Classification: Public | Reporting Period: February 2–16, 2026 | Distribution: Security Operations, IT Leadership, Executive Team | Prepared By: Tech Jacks Solutions Security Intelligence
TJS Weekly Security Intelligence Briefing – Week of Feb 16th
1. Executive Summary
The period of February 2–16, 2026 carries a critical risk posture driven by Microsoft’s February Patch Tuesday addressing 58 vulnerabilities (including six actively exploited zero-days), active exploitation of Ivanti EPMM zero-days (CVE-2026-1281/CVE-2026-1340) targeting government agencies across Europe, and a critical pre-authentication RCE in BeyondTrust Remote Support now confirmed exploited in the wild (CVE-2026-1731, CVSS 9.9). CISA issued Binding Operational Directive 26-02 on February 5, mandating federal agencies remove end-of-support edge devices within 12 months, citing widespread nation-state exploitation campaigns. Fortinet disclosed CVE-2026-21643 (CVSS 9.1), a critical SQL injection in FortiClientEMS, while ongoing exploitation of the FortiCloud SSO bypass (CVE-2026-24858) continues. Organizations face converging threats across identity infrastructure, remote access platforms, and endpoint security boundaries.
Key Statistics:
- 58 Microsoft vulnerabilities patched (6 actively exploited zero-days)
- 417 Ivanti EPMM exploitation sessions detected Feb 1–9, 83% from a single bulletproof hosting IP
- ~8,500 BeyondTrust on-prem instances exposed; exploitation confirmed Feb 13
- CISA BOD 26-02 issued requiring EOS edge device removal
2. Critical Action Items
3. Key Security Stories
Story 1: Ivanti EPMM Zero-Days Under Mass Exploitation – European Government Agencies Compromised
Two critical code injection vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) are under active mass exploitation. Both allow unauthenticated remote code execution via crafted HTTP requests against on-premises EPMM deployments. Ivanti disclosed these on January 29, and CISA added CVE-2026-1281 to the KEV catalog the same day.
GreyNoise recorded 417 exploitation sessions from 8 source IPs between February 1–9, with 83% originating from a single IP (193.24.123.42) on bulletproof hosting provider PROSPERO OOO (AS200593). A sharp spike on February 8 saw 269 sessions in a single day. The Dutch Data Protection Authority, Council for the Judiciary, the European Commission, and Finland’s Valtori confirmed they were targeted. Defused Cyber identified “sleeper shell” campaigns deploying dormant in-memory Java class loaders at /mifs/403.jsp, consistent with initial access broker tradecraft.
Affected Versions: EPMM 12.x on-prem (all branches prior to patched RPMs)
Exploitation Status: Actively exploited; PoC publicly available
Remediation: Apply version-specific RPM patches immediately; permanent fix expected in EPMM 12.8.0.0 (Q1 2026). If compromise is suspected, rebuild the EPMM appliance and migrate data.
Sources: Ivanti Security Advisory, GreyNoise Analysis, Help Net Security, BleepingComputer
Story 2: Microsoft February 2026 Patch Tuesday – Six Actively Exploited Zero-Days
Microsoft released patches on February 10 addressing 58 vulnerabilities, including six zero-days already exploited in the wild. Three were publicly disclosed before patches were available.
Actively Exploited Zero-Days:
- CVE-2026-21510 (CVSS 8.8) – Windows Shell security feature bypass enabling Mark-of-the-Web evasion. Attackers convince users to open malicious shortcut/link files, bypassing SmartScreen warnings. Affects all supported Windows versions.
- CVE-2026-21513 – MSHTML engine security feature bypass exploitable via crafted HTML or .lnk files.
- CVE-2026-21514 (CVSS 5.5) – Microsoft Word security feature bypass via malicious Office documents circumventing OLE mitigations.
- CVE-2026-21519 (CVSS 7.8) – Desktop Window Manager EoP via type confusion, granting SYSTEM privileges. DWM has been exploited in consecutive Patch Tuesdays.
- CVE-2026-21533 – Windows Remote Desktop Services EoP allowing SYSTEM-level access for authenticated attackers.
- CVE-2026-21525 – Windows Remote Access Connection Manager DoS via null pointer dereference, crashing VPN connections.
Also notable: CVE-2026-24300 (CVSS 9.8, Azure Front Door) and CVE-2026-21523 (RCE in GitHub Copilot/VS Code) pose elevated risk to cloud and developer environments.
Remediation: Deploy February cumulative updates immediately. Prioritize zero-day patches, then Critical Azure CVEs.
Sources: Microsoft Security Update Guide, BleepingComputer, Krebs on Security, Help Net Security, Malwarebytes
Story 3: BeyondTrust Pre-Auth RCE – From Disclosure to Active Exploitation in One Week
BeyondTrust disclosed CVE-2026-1731 (CVSS 9.9) on February 6, a critical pre-authentication OS command injection vulnerability in Remote Support and Privileged Remote Access. By February 13, Arctic Wolf, Defused Cyber, and GreyNoise confirmed active exploitation in the wild.
Hacktron AI discovered the flaw on January 31 using AI-enabled variant analysis, identifying approximately 11,000 exposed instances (8,500 on-prem). Rapid7 published a PoC exploit on February 10, and attackers began leveraging Nuclei-based scripts. Post-exploitation activity includes deployment of SimpleHelp RMM for persistence, followed by discovery and lateral movement. BeyondTrust auto-patched SaaS customers on February 2; self-hosted instances remain at risk without manual patching.
The disclosure timeline is notable given BeyondTrust’s history: the Silk Typhoon Chinese APT group breached the U.S. Treasury Department via BeyondTrust zero-days (CVE-2024-12356/12686) in late 2024.
Affected Versions: RS ≤25.3.1, PRA ≤24.3.4
Exploitation Status: Actively exploited as of Feb 13; PoC public
Remediation: Apply BT26-02-RS or BT26-02-PRA patches. Instances on RS <21.3 or PRA <22.1 must upgrade first.
Sources: BeyondTrust Advisory BT26-02, Help Net Security, Rapid7, The Hacker News, Arctic Wolf
Story 4: CISA Issues BOD 26-02 – Remove End-of-Support Edge Devices
On February 5, CISA issued Binding Operational Directive 26-02 requiring federal civilian agencies to inventory, update, and decommission end-of-support (EOS) edge devices. CISA cited “widespread exploitation campaigns by advanced threat actors” with nation-state ties targeting EOS routers, firewalls, VPN gateways, and network appliances from vendors including Cisco, Fortinet, Palo Alto Networks, Ivanti, and Juniper.
The directive sets a phased compliance timeline: immediate patching where possible, three-month inventory, 12-month decommissioning, and 24-month continuous discovery processes. While binding only on federal agencies, CISA urged all organizations to adopt similar practices. A companion fact sheet was co-published with the FBI and the UK’s NCSC.
Sources: CISA BOD 26-02, BleepingComputer, Cybersecurity Dive, The Record
Story 5: Fortinet FortiClientEMS SQL Injection and Ongoing FortiCloud SSO Abuse
Fortinet disclosed CVE-2026-21643 (CVSS 9.1) on February 6, a critical SQL injection in FortiClientEMS 7.4.4 that could allow unauthenticated remote code execution via crafted HTTP requests. No active exploitation has been reported yet.
Separately, exploitation of CVE-2026-24858 (FortiCloud SSO authentication bypass, CVSS 9.4) continues. This vulnerability allows attackers with any FortiCloud account to authenticate to other users’ devices when FortiCloud SSO is enabled. Two malicious accounts (cloud-noc@mail.io and cloud-init@mail.io) were locked out January 22. Fortinet temporarily disabled FortiCloud SSO on January 26, restoring it January 27 only for patched devices. CISA added CVE-2026-24858 to the KEV catalog. Organizations that previously patched for CVE-2025-59718/59719 remain vulnerable to this newer bypass.
Sources: Fortinet PSIRT FG-IR-26-060, CISA Alert, SOC Prime Analysis, Arctic Wolf
4. CISA KEV & Critical CVE Table
5. Indicators of Compromise
Ivanti EPMM Exploitation
Primary Exploitation Source:
- 193.24.123.42 (PROSPERO OOO, AS200593, St. Petersburg) – 83% of observed exploitation
- ASN: AS200593 (labeled “BULLETPROOF” by Censys)
Malicious Accounts (FortiCloud SSO Abuse):
- cloud-noc@mail.io
- cloud-init@mail.io
File Indicators:
- /mifs/403.jsp (sleeper shell on compromised EPMM instances)
- Anomalous outbound DNS activity (OAST-style callbacks)
BeyondTrust Post-Exploitation:
- Deployment of SimpleHelp RMM tool for persistence
- Reconnaissance via get_portal_info to extract x-ns-company values
- WebSocket channel establishment from unauthorized sources
Detection Guidance:
- Monitor Apache access logs on EPMM for unusual HTTP patterns to file delivery endpoints
- Review FortiGate logs for SSO logins from cloud-init@mail.io or unfamiliar SSO accounts
- Alert on unexpected system.admin object additions on FortiGate
- Monitor for Nuclei-based scanning patterns against BeyondTrust instances
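The log checks above, written out as an added example (not part of the original briefing): it runs the EPMM and FortiGate indicators listed in this section over constructed sample log lines. The Apache lines follow the combined log format; the FortiGate-style lines are a simplified key=value format constructed for the example, and the non-IoC endpoint paths are placeholders.

```python
import re

# Indicators quoted in this briefing (Ivanti EPMM and FortiCloud SSO stories).
EPMM_SOURCE_IP = "193.24.123.42"
SLEEPER_SHELL_PATH = "/mifs/403.jsp"
MALICIOUS_SSO_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}

# Constructed sample input: Apache combined-format lines from an EPMM appliance and
# simplified key=value lines in the style of FortiGate event logs (placeholder paths).
EPMM_ACCESS_LOG = """\
10.0.0.5 - - [08/Feb/2026:09:12:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1432
193.24.123.42 - - [08/Feb/2026:09:13:44 +0000] "POST /mifs/placeholder/endpoint HTTP/1.1" 200 512
10.0.0.9 - - [08/Feb/2026:09:14:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0
"""
FORTIGATE_LOG = """\
date=2026-02-08 time=09:20:11 logdesc="Admin login successful" user="admin" method="ssh"
date=2026-02-08 time=09:22:40 logdesc="Admin login successful" user="cloud-init@mail.io" method="sso"
date=2026-02-08 time=09:22:55 logdesc="Admin login successful" user="contractor7" method="sso"
date=2026-02-08 time=09:23:05 logdesc="Object attribute configured" cfgpath="system.admin" cfgobj="svc_backup" action="Add"
"""
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value log line into a dict, dropping surrounding quotes."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def hunt_epmm(access_log):
    """Flag requests from the known exploitation source IP and to the sleeper-shell path."""
    findings = []
    for m in filter(None, map(APACHE_RE.match, access_log.splitlines())):
        ip, path = m["ip"], m["path"].split("?", 1)[0]  # ignore any query string
        if ip == EPMM_SOURCE_IP:
            findings.append(("known_exploitation_source", ip, path))
        if path == SLEEPER_SHELL_PATH:
            findings.append(("sleeper_shell_path", ip, path))
    return findings

def hunt_fortigate(event_log, known_sso_accounts=frozenset()):
    """Flag SSO logins by the malicious or unfamiliar accounts and new system.admin objects."""
    findings = []
    for line in event_log.splitlines():
        ev = parse_kv(line)
        if ev.get("method") == "sso":
            if ev.get("user") in MALICIOUS_SSO_ACCOUNTS:
                findings.append(("malicious_sso_login", ev["user"]))
            elif ev.get("user") not in known_sso_accounts:
                findings.append(("unfamiliar_sso_login", ev.get("user")))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(("system_admin_object_added", ev.get("cfgobj")))
    return findings
```

Pass the set of SSO accounts your organization expects as `known_sso_accounts` so that only genuinely unfamiliar logins are raised alongside the two known-malicious addresses.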
6. Helpful 5: High-Value, Low-Effort Mitigations
1. BeyondTrust: Verify Patch Status for CVE-2026-1731
Why: CVSS 9.9 pre-auth RCE now actively exploited; 8,500 on-prem instances at risk.
How:
- Confirm SaaS instances received auto-patch (deployed Feb 2)
- Self-hosted: Apply BT26-02-RS or BT26-02-PRA via the /appliance interface
- Instances on RS <21.3 or PRA <22.1 must upgrade before patching
- Review privileged session logs for unauthorized access during vulnerability window
- Monitor for SimpleHelp RMM deployment as persistence indicator
2. Windows Endpoints: Emergency February Patch Deployment
Why: Six zero-days actively exploited, including SmartScreen bypass enabling payload delivery and DWM EoP granting SYSTEM access.
How:
- Deploy February cumulative updates to internet-facing systems first
- Prioritize CVE-2026-21510 (SmartScreen bypass) and CVE-2026-21519 (DWM EoP)
- Test RDS patches (CVE-2026-21533) in staging before deployment to terminal servers
- Monitor for VPN disruptions related to RASMAN DoS (CVE-2026-21525)
- Review Secure Boot certificate rollout guidance ahead of June 2026 expiration
3. Ivanti EPMM: Patch and Hunt for Compromise
Why: 1,600+ exposed instances; European government agencies confirmed compromised; exploitation accelerating.
How:
- Apply version-specific RPM patches (do not cross-apply between branches)
- Search for /mifs/403.jsp on EPMM instances
- Review EPMM admin accounts for unauthorized additions
- Audit LDAP/SSO authentication configuration changes
- Block AS200593 (PROSPERO) at network perimeter
4. Fortinet: Audit FortiCloud SSO and Patch FortiClientEMS
Why: CVE-2026-24858 actively exploited for admin account creation; CVE-2026-21643 is a CVSS 9.1 SQL injection with no auth required.
How:
- Upgrade FortiOS, FortiManager, FortiAnalyzer to latest patched versions
- Audit for rogue admin accounts (check for cloud-init@mail.io SSO logins)
- If FortiCloud SSO was enabled pre-patch, treat the device as potentially compromised
- Apply FortiClientEMS 7.4.4 patch for CVE-2026-21643
- Restrict management interface access to trusted internal networks
5. Edge Devices: Begin EOS Inventory Per BOD 26-02
Why: Nation-state actors actively exploit EOS edge devices; CISA directive sets 3-month inventory deadline.
How:
- Generate inventory of all edge devices (firewalls, routers, VPN gateways, switches)
- Cross-reference with CISA’s EOS Edge Device List
- Identify devices no longer receiving vendor security updates
- Prioritize replacement of internet-facing EOS devices
- Establish lifecycle management process for future EOS prevention
7. Framework Alignment Matrix
| Vulnerability/Threat | CIS Controls v8 | NIST CSF 2.0 | ISO 27001:2022 | MITRE ATT&CK | OWASP | CISA |
|---|---|---|---|---|---|---|
| CVE-2026-1281/1340 (Ivanti EPMM) | 7.1, 7.4, 12.1 | PR.IP-12, DE.CM-8, RS.AN-1 | A.8.8, A.8.9 | T1190, T1059 | A06:2021 (Vuln Components) | KEV – Patch immediately |
| CVE-2026-1731 (BeyondTrust) | 7.1, 7.4, 4.1 | PR.IP-12, PR.AC-4, DE.CM-4 | A.8.8, A.9.4.1 | T1190, T1059.004 | A03:2021 (Injection) | Patch immediately |
| Microsoft 6 Zero-Days | 7.1, 7.3, 7.7 | PR.IP-12, DE.CM-8 | A.8.8, A.12.6.1 | T1203, T1068, T1566 | — | BOD 22-01 compliance |
| CVE-2026-24858 (Fortinet SSO) | 6.3, 6.5, 7.1 | PR.AC-7, PR.IP-12 | A.8.5, A.9.4.2 | T1078, T1556 | A07:2021 (Auth Failures) | KEV – Patch immediately |
| CVE-2026-21643 (FortiClientEMS) | 7.1, 16.6 | PR.IP-12, DE.CM-4 | A.8.8, A.14.2.5 | T1190, T1059 | A03:2021 (Injection) | Patch immediately |
| BOD 26-02 (EOS Devices) | 1.1, 1.2, 2.1 | ID.AM-1, PR.IP-12 | A.8.1, A.8.9 | T1190 | — | BOD 26-02 compliance |
8. Upcoming Security Events
| Date | Event | Action Required |
|---|---|---|
| Feb 18, 2026 | CISA CVE-2026-1731 KEV deadline (anticipated) | Patch BeyondTrust instances |
| Mar 2, 2026 | BOD 26-02 inventory preparation | Begin EOS edge device cataloging |
| Mar 10, 2026 | March Patch Tuesday | Plan testing cycle |
| May 5, 2026 | BOD 26-02 inventory reporting deadline | Submit EOS findings to CISA |
| Jun 2026 | Windows Secure Boot certificate expiration | Review CVE-2026-21265 guidance |
9. Sources
Authoritative Sources:
- CISA Known Exploited Vulnerabilities Catalog
- CISA BOD 26-02
- Microsoft Security Response Center
- Fortinet FortiGuard PSIRT
- Ivanti Security Advisory
- BeyondTrust Advisory BT26-02
Threat Intelligence:
Security News:
- BleepingComputer | Krebs on Security | Help Net Security | The Hacker News | The Record | Cybersecurity Dive | Malwarebytes
Document Version: 1.0 | Last Updated: February 16, 2026, 17:00 EST | Next Briefing: February 23, 2026