privileges locally.
  • CVE-2026-21533 (CVSS 7.8, EPSS ≥ 82nd pctl): Improper privilege management [CWE-269] in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
  • CVE-2026-21525 (CVSS 6.2, EPSS ≥ 84th pctl): A NULL pointer dereference [CWE-476] in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

Aside from Microsoft’s regular patch release, two additional high-risk CVEs were disclosed out-of-band in February 2026:

  • CVE-2026-26119 (CVSS 8.8): An improper authentication flaw [CWE-287] in Windows Admin Center (WAC) allows an authorized attacker to elevate privileges over a network. If exploited, the flaw could allow a standard user to achieve full domain compromise. The flaw is not considered actively exploited but is classified as “Exploitation More Likely” by Microsoft. CVE-2026-26119 was patched in WAC version 2511, released in December 2025.
  • CVE-2026-2636 (CVSS 5.5): An improper handling of invalid special elements flaw [CWE-159] can force a call to the KeBugCheckEx function, leading to an unrecoverable inconsistency in the sys driver. Exploitation allows an unprivileged user to trigger a system crash. CVE-2026-2636 was patched in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Public PoC code and a full technical analysis are available, increasing the risk of in-the-wild exploitation.

Greenbone includes detection for all aforementioned CVEs affecting Microsoft products and regularly produces vulnerability detection checks for Microsoft Security Bulletins [15][16] and other Windows vulnerabilities. Defenders should continuously verify security patch levels to ensure that newly exposed vulnerabilities are mitigated.

New SolarWinds Serv-U CVEs Present High Risk to Enterprise IT

Four CVEs impacting the SolarWinds Serv-U managed file transfer tool were published on February 24th, 2026. While NIST assigned a CVSS score of 7.2, SolarWinds rates each as CVSS 9.1, critical severity. All four flaws allow RCE, as root on Linux and potentially with SYSTEM-level privileges on Windows, but all require administrative privileges to exploit.

Although active exploitation has not been reported and no public PoC or detailed exploitation write-ups are available, a 2024 vulnerability in SolarWinds Serv-U was weaponized and actively exploited within weeks. SolarWinds’ popularity with large organizations makes it an attractive target. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances of Serv-U. Users should upgrade to v15.5.4 as soon as possible.

The four new high-risk CVEs affecting SolarWinds Serv-U are:

CVE-2026-2329: New PoC Exploit for Grandstream GXP1600 Series IP Phones

CVE-2026-2329 (CVSS 9.8, EPSS ≥ 97th pctl) allows unauthenticated RCE as the device’s root user on Grandstream GXP1600-series VoIP phones. CVE-2026-2329 is a stack-based buffer overflow [CWE-121] caused by improper bounds checking in the /cgi-bin/api.values.get HTTP API. It is not known to be actively exploited. However, a full technical analysis and a Metasploit exploit module are available, increasing the risk of attacks.

Exploitation of CVE-2026-2329 could allow an attacker to:

  • Execute arbitrary OS commands [T1059] on the phone as the root user
  • Maintain persistent access to compromised devices [T1543]
  • Dump stored secrets [T1552] from the device such as local user accounts and SIP account credentials and leverage them in subsequent attacks [T1078]
  • Reconfigure SIP settings to point at an attacker-controlled SIP proxy, enabling transparent call interception [T1557] and audio eavesdropping [T1040]

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable devices. Grandstream GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 devices with firmware version prior to 1.0.7.81 are affected. Users should update to firmware version 1.0.7.81 or later.

Unauthenticated RCE in VMware Aria Operations During Support-Assisted Migration and More

Since late 2025, security researchers have reported increasing risk to VM environments [1][2]. This month, new threats in this domain included several new vulnerabilities affecting VMware Aria Operations. Aria Operations is a largely automated platform for monitoring, performance analytics, and planning for vSphere VM fleets and hybrid-cloud infrastructure.

The new CVEs affecting VMware Aria Operations are:

  • CVE-2026-22719 (CVSS 8.1): A command injection vulnerability [CWE-77] allows an unauthenticated attacker to execute arbitrary commands remotely while support-assisted product migration is in progress. Support-assisted product migration is a workflow that involves VMware Support as part of a product transition/upgrade.
  • CVE-2026-22720 (CVSS 8.0): A stored cross-site scripting vulnerability [CWE-79] allows an attacker with privileges to create custom benchmarks and inject scripts to perform administrative actions.
  • CVE-2026-22721 (CVSS 6.2): A privilege escalation vulnerability [CWE-269] allows an attacker with vCenter access to Aria Operations to obtain administrative access.

VMware Aria Operations versions 8.x are affected, and v8.18.6 mitigates all three CVEs. A workaround for CVE-2026-22719 has been made available as a shell script that removes passwordless sudo privileges from the /etc/sudoers file and deletes a migration launcher script. The workaround does not mitigate CVE-2026-22720 or CVE-2026-22721. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect affected Aria Operations nodes.

More Critical CVEs Affect Trend Micro Apex One

Just last month, the Greenbone Threat Report reviewed an authenticated RCE flaw in Trend Micro Apex One. In February, Trend Micro issued another emergency security bulletin, disclosing nine new vulnerabilities in its Apex One endpoint security platform. Curiously, the issued CVE IDs have not appeared in the MITRE CVE repository or NIST NVD as of March 3rd, 2026.

According to Trend Micro, the flaws range in severity from CVSS 7.2 (High) to 9.8 (Critical). The two critical-severity CVEs allow unauthenticated RCE via malicious file upload, while the High severity CVEs all permit local privilege escalation. The OPENVAS ENTERPRISE FEED includes a Windows registry version check for affected instances of Apex One for Windows. Affected users should apply Critical Patch (CP) Build 14136 for Apex One 2019 (on-premises) as soon as possible.

New Authenticated RCE Flaws Affect Kubernetes Ingress NGINX Controller

Two new High severity CVEs were disclosed affecting the Kubernetes Ingress NGINX controller, along with one Medium and one Low severity CVE. Both High-severity flaws require Kubernetes API/RBAC privileges, and only clusters running the Ingress NGINX component are affected. Ingress NGINX is one of several Ingress controller implementations for Kubernetes. It’s important to note that support for Ingress NGINX will end in March 2026; the Kubernetes blog suggests migrating to the Gateway API. Several national CERT alerts were issued [1][2][3][4][5].

The High severity CVEs are:

  • CVE-2026-1580 (CVSS 8.8): The ingress.kubernetes.io/auth-method Ingress annotation can be used to inject nginx configuration, leading to arbitrary authenticated RCE in the context of the ingress-nginx controller and, potentially, disclosure of all Secrets cluster-wide.
  • CVE-2026-24512 (CVSS 8.8): The http.paths.path Ingress field can be used to inject nginx configuration, leading to arbitrary authenticated RCE in the context of the ingress-nginx controller and, potentially, disclosure of all Secrets cluster-wide.
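Because both flaws are reached through fields that an Ingress author controls, a cluster operator who cannot upgrade immediately can at least hunt for manifests that carry nginx directive syntax in those fields. The following added example (not the ingress-nginx project’s code or its fix) audits the JSON that kubectl get ingress -A -o json returns. It is a heuristic and an assumption that the characters which terminate or open an nginx directive (newline, semicolon, braces, comment marker) have no legitimate place in an auth-method value or a path; the second annotation key, with the nginx.ingress.kubernetes.io/ prefix, is also an assumption about the controller’s annotation naming, added alongside the key as written above. The two Ingress objects are constructed sample data; the injected directive is a harmless add_header.

```python
"""
Added example: hunt Ingress objects for nginx configuration-injection
metacharacters in the auth-method annotation and http.paths.path fields.
Heuristic, not an exploit detector; input shape is kubectl's JSON list.
"""
from __future__ import annotations

import json

# Characters that can end an nginx directive or open/close a block (assumption:
# none of them belongs in a legitimate auth-method value or Ingress path).
SUSPICIOUS = {"\n", "\r", ";", "{", "}", "#"}

# The key as written in this report plus the nginx.ingress.kubernetes.io/ form
# (the latter is an assumption about the controller's annotation prefix).
AUTH_METHOD_KEYS = (
    "ingress.kubernetes.io/auth-method",
    "nginx.ingress.kubernetes.io/auth-method",
)


def suspicious_chars(value: str) -> set[str]:
    """Return the subset of SUSPICIOUS present in value (empty set = clean)."""
    return {ch for ch in value if ch in SUSPICIOUS}


def audit_ingress(item: dict) -> list[dict]:
    """Audit one Ingress object; returns one finding per offending field."""
    findings: list[dict] = []
    meta = item.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

    # CVE-2026-1580 surface: the auth-method annotation. A valid HTTP method
    # is plain letters, so anything else is worth a look.
    for key in AUTH_METHOD_KEYS:
        value = meta.get("annotations", {}).get(key)
        if value is not None and (suspicious_chars(value) or not value.isalpha()):
            findings.append({"ingress": name, "field": key,
                             "value": value, "cve": "CVE-2026-1580"})

    # CVE-2026-24512 surface: every http.paths[].path in every rule.
    for rule in item.get("spec", {}).get("rules", []):
        for path_entry in rule.get("http", {}).get("paths", []):
            path = path_entry.get("path", "")
            if suspicious_chars(path):
                findings.append({"ingress": name, "field": "http.paths.path",
                                 "value": path, "cve": "CVE-2026-24512"})
    return findings


def audit_list(ingress_list: dict) -> list[dict]:
    """Audit a kubectl-style list ({"items": [...]})."""
    return [f for item in ingress_list.get("items", []) for f in audit_ingress(item)]


# Constructed sample: one clean Ingress and one carrying directive syntax in
# both fields. The injected add_header is a benign placeholder directive.
SAMPLE = json.loads(r'''
{"items": [
  {"metadata": {"name": "shop", "namespace": "prod",
                "annotations": {"ingress.kubernetes.io/auth-method": "GET"}},
   "spec": {"rules": [{"host": "shop.example.test",
                       "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
  {"metadata": {"name": "odd", "namespace": "dev",
                "annotations": {"ingress.kubernetes.io/auth-method":
                                "GET;\nadd_header X-Injected 1;"}},
   "spec": {"rules": [{"http": {"paths": [{"path": "/api/ {",
                                           "pathType": "ImplementationSpecific"}]}}]}}
]}
''')


if __name__ == "__main__":
    for finding in audit_list(SAMPLE):
        print(json.dumps(finding))
```

A clean audit does not prove a cluster is safe, since the fix is the controller upgrade; it narrows the set of objects that deserve a closer look and, combined with RBAC review of who may create or edit Ingress objects, tells you how exposed the remaining window is.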

The OPENVAS ENTERPRISE FEED added an executable version check for all new CVEs in the security alert within hours of disclosure. Ingress NGINX versions 1.13.x prior to 1.13.7 and 1.14.x prior to 1.14.3 are affected. Users who must rely on Ingress NGINX should upgrade to v1.13.7, v1.14.3, or later.
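Every product section above ends with a banner or version check and an affected range, and the ranges are not all the same shape: some are “at or below” (RS ≤ 25.3.1), some are “below a fix” with a hotfix suffix (RP4VMs < 6.0.3.1 HF1), and some are per-branch (Ingress NGINX 1.13.x < 1.13.7 and 1.14.x < 1.14.3). The following added example (not Greenbone’s feed code; a version-comparison routine written for this report) encodes the ranges as stated here and shows the decision a check has to make, including the case the report says nothing about. The rule-table format, the product keys, and the treatment of an HF suffix as a trailing ordinal that sorts after the bare version are assumptions.

```python
"""
Added example: branch-aware "is this version affected?" logic, with the
affected ranges exactly as stated in this report. Not OpenVAS feed code.
"""
from __future__ import annotations

import re

# Accepts "25.3.1", "v1.14.3", "6.0.3.1 HF1" (assumption: HF<n> is a hotfix
# ordinal that sorts after the bare version it patches).
VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:\s*HF(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """'6.0.3.1 HF1' -> ((6, 0, 3, 1), 1); a missing hotfix counts as 0."""
    match = VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; shorter numeric tuples are zero-padded so 8.18 == 8.18.0."""
    (an, ah), (bn, bh) = parse_version(a), parse_version(b)
    width = max(len(an), len(bn))
    key_a = (an + (0,) * (width - len(an)), ah)
    key_b = (bn + (0,) * (width - len(bn)), bh)
    return (key_a > key_b) - (key_a < key_b)


# Rule: (branch prefix or None, operator, boundary). A version is affected
# when it lies in the branch (if given) and satisfies "version <op> boundary".
# Boundaries are the ranges stated in this report.
RULES: dict[str, list[tuple[tuple[int, ...] | None, str, str]]] = {
    "beyondtrust-rs":         [(None, "<=", "25.3.1")],
    "beyondtrust-pra":        [(None, "<=", "24.3.4")],
    "dell-rp4vms":            [(None, "<", "6.0.3.1 HF1")],
    "solarwinds-serv-u":      [(None, "<", "15.5.4")],
    "grandstream-gxp16xx":    [(None, "<", "1.0.7.81")],
    "vmware-aria-operations": [((8,), "<", "8.18.6")],
    "ingress-nginx":          [((1, 13), "<", "1.13.7"),
                               ((1, 14), "<", "1.14.3")],
}


def in_branch(version: str, prefix: tuple[int, ...] | None) -> bool:
    numbers, _ = parse_version(version)
    return prefix is None or numbers[: len(prefix)] == prefix


def is_affected(product: str, version: str) -> bool | None:
    """True/False when a stated rule covers this branch; None when the report's
    ranges say nothing about it (report as 'verify manually', never as 'safe')."""
    for prefix, op, boundary in RULES[product]:
        if not in_branch(version, prefix):
            continue
        result = compare(version, boundary)
        return result <= 0 if op == "<=" else result < 0
    return None


if __name__ == "__main__":
    for product, version in [("beyondtrust-rs", "25.3.1"),
                             ("dell-rp4vms", "6.0.3.1"),
                             ("dell-rp4vms", "6.0.3.1 HF1"),
                             ("ingress-nginx", "v1.13.6"),
                             ("ingress-nginx", "1.12.9")]:
        print(f"{product:24} {version:14} affected={is_affected(product, version)}")
```

The None result is the part worth copying: a check that maps “no rule matched” to “not vulnerable” silently clears any branch the advisory did not enumerate, which is exactly where an out-of-support release would sit.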

Summary

This month’s Threat Report summarizes the highest-impact vulnerabilities and exploitation trends observed in February 2026. Several new CVEs have been tied to in-the-wild exploit activity, ransomware operations, and rapid exploitation development. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.