惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
U
Unit 42
H
Help Net Security
博客园_首页
雷峰网
雷峰网
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 【当耐特】
Recent Announcements
Recent Announcements
Recorded Future
Recorded Future
aimingoo的专栏
aimingoo的专栏
爱范儿
爱范儿
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Cloudflare Blog
S
Security @ Cisco Blogs
M
MIT News - Artificial intelligence
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
The GitHub Blog
The GitHub Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
MyScale Blog
MyScale Blog
阮一峰的网络日志
阮一峰的网络日志
C
CERT Recently Published Vulnerability Notes
V
Vulnerabilities – Threatpost
WordPress大学
WordPress大学
C
Cisco Blogs
G
Google Developers Blog
N
News and Events Feed by Topic
P
Palo Alto Networks Blog
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
博客园 - 聂微东
Security Latest
Security Latest
Security Archives - TechRepublic
Security Archives - TechRepublic
O
OpenAI News
云风的 BLOG
云风的 BLOG
IT之家
IT之家
PCI Perspectives
PCI Perspectives
Microsoft Security Blog
Microsoft Security Blog
NISL@THU
NISL@THU
小众软件
小众软件
Scott Helme
Scott Helme
大猫的无限游戏
大猫的无限游戏
L
LINUX DO - 最新话题
Microsoft Azure Blog
Microsoft Azure Blog
Simon Willison's Weblog
Simon Willison's Weblog
N
News and Events Feed by Topic
F
Fortinet All Blogs
The Last Watchdog
The Last Watchdog

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
Recorded Future® · 2026-03-12 · via Recorded Future

February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.

What security teams need to know:

  • Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
  • Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
  • APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery
  • Public exploits available: Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale

Bottom line: Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.

Quick Reference: February 2026 Vulnerability Table

All 13 vulnerabilities below were actively exploited in February 2026.

#

Vulnerability

Risk
Score

Affected Vendor/Product

Vulnerability Type/Component

Public PoC

1

99

Notepad++

CWE-494 (Download of Code Without Integrity Check)

2

99

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)

CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

3

99

Microsoft Windows

CWE-693 (Protection Mechanism Failure)

No

4

99

Microsoft Windows

CWE-693 (Protection Mechanism Failure)

No

5

99

Microsoft Office

CWE-807 (Reliance on Untrusted Inputs in a Security Decision)

No

6

99

Microsoft Windows

CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion'))

No

7

99

Microsoft Windows

CWE-476 (NULL Pointer Dereference)

No

8

99

Microsoft Windows

CWE-269 (Improper Privilege Management)

*Yes

9

99

Apple iOS, macOS, tvOS, watchOS, and visionOS

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

No

10

99

Soliton Systems K.K. FileZen

CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

No

11

99

Google Chromium

CWE-416 (Use After Free)

12

99

Dell RecoverPoint for Virtual Machines (RP4VMs)

CWE-798 (Use of Hard-coded Credentials)

No

13

99

Cisco Catalyst SD-WAN Controller and Manager

CWE-287 (Improper Authentication)

Table 1: List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit for CVE-2026-21533 is being advertised for sale across Github. Recorded Future Triage was used to browse the website advertising the exploit, which can be viewed here via the Replay Monitor. (Source: Recorded Future)

Vendors Most Affected

  • Microsoft led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products
  • BeyondTrust faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier
  • Cisco saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure
  • Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell

Most Common Weakness Types

  • CWE-78 – OS Command Injection (tied for most common)
  • CWE-693 – Protection Mechanism Failure (tied for most common)
  • CWE-476 – NULL Pointer Dereference
  • CWE-843 – Type Confusion
  • CWE-807 – Reliance on Untrusted Inputs in a Security Decision

Exploitation Activity

Vulnerabilities associated with malware campaigns:

  • Lotus Blossom (suspected China state-sponsored) exploited CVE-2025-15556 to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
  • APT28 (Russian state-sponsored) exploited CVE-2026-21513 using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.
  • UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.

Long-running exploitation activity:

  • UAT-8616 exploited CVE-2026-20127, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with Cisco Talos attributing the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2025-15556 | Notepad++

Risk Score: 99 (Very Critical) | CISA KEV: Added February 12, 2026

Why this matters: Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.

Affected versions: Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)

Immediate actions:

  • Update to Notepad++ version 8.9.1, released January 26, 2026
  • Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment
  • Monitor for GUP.exe spawning unexpected child processes
  • Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0
  • Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\
  • Block or alert on curl.exe uploading files to temp[.]sh

Known C2 infrastructure: 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0

Detection resources: Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.

Figure 1: Risk Rules History from Vulnerability Intelligence Card® for CVE-2025-15556 in Recorded Future (Source: Recorded Future)

CVE-2026-1731 | BeyondTrust Remote Support and Privileged Remote Access

Risk Score: 99 (Very Critical) | CISA KEV: Added February 13, 2026

Why this matters: Unauthenticated attackers can execute arbitrary OS commands over a WebSocket connection, enabling remote shell access and full system compromise, with no credentials required.

Affected versions: BeyondTrust Remote Support (RS) versions 25.3.1 and earlier; Privileged Remote Access (PRA) versions 24.3.4 and earlier

Immediate actions:

  • Upgrade to BeyondTrust RS version 25.3.2 or later and PRA version 25.1 or later
  • Monitor WebSocket connections to the /nw endpoint for crafted version strings containing subshell syntax (e.g., a[$(command)]0)
  • Review logs for unexpected OS command execution originating from wsusservice or web service processes
  • Restrict network access to BeyondTrust appliances to authorized management systems only

CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager

Risk Score: 99 (Very Critical) | CISA KEV: Added February 25, 2026

Why this matters: UAT-8616 exploited this authentication bypass to gain high-privileged access to Cisco SD-WAN infrastructure, chaining it with CVE-2022-20775 to achieve root-level access and maintain persistent, covert footholds. CISA issued Emergency Directive 26-03, requiring federal civilian agencies to immediately remediate.

Affected products: Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-premises deployments and SD-WAN Cloud installations

Immediate actions:

  • Update to patched release versions 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, or 20.18.2.1
  • Monitor SD-WAN logs for unexpected control-connection-state-change new-state:up events and unrecognized peer-system-ip values
  • Audit SSH authorized_keys files at /home/root/.ssh/authorized_keys and /home/vmanage-admin/.ssh/authorized_keys/ for unauthorized entries
  • Check /etc/ssh/sshd_config for PermitRootLogin yes
  • Review logs for path traversal strings related to CVE-2022-20775, such as /../../ and /\n&../\n&../
  • Hunt for cleared or truncated logs from syslog, wtmp, lastlog, cli-history, bash_history, and files in /var/log/, which may indicate log clearing

Technical Deep Dive: Exploitation Analysis

Notepad++ Supply-Chain Attack (CVE-2025-15556)

Three-chain attack evolution: Lotus Blossom ran three distinct attack chains between July and October 2025, each evolving to evade detection:

  • Chain 1 (July–August 2025): Replaced the legitimate Notepad++ update package with a malicious NSIS installer (update.exe) that abused a legitimate ProShow.exe file to launch an exploit payload containing shellcode. The shellcode decrypted and launched a Metasploit downloader, which retrieved a Cobalt Strike Beacon shellcode from hxxps://45[.]77[.]31[.]210/users/admin and executed it.
  • Chain 2 (September 2025): Reused the same update channel with a modified update.exe that dropped legitimate Lua interpreter files alongside a malicious alien.ini script. The compiled Lua script allocated and executed shellcode via the EnumWindowStationsW API, ultimately delivering Cobalt Strike Beacon. Threat actors later split reconnaissance commands into multiple steps to evade detection logic tied to combined command-line patterns.
  • Chain 3 (October 2025): Shifted to a new distribution server and delivered a malicious update.exe file that dropped a legitimate Bitdefender Submission Wizard renamed as BluetoothService.exe, a malicious DLL named log.dll, and an encrypted shellcode file. Update.exe executed BluetoothService.exe, which sideloaded log.dll. Log.dll then decrypted the shellcode and injected it into the BluetoothService.exe process.

APT28 MSHTML Exploitation (CVE-2026-21513)

Browser trust boundary abuse: The vulnerability resides in ieframe.dll hyperlink navigation logic, where insufficient URL validation in _AttemptShellExecuteForHlinkNavigate() allows threat actor-controlled input to invoke ShellExecuteExW outside the intended browser security context.

Akamai identified a malicious .lnk file (document.doc.LnK) associated with APT28 infrastructure. The exploit uses nested iframes and multiple DOM contexts to manipulate browser trust boundaries, bypassing both Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC) before triggering the vulnerable navigation flow. The .lnk initiates network communication with wellnesscaremed[.]com as part of APT28's multistage payload delivery.

SHA256 for document.doc.LnK.download: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa

Why this matters: APT28's use of a weaponized .lnk file exploiting a patched MSHTML flaw underscores the group's continued targeting of Windows environments and its willingness to operationalize browser-based vulnerabilities for initial access.

UNC6201 Dell RecoverPoint Campaign (CVE-2026-22769)

Persistence through VMware infrastructure: UNC6201 exploited hard-coded credentials stored in /home/kos/tomcat9/tomcat-users.xml to authenticate to the Apache Tomcat Manager and upload a malicious WAR file, deploying the SLAYSTYLE web shell and enabling RCE with root privileges.

After establishing access, UNC6201 deployed the BRICKSTORM backdoor for C2, then replaced it with GRIMBOLT in September 2025. GRIMBOLT uses native ahead-of-time (AOT) compilation to convert to machine-native code, removing common intermediate language metadata and complicating static analysis. UNC6201 then pivoted into VMware virtual infrastructure, creating temporary "Ghost NIC" network ports on ESXi-hosted VMs for stealthy lateral movement and implementing Single Packet Authorization (SPA) via iptables commands to gate access to their backdoor infrastructure.

Why this matters: The progression from web shell to persistent backdoors, and then the pivot to VMware infrastructure to support lateral movement demonstrates a mature, multi-stage intrusion methodology. Organizations running Dell RecoverPoint for VMs should assume default credentials have been compromised and hunt for SLAYSTYLE and GRIMBOLT indicators immediately.

Detection Artifacts from Insikt Group®

Recorded Future customers can access the following from Insikt Group®:

  • CVE-2025-15556 – Sigma rules to detect reconnaissance commands (whoami, tasklist, systeminfo, netstat -ano) and curl-based exfiltration associated with the Notepad++ supply-chain attack
  • CVE-2026-23760 (SmarterTools SmarterMail) – Nuclei template for authentication bypass detection, created in February (previously highlighted in January 2026 CVE Monthly)

Note: All detection artifacts are intended for use in authorized environments only.

Recorded Future Product Integrations

Take Action

Ready to see how Recorded Future can help your team detect active exploitation, prioritize patching, and reduce attack surface risk? Explore our demo center to see these capabilities in action, or dive deeper into Insikt Group research for more threat intelligence insights.

About Insikt Group®:
Recorded Future's Insikt Group® threat research team is comprised of analysts, linguists, and security researchers with deep government and industry experience. Insikt Group® publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.