Top 10 Cybersecurity Stories This Week: Microsoft Patches Six Actively Exploited Zero-Days, Chrome Under Attack, Cisco SD-WAN Emergency Directive

February 27, 2026 | ITBriefcase.net

Why it matters: 

This week witnessed an unprecedented security crisis with Microsoft February 2026 Patch Tuesday addressing 58 vulnerabilities, including six actively exploited zero-days affecting Windows Shell (CVE-2026-21510, CVSS 8.8), MSHTML Framework (CVE-2026-21513, CVSS 8.8), Microsoft Word (CVE-2026-21514, CVSS 5.5), Desktop Window Manager (CVE-2026-21519, CVSS 7.8), Remote Desktop Services (CVE-2026-21533, CVSS 7.8), and Remote Access Connection Manager (CVE-2026-21525, CVSS 6.2). Google Threat Intelligence Group, Microsoft security teams, and anonymous researchers confirmed these were part of sophisticated attack campaigns.

Chrome zero-day CVE-2026-2441 (CVSS 8.8) use-after-free in the CSS engine was added to the CISA KEV catalog following active exploitation, enabling remote code execution through crafted HTML pages.

CISA issued Emergency Directive 26-03 mandating immediate action on Cisco SD-WAN vulnerabilities CVE-2026-20127 (authentication bypass) and CVE-2026-20128 (path traversal), affecting over 18,000 federal devices with evidence of sophisticated intrusion campaigns.

BeyondTrust Remote Support CVE-2026-1731 (CVSS 9.9) OS command injection vulnerability was exploited, enabling unauthenticated attackers to execute operating system commands with potential for complete system compromise and data exfiltration.

Conduent ransomware breach emerged as one of the largest U.S. data breaches, with approximately 8TB of sensitive data stolen, affecting millions through business process outsourcing services.

World Economic Forum Global Cybersecurity Outlook 2026 reveals that 87% of organizations identify AI vulnerabilities as the fastest-growing cyber risk, with ransomware resurgence affecting 24% of organizations.

The bottom line: Organizations must immediately deploy Microsoft February Patch Tuesday updates by CISA March 10 deadline addressing six actively exploited zero-days, update Chrome to version 145.0.7632.75+ and Chromium-based browsers, comply with CISA Emergency Directive 26-03 on Cisco SD-WAN systems, and patch BeyondTrust Remote Support/Privileged Remote Access installations. The convergence of six simultaneous Microsoft zero-day exploitations, browser engine attacks, network infrastructure compromise, and remote access software vulnerabilities demands comprehensive security transformation including accelerated emergency patch management, enhanced endpoint detection, network segmentation isolating critical infrastructure, and zero-trust architectures eliminating implicit trust assumptions across enterprise environments.

What’s ahead: Ten critical security developments spanning Microsoft zero-day exploitation waves, Chrome browser attacks, Cisco SD-WAN infrastructure compromise, and ransomware evolution that define enterprise security priorities for late February 2026.

1. Microsoft February Patch Tuesday – Six Zero-Days Actively Exploited in Sophisticated Attack Campaigns

Microsoft February 2026 Patch Tuesday, released on February 10, addressed 58 vulnerabilities, including an unprecedented six actively exploited zero-days. These were discovered by Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), the Office Product Group Security Team, CrowdStrike, Acros Security, and anonymous researchers—indicating coordinated and sophisticated attack campaigns.

CVE-2026-21510 (CVSS 8.8) is a Windows Shell security feature bypass that enables attackers to circumvent Windows SmartScreen and other security prompts through malicious links or shortcut (LNK) files. Exploitation requires only a single click to execute attacker-controlled content without warning or consent dialogs, affecting all supported Windows versions.

CVE-2026-21513 (CVSS 8.8) affects the MSHTML Framework and allows a protection mechanism failure that enables security control bypass through malicious HTML or LNK files. The vulnerability targets the Internet Explorer/Trident rendering engine, which remains present in Windows and is still used by components such as Office and File Explorer.

CVE-2026-21514 (CVSS 5.5) is a Microsoft Word security feature bypass exploiting OLE mitigations. Attackers must convince users to open malicious Office documents. The vulnerability relies on untrusted input to bypass defensive measures designed to protect against vulnerable COM/OLE controls.

CVE-2026-21519 (CVSS 7.8) is a Desktop Window Manager type confusion vulnerability that enables local privilege escalation to SYSTEM level. This marks the second consecutive month of DWM zero-day exploitation, following January’s CVE-2026-20805 information disclosure vulnerability.

CVE-2026-21533 (CVSS 7.8) affects Windows Remote Desktop Services, where improper privilege management allows authenticated local attackers to escalate from low privileges to SYSTEM-level access, potentially resulting in full compromise of confidentiality, integrity, and availability.

CVE-2026-21525 (CVSS 6.2) is a Windows Remote Access Connection Manager denial-of-service vulnerability that allows unauthenticated local attackers to crash the service responsible for maintaining VPN connections to corporate networks.

The six zero-days demonstrate coordinated targeting of security feature bypass mechanisms, privilege escalation paths, and critical Windows infrastructure components. Three vulnerabilities—CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514—were publicly disclosed before patches became available, dramatically increasing the exploitation window.

Microsoft credited the same group of reporters for the three publicly disclosed security bypass vulnerabilities, suggesting a potential shared exploitation chain or coordinated campaign by a single threat actor group. The involvement of Google TAG indicates possible links to commercial spyware vendors or nation-state operations.

Cybersecurity and Infrastructure Security Agency (CISA) added all six zero-days to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 10, 2026. Private sector organizations are strongly urged to implement emergency patching immediately, given confirmed active exploitation.

Impact: Critical – Six simultaneously exploited Microsoft zero-days spanning security feature bypass, privilege escalation, and denial-of-service affecting Windows Shell, MSHTML, Word, Desktop Window Manager, Remote Desktop Services, and VPN infrastructure representing unprecedented threat level requiring emergency response.

Action Steps:

• Deploy Microsoft February 2026 Patch Tuesday updates immediately across all Windows systems, Office installations, and Azure environments, prioritizing the six actively exploited zero-days.
• Implement enhanced monitoring for Windows SmartScreen bypass attempts, including suspicious shortcut file execution and unusual security prompt suppression.
• Review email security filtering to detect malicious Office documents, HTML attachments, and LNK files before delivery to endpoints.
• Deploy endpoint detection and response monitoring for privilege escalation attempts, including Desktop Window Manager exploitation and Remote Desktop Services abuse.
• Conduct threat hunting to search for indicators of zero-day compromise, including unauthorized SYSTEM-level process creation, unusual service configuration modifications, and Remote Access Connection Manager crashes.
• Implement application whitelisting to prevent execution of untrusted shortcut files and block suspicious Office document macros.
• Review security logging to ensure visibility into security feature bypass attempts, privilege changes, and VPN connection disruptions.
• Establish incident response procedures addressing coordinated zero-day exploitation scenarios with clear escalation protocols.
• Deploy security information and event management (SIEM) correlation rules to detect multi-stage attacks combining security bypasses with privilege escalation.
• Implement network segmentation to limit the impact of compromised systems, even after successful privilege escalation to SYSTEM level.
• Review virtual private network configurations to ensure monitoring for unusual connection patterns and denial-of-service attempts.
• Conduct vulnerability scanning to identify unpatched Windows systems requiring emergency updates.
• Deploy enhanced email security awareness training emphasizing the risks of opening Office documents and clicking links from untrusted sources.
• Review backup and recovery procedures to ensure rapid system restoration following exploitation.
• Implement multi-factor authentication for all administrative access to reduce the impact of stolen credentials following system compromise.

2. Chrome Zero-Day CVE-2026-2441 Under Active Exploitation – Use-After-Free in CSS Engine

Google released an emergency Chrome security update on February 13, 2026, addressing an actively exploited zero-day vulnerability, CVE-2026-2441 (CVSS 8.8). The flaw is a use-after-free condition in the browser’s CSS engine that enables remote attackers to execute arbitrary code through crafted HTML pages. It affects versions prior to 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.

Security researcher Shaheen Fazim discovered and reported the vulnerability on February 11. Google acknowledged that “an exploit for CVE-2026-2441 exists in the wild,” but withheld details about exploitation methods, targeting campaigns, or affected users to prevent additional threat actors from adopting the exploit before patches were widely deployed.

The use-after-free vulnerability occurs when the browser continues referencing a memory location after it has been freed. Improper handling of crafted web content can lead to heap corruption, enabling attackers to achieve code execution within Chrome’s sandbox and potentially escape the browser’s security boundaries.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-2441 to its Known Exploited Vulnerabilities catalog on February 24, setting a federal remediation deadline of March 10, 2026. The vulnerability impacts multiple Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, requiring coordinated patching across the broader browser ecosystem.

Exploitation typically involves watering hole attacks, malicious advertisements, or compromised websites hosting exploit code that triggers when users simply visit infected pages. No additional interaction beyond normal web browsing is required for successful compromise.

Browser-based zero-days remain an attractive target for sophisticated threat actors due to Chrome’s installation base of more than three billion users, its widespread deployment across enterprise and consumer environments, and the extensive attack surface exposed through web content rendering, making exploitation highly scalable for mass compromise campaigns.

This disclosure marks the first actively exploited Chrome zero-day patched in 2026, following eight zero-day vulnerabilities addressed in 2025. The trend demonstrates continued threat actor investment in browser exploitation chains, particularly those targeting memory corruption vulnerabilities in rendering engines.

Impact: Critical – Chrome CSS engine use-after-free zero-day enabling remote code execution through web content, actively exploited affecting 3+ billion users globally across Chrome and Chromium-based browsers with potential for mass compromise campaigns.

Action Steps:

• Update Google Chrome immediately to version 145.0.7632.75/76 for Windows/macOS or 144.0.7559.75 for Linux through the automatic update mechanism or manual installation.
• Update Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi to the latest versions addressing the underlying CVE-2026-2441 vulnerability.
• Implement browser management policies enforcing automatic security updates with verification of deployment across organizational endpoints.
• Deploy web filtering solutions blocking access to known malicious domains and suspicious websites potentially hosting exploit code.
• Implement endpoint detection and response monitoring for browser exploitation attempts, including unusual memory access patterns and sandbox escape indicators.
• Review browser security settings enabling additional protections, including Site Isolation, Enhanced Safe Browsing, and strict site isolation policies.
• Conduct security awareness training educating users about the risks of visiting untrusted websites and clicking suspicious links.
• Deploy network monitoring to detect unusual browser network activity patterns consistent with exploitation or command-and-control communications.
• Implement application sandboxing and virtualization to isolate browser processes from critical system resources.
• Review cloud-based services utilizing headless Chrome for PDF generation or web previews to ensure updated versions are deployed.
• Establish incident response procedures addressing browser-based exploitation scenarios with defined forensic data collection protocols.
• Deploy threat intelligence integration to monitor for indicators of Chrome exploitation campaigns and targeting patterns.
• Implement privileged access management ensuring browsers never run with elevated system permissions.
• Review browser extension policies restricting installation of untrusted add-ons that could expand the attack surface.
• Conduct vulnerability scanning across the enterprise to identify systems running outdated browser versions requiring emergency updates.

3. CISA Emergency Directive 26-03 – Cisco SD-WAN Critical Infrastructure Under Attack

Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03 on February 25, 2026, mandating immediate action on Cisco Catalyst SD-WAN Controller and Manager vulnerabilities CVE-2026-20127 and CVE-2026-20128. The flaws—an authentication bypass and a path traversal vulnerability—affect approximately 18,000 federal devices, with evidence of sophisticated exploitation campaigns targeting critical infrastructure.

CVE-2026-20127 is a maximum severity authentication bypass vulnerability that enables unauthenticated remote attackers to log into Cisco Catalyst SD-WAN Controller as an internal high-privileged non-root user account. Attackers can then access the NETCONF protocol to manipulate network configurations across the entire SD-WAN fabric, impacting routing, security policies, and traffic flows.

CVE-2026-20128 is a path traversal vulnerability in the Cisco SD-WAN CLI that allows authenticated local attackers to gain elevated privileges through improper access controls on CLI commands. Exploitation enables arbitrary command execution as the root user, granting complete administrative control over affected network infrastructure devices.

The Emergency Directive represents a rare federal mandate issued only for vulnerabilities posing unacceptable risk to the federal civilian enterprise and confirmed to be exploited in the wild. Agencies are required to immediately assess exposure in accordance with CISA’s Hunt and Hardening Guidance, which outlines detection procedures and configuration hardening measures.

Federal agencies must check for signs of potential compromise on all internet-accessible BeyondTrust and Cisco SD-WAN products affected by active exploitation, conduct forensic analysis to identify unauthorized access indicators, and implement vendor-provided mitigations. If remediation is unavailable, agencies are directed to discontinue product use.

A compromise of Cisco SD-WAN infrastructure is particularly severe because successful exploitation enables attackers to redirect organizational traffic through attacker-controlled infrastructure, modify security policies to permit malicious activity, exfiltrate sensitive data traversing the network, and establish persistent access mechanisms that survive device reboots and software updates.

The targeting of SD-WAN infrastructure reflects a strategic shift by sophisticated threat actors toward compromising the network control plane, enabling broad visibility and manipulation capabilities across entire enterprise environments rather than focusing solely on individual endpoint compromises.

Impact: Critical – Federal Emergency Directive mandating immediate Cisco SD-WAN remediation with authentication bypass and privilege escalation vulnerabilities affecting 18,000+ federal devices, enabling complete network infrastructure compromise with traffic manipulation and persistent access capabilities.

Action Steps:

• Immediately assess all Cisco Catalyst SD-WAN Controller and Manager systems in accordance with Cybersecurity and Infrastructure Security Agency Emergency Directive 26-03 requirements.
• Deploy Cisco security updates addressing CVE-2026-20127 and CVE-2026-20128 across the entire SD-WAN infrastructure, prioritizing internet-facing systems.
• Implement CISA Hunt & Hardening Guidance by conducting forensic analysis for compromise indicators, including unauthorized NETCONF access, unusual configuration changes, and suspicious administrative account usage.
• Review SD-WAN logs for authentication anomalies, privilege escalation attempts, and unexpected network policy modifications.
• Isolate suspected compromised SD-WAN devices from production networks pending complete forensic investigation and remediation.
• Deploy enhanced monitoring for SD-WAN infrastructure, capturing all administrative actions, configuration changes, and NETCONF protocol interactions.
• Implement network segmentation to ensure SD-WAN management interfaces are never directly accessible from untrusted networks, requiring VPN access and multi-factor authentication.
• Review backup configurations for SD-WAN devices to ensure the ability to rapidly restore known-good settings following compromise.
• Conduct security assessments of the SD-WAN fabric to identify misconfigurations and excessive privilege assignments requiring remediation.
• Deploy intrusion detection systems to monitor SD-WAN traffic for malicious patterns, unauthorized traffic redirection, and data exfiltration attempts.
• Implement privileged access management for SD-WAN administrative credentials with session recording and anomaly detection.
• Review integration points between SD-WAN controllers and other network infrastructure to ensure proper authentication and authorization controls.
• Establish incident response procedures specifically addressing network infrastructure compromise, with clear communication and escalation protocols.
• Deploy threat intelligence monitoring for SD-WAN exploitation campaigns and associated threat actor tactics, techniques, and procedures.
• Conduct penetration testing to simulate SD-WAN compromise scenarios and validate detection and response capabilities.

4. BeyondTrust Remote Support CVE-2026-1731 – Critical OS Command Injection Exploited in Wild

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain a critical OS command injection vulnerability, CVE-2026-1731 (CVSS 9.9), that enables unauthenticated remote attackers to execute operating system commands in the context of a site user without requiring authentication or user interaction. Successful exploitation can lead to complete system compromise, including unauthorized access, data exfiltration, and service disruption.

The vulnerability allows threat actors to bypass all authentication mechanisms and directly execute arbitrary commands on the underlying systems running BeyondTrust’s remote access infrastructure. This provides immediate administrative-level access to platforms responsible for managing privileged access across entire enterprise environments.

Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 10, 2026. CISA also urged organizations to check for signs of potential compromise on all internet-accessible BeyondTrust products affected by the vulnerability, citing confirmed active exploitation.

BeyondTrust remote access products are widely deployed in enterprise environments to manage privileged administrative access, provide support technicians with controlled remote connectivity, and facilitate third-party vendor access to internal systems. As a result, compromise of these platforms is particularly impactful for enabling lateral movement and privilege escalation.

The command injection flaw is likely exploited through specially crafted HTTP requests sent to vulnerable BeyondTrust interfaces. Attackers leverage improper input validation to inject malicious commands that are executed by the underlying operating system within the security context of the application’s service account.

A successful BeyondTrust compromise can provide attackers with a trove of privileged credentials, session recordings, and audit logs documenting administrative activities, as well as established remote access channels into protected internal networks. This enables extensive reconnaissance and lateral movement operations.

Targeting privileged access management infrastructure reflects a strategic focus by sophisticated threat actors on identity and access control systems, where compromise provides multiplicative access to downstream systems administered through centralized management platforms.

Impact: Critical – BeyondTrust Remote Support/Privileged Remote Access OS command injection enabling unauthenticated remote code execution with CVSS 9.9 severity, threatening privileged access management infrastructure with potential for widespread enterprise compromise and credential theft.

Action Steps:

• Deploy BeyondTrust security updates immediately addressing CVE-2026-1731 across all Remote Support (RS) and Privileged Remote Access (PRA) installations.
• Conduct a comprehensive forensic investigation of BeyondTrust systems, checking for unauthorized command execution, suspicious process creation, and other indicators of compromise.
• Review BeyondTrust logs for unusual HTTP requests, unexpected authentication patterns, and command execution anomalies.
• Isolate internet-accessible BeyondTrust systems from public exposure until patches are verified and compromise assessments are completed.
• Implement enhanced monitoring for privileged access management infrastructure, capturing all administrative actions, remote sessions, and credential usage.
• Deploy network segmentation to ensure BeyondTrust systems are never directly accessible from the internet, requiring VPN access and multi-factor authentication.
• Review all privileged credentials managed through potentially compromised BeyondTrust systems, conducting password resets and certificate rotations as necessary.
• Conduct threat hunting exercises to search for lateral movement indicators and unauthorized privileged access following potential BeyondTrust compromise.
• Implement web application firewalls (WAFs) to protect BeyondTrust interfaces with rules designed to detect command injection patterns and malicious HTTP requests.
• Deploy session recording and behavioral analysis for all remote access activities to detect anomalous administrative behaviors.
• Review integration between BeyondTrust and downstream managed systems to ensure proper authentication controls and comprehensive audit logging.
• Establish incident response procedures specifically addressing privileged access infrastructure compromise, including clear credential rotation protocols.
• Implement data loss prevention (DLP) monitoring for sensitive data exfiltration from systems accessed through BeyondTrust remote access channels.
• Deploy threat intelligence integration to monitor for BeyondTrust exploitation campaigns and associated targeting patterns.
• Conduct security assessments of the privileged access management architecture to identify single points of failure and implement redundancy where required.

5. Conduent Data Breach – 8TB Stolen in One of Largest U.S. Breaches in History

Conduent, a major business process outsourcing provider, confirmed a massive data breach after ransomware actors claimed the theft of approximately 8TB of sensitive data. The incident is being described as one of the largest reported U.S. data breaches in recent years, triggering widespread notification efforts and renewed concerns about third-party risk management. The potential impact spans millions of individuals whose data is processed through government services, healthcare administration systems, and transportation toll collection operations.

Conduent delivers business process services to government agencies, healthcare organizations, and commercial enterprises. Its offerings include Medicaid enrollment, unemployment benefits administration, parking and tolling systems, and HR services. As a result, the company maintains vast repositories of personally identifiable information (PII), protected health information (PHI), and sensitive government records that may now be compromised.

The breach underscores the catastrophic impact of third-party service provider compromises, where a single vendor incident cascades across hundreds of client organizations. Conduent’s extensive government contracts raise concerns that citizen data from multiple states and federal programs managed through centralized BPO platforms could be exposed.

The ransomware actors’ claim of 8TB of stolen data suggests the exfiltration of massive databases, document repositories, and operational datasets accumulated across Conduent’s diverse service offerings. Potentially exposed information may include Social Security numbers, medical records, financial data, driver’s license details, and confidential government program documentation.

Initial assessments indicate breach-related costs have already exceeded $25 million. Ongoing expenses tied to customer notification, credit monitoring services, regulatory penalties, litigation defense, and operational recovery are expected to create cascading financial impacts that extend well beyond any initial ransomware demand.

The incident highlights systemic vulnerabilities in the business process outsourcing model, where cost optimization through service consolidation creates concentrated risk points. Threat actors increasingly recognize these high-value targets as gateways to multiple organizations, enabling broad downstream impact through the compromise of shared infrastructure platforms.

Impact: Critical – Conduent 8TB data breach representing one of largest U.S. incidents affecting millions through business process outsourcing compromising government services, healthcare administration, and sensitive citizen data with cascading third-party impact.

Action Steps:

• Conduent clients should immediately contact provider determining specific data exposure scope and affected individual populations.
• Implement enhanced fraud monitoring systems detecting identity theft, account takeover, and unauthorized benefit claims following data exposure.
• Deploy credit monitoring and identity protection services for all potentially affected individuals as required by breach notification regulations.
• Review business process outsourcing contracts ensuring clear data protection obligations, breach notification timelines, and liability provisions.
• Conduct vendor risk assessments evaluating all third-party service providers with access to sensitive data or critical systems.
• Implement data minimization policies limiting information sharing with BPO providers to operational necessity.
• Deploy enhanced monitoring for phishing campaigns leveraging stolen Conduent data targeting government benefits recipients.
• Review incident response procedures ensuring rapid third-party breach notification and coordinated response capabilities.
• Implement data loss prevention monitoring for unauthorized data transfers to business process outsourcing providers.
• Establish contractual requirements for vendor security controls, regular penetration testing, and independent security audits.
• Deploy threat intelligence monitoring for stolen Conduent data appearing on dark web or underground forums.
• Review cyber insurance coverage ensuring adequate protection for third-party data breaches and supply chain incidents.
• Conduct security awareness training educating employees about risks of credential sharing with external service providers.
• Implement network segmentation isolating vendor access to specific systems preventing lateral movement.
• Review authentication mechanisms for BPO provider access requiring multi-factor verification and privileged access management.

6. World Economic Forum Global Cybersecurity Outlook 2026 – AI Vulnerabilities Fastest-Growing Risk

World Economic Forum Global Cybersecurity Outlook 2026, based on data from 800 global leaders, reveals that 87% of organizations identify AI vulnerabilities as the fastest-growing cyber risk over 2025. Cyber-enabled fraud and phishing have replaced ransomware as the top concern for CEOs, while ransomware still affects 24% of organizations, reversing a multi-year decline.

CEO priorities have shifted from ransomware, which was the top concern in 2025, to cyber-enabled fraud and phishing taking the leading position, with AI vulnerabilities emerging as the second-highest priority. In contrast, CISOs maintain strong continuity with ransomware remaining their primary concern and supply chain disruption consistently holding the second place, demonstrating diverging executive perspectives on threat prioritization.

Geopolitics remains a defining factor influencing cyber risk mitigation in 2026. Survey respondents report that 77% observed an increase in cyber-enabled fraud and phishing, 65% noted growth in supply chain disruption, 58% saw escalation in exploitation of software vulnerabilities, 54% identified increases in ransomware attacks, and 32% reported elevation of insider threats.

The report emphasizes a widening “cyber equity” gap, creating uneven security capabilities across organizations and nations. Accelerating AI adoption, geopolitical fragmentation, and persistent sovereignty challenges are reshaping the global risk landscape, requiring comprehensive international cooperation.

The public sector faces particular vulnerability, with 53% of state and local government offices worldwide falling into the high-risk category for LockBit exploitation. This reflects uneven security practices, inconsistent control adoption, and resource constraints that limit defensive capabilities against sophisticated ransomware operations.

The analysis reveals that attacks are growing faster, becoming more complex, and distributing unevenly across sectors and regions. This creates pressure for organizations and governments to adapt amid rising capability gaps. The report assesses that organizations most at risk in 2026 will be those lacking visibility into identity and lateral movement rather than those lacking security tools.

Impact: High – Global cybersecurity analysis revealing AI vulnerabilities as fastest-growing risk (87% of organizations), cyber-enabled fraud surpassing ransomware as CEO priority, and persistent 24% ransomware impact rate demonstrating fundamental threat landscape transformation.

Action Steps:

• Conduct comprehensive AI security assessments evaluating machine learning model vulnerabilities, prompt injection risks, and data poisoning threats across organizational AI deployments.
• Implement AI-specific security controls including model input validation, output filtering, and behavioral monitoring detecting anomalous AI system activities.
• Deploy enhanced fraud detection systems addressing cyber-enabled fraud through behavioral analysis, transaction monitoring, and anomaly detection across financial operations.
• Review phishing defense strategies implementing advanced email security, user training, and technical controls detecting sophisticated social engineering campaigns.
• Establish AI governance frameworks addressing security, privacy, compliance, and ethical considerations for artificial intelligence deployments.
• Conduct supply chain security assessments evaluating third-party risks, vendor security controls, and dependency vulnerabilities requiring enhanced monitoring.
• Deploy identity-focused security programs implementing zero-trust architectures, privileged access management, and lateral movement detection capabilities.
• Review ransomware preparedness through backup validation, incident response exercises, and business continuity planning despite CEO priority shifts.
• Implement enhanced logging and monitoring providing visibility into identity usage, access patterns, and lateral movement indicators across infrastructure.
• Establish international cooperation frameworks participating in threat intelligence sharing, coordinated vulnerability disclosure, and joint cyber defense initiatives.
• Deploy security awareness training addressing evolving threat landscape including AI-powered attacks, sophisticated fraud schemes, and supply chain risks.
• Review geopolitical risk considerations evaluating cyber sovereignty requirements, data localization mandates, and nation-state threat implications.
• Conduct capability gap assessments identifying organizational security maturity gaps requiring investment prioritization.
• Implement security metrics and reporting providing executive leadership with actionable cyber risk insights aligned with business priorities.

7. Brightspeed Telecom Ransomware Attack – 1 Million+ Customer Records Compromised by Crimson Collective

Brightspeed, a United States-based telecommunications and internet service provider offering ultrafast broadband internet plans, became the victim of a ransomware attack claimed by the Crimson Collective threat group. The data breach compromised customer account and master records of more than one million residential users, including names, emails, phone numbers, and service addresses, creating significant identity theft and fraud risks.

The breach demonstrates the continuing targeting of the telecommunications sector by ransomware groups seeking high-value consumer databases. Internet Service Providers maintain extensive customer information, including billing details, usage patterns, physical addresses, and contact information, providing comprehensive profiles attractive for fraud operations and social engineering campaigns.

Telecom sector breaches are particularly concerning because customer data enables sophisticated vishing (voice phishing) attacks, where threat actors impersonate legitimate service providers armed with authentic customer details, convincing victims to divulge additional sensitive information or authorize fraudulent service changes.

Crimson Collective represents an emerging or rebranded ransomware operation targeting critical infrastructure and essential services, where operational disruption, regulatory obligations, and customer notification requirements create maximum pressure for ransom payment or rapid incident resolution.

The attack follows a broader pattern of ransomware groups pivoting toward data exfiltration and extortion rather than relying solely on encryption. Stolen customer databases are monetized through underground sales, direct extortion threats, or enabling downstream fraud operations, even when organizations refuse ransom demands.

U.S. Federal Communications Commission cited a fourfold increase in ransomware attacks against telecommunications businesses since 2021, with a January 29, 2026 alert warning that communications networks remain vulnerable to cyber exploits, posing significant risks to national security, public safety, and business operations, particularly among small-to-medium-sized providers.

Impact: High – Major U.S. telecommunications provider ransomware attack compromising 1+ million customer records with personal information enabling identity theft, sophisticated phishing campaigns, and fraud schemes affecting residential internet users nationwide.

Action Steps:

• Brightspeed customers should monitor for phishing attempts using stolen personal information and verify all communications through official company channels only.
• Implement enhanced email and phone security filtering expecting increased vishing campaigns leveraging stolen telecom customer data.
• Deploy fraud detection systems monitoring for unauthorized service changes, account takeovers, and identity theft targeting telecommunications customers.
• Review telecommunications vendor security through assessments evaluating cybersecurity controls, incident response capabilities, and data protection measures.
• Conduct security awareness training for telecom sector employees emphasizing ransomware recognition, data protection requirements, and incident reporting procedures.
• Implement data minimization policies limiting customer information retention to regulatory and operational requirements.
• Deploy enhanced monitoring for telecom infrastructure detecting ransomware indicators including unusual data access, bulk exports, and encryption activities.
• Review backup and recovery procedures ensuring rapid restoration of customer service systems, billing platforms, and operational databases.
• Establish incident response procedures specifically addressing telecommunications sector compromise with clear customer notification protocols.
• Deploy network segmentation isolating customer databases from general corporate networks and operational technology systems.
• Implement data loss prevention monitoring unauthorized customer data exports or suspicious database access patterns.
• Review cyber insurance coverage ensuring protection for telecommunications-specific incidents including regulatory penalties and customer notification costs.
• Conduct vulnerability scanning across telecom infrastructure identifying security gaps requiring remediation before exploitation.
• Deploy endpoint detection and response monitoring for ransomware execution indicators across telecom operations.
• Establish threat intelligence programs monitoring for stolen telecom customer data appearing on dark web or underground forums.

8. Nike, National Water Authority Peru, and Belgian Hospital AZ Monica – Ransomware Continues Critical Infrastructure Targeting

Nike, National Water Authority of Peru regulating sustainable water resource management, and AZ Monica all confirmed ransomware attacks in February 2026, demonstrating continued targeting of diverse sectors including retail, critical infrastructure, and healthcare, with operational disruption and sensitive data theft.

The National Water Authority of Peru suffered an attack by the Black Shrantac ransomware group, compromising 2TB of sensitive information including water resource management data, hydrometeorological information, technical documents, permits, and project-related information. The breach affects risk management during floods, droughts, and other water-related emergencies, threatening public safety and disaster response capabilities.

Belgian hospital AZ Monica was hit by a ransomware attack, forcing a proactive shutdown of IT servers. This disrupted access to electronic health records, medical systems, and patient care coordination, requiring staff to revert to manual processes, delaying treatments and potentially impacting patient outcomes.

The coordinated targeting of water infrastructure, healthcare systems, and major retail brands demonstrates ransomware operators’ expanding scope beyond traditional targets. Threat actors recognize that critical infrastructure and essential services face maximum pressure to pay ransoms due to public safety implications, regulatory obligations, and operational dependencies.

Water infrastructure compromise is particularly concerning because disruption to water treatment, distribution monitoring, or flood control systems could result in public health crises, environmental disasters, or life-threatening emergency management failures, requiring immediate restoration regardless of cost.

Healthcare ransomware attacks continue to have a devastating impact, forcing procedure cancellations, clinic closures, ambulance diversions, and degraded patient care quality. Inaccessibility of electronic health records creates risks of medication errors, diagnostic delays, and potentially fatal treatment disruptions.

Impact: High – Coordinated ransomware targeting of critical water infrastructure (Peru), healthcare systems (Belgium), and major retail brands (Nike) demonstrating expanding threat actor scope with operational disruption, public safety risks, and sensitive data compromise.

Action Steps: Implement comprehensive backup and recovery procedures for critical infrastructure operations ensuring rapid restoration capabilities following ransomware incidents. Deploy operational technology security controls segmenting industrial control systems, SCADA networks, and critical infrastructure from general IT environments. Conduct business continuity planning including manual operation procedures, paper-based workflows, and backup systems enabling essential services continuation during cyber incidents. Review healthcare-specific security requirements implementing enhanced protections for electronic health records, medical devices, and patient care systems. Deploy enhanced monitoring for critical infrastructure detecting ransomware indicators including unusual data access, system encryption attempts, and operational disruptions. Establish incident response procedures specifically addressing public safety implications of critical infrastructure compromise with clear escalation protocols. Implement data loss prevention monitoring for sensitive operational data including water management systems, patient records, and proprietary business information. Review retail sector security requirements protecting customer databases, payment processing systems, and supply chain operations from ransomware. Deploy endpoint detection and response across operational technology environments monitoring for ransomware execution attempts. Conduct tabletop exercises simulating critical infrastructure ransomware scenarios testing organizational response, manual operation procedures, and stakeholder communication. Implement network segmentation ensuring ransomware cannot spread from compromised IT systems to operational technology controlling physical processes. Review cyber insurance coverage ensuring adequate protection for critical infrastructure incidents, operational disruption, and public safety impacts. Establish communication protocols with regulatory agencies, public safety authorities, and affected populations during critical infrastructure cyber incidents. Deploy threat intelligence monitoring for ransomware groups targeting specific sectors including water utilities, healthcare providers, and retail operations.

9. Claude Code, Outlook Add-Ins, and AI Agent Security – Emerging Threats in Development Tools

Check Point Research disclosed critical vulnerabilities in Anthropic’s Claude Code AI-powered development tool enabling arbitrary code execution through untrusted project hooks, environment variables, and Model Context Protocol (MCP) servers when developers clone and open malicious repositories, with exploitation enabling API key theft and unauthorized command execution. First malicious Outlook add-in discovered stealing 4,000+ Microsoft credentials demonstrates expanding threat surface through office productivity tool extensions, with attackers distributing malicious add-ins appearing legitimate while harvesting authentication tokens, email content, and sensitive business communications. Google reported state-backed hackers using Gemini AI for reconnaissance and attack support, while ClawdBot and OpenClaw research reveals local AI agents becoming data exfiltration goldmine when attackers steal configuration files and gateway tokens enabling unauthorized access to organizational AI infrastructure. The convergabilities demonstrate fundamental shift in threat landscape where AI development tools, productivity extensions, and autonomous agents create new attack vectors beyond traditional software vulnerabilities, with sophisticated threat actors recognizing that compromising development environments provides access to source code, intellectual property, and production credentials. Claude Code vulnerabilities particularly dangerous because developer tools execute with elevated privileges and maintain long-term access to codebases, with malicious project hooks automatically executing during routine development activities without additional security prompts or user verification. Outlook add-in compromise enables persistent email monitoring, credential harvesting, and business email compromise operations, with attackers leveraging legitimate extension marketplace distribution channels to achieve widespread deployment before detection and removal.

Impact: Medium – AI development tool and productivity extension vulnerabilities enabling code execution, credential theft, and data exfiltration through Claude Code, malicious Outlook add-ins, and compromised AI agent configurations threatening software development and business productivity environments.

Action Steps:

• Update Claude Code to version 1.0.87+ addressing code injection vulnerabilities in project hook handling and MCP server integrations.
• Implement development environment security policies restricting execution of untrusted project hooks and requiring explicit consent for code execution.
• Deploy enhanced monitoring for developer tool activities detecting suspicious command execution, API key access, and unauthorized network connections.
• Review Outlook add-in installations, removing unnecessary extensions and validating legitimacy of productivity tools before deployment.
• Implement least-privilege principles for development environments ensuring tools cannot access production credentials or sensitive organizational data.
• Conduct security awareness training for developers emphasizing risks of cloning untrusted repositories and enabling unverified extensions.
• Deploy endpoint detection and response monitoring on developer workstations for malicious activity, including credential harvesting and data exfiltration.
• Review AI agent configurations ensuring proper access controls, credential management, and audit logging for autonomous tool usage.
• Implement code review procedures including security analysis of development tool configurations, project settings files, and extension integrations.
• Establish incident response procedures addressing compromised development environments with source code protection and credential rotation protocols.
• Deploy data loss prevention monitoring for unauthorized transfers of source code, intellectual property, and development credentials.
• Review marketplace policies for productivity extensions requiring security verification before organizational deployment.
• Implement network segmentation isolating development environments from production systems to prevent lateral movement.
• Deploy threat intelligence monitoring for malicious development tools, compromised AI agents, and credential harvesting campaigns targeting developers.

10. February 2026 CISA KEV Additions – Multiple Critical Vulnerabilities Demand Immediate Action

Cybersecurity and Infrastructure Security Agency added multiple vulnerabilities to its Known Exploited Vulnerabilities catalog throughout February 2026, with federal remediation deadlines between March 10–13, 2026. This demonstrates continued rapid vulnerability exploitation by sophisticated threat actors across diverse attack surfaces.

CVE-2026-2441 (Chrome CSS use-after-free, CVSS 8.8) enables remote code execution through crafted HTML, requiring immediate browser updates. CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload, CVSS 7.2) allows malicious file uploads achieving arbitrary system command execution on security infrastructure.

CVE-2020-7796 (Synacor Zimbra Collaboration Suite SSRF, CVSS 9.8) enables attackers to send crafted HTTP requests obtaining unauthorized access to sensitive information, with GreyNoise reporting 400 IP addresses actively exploiting the vulnerability. CVE-2008-0015 (Microsoft Windows Video ActiveX Control stack buffer overflow, CVSS 8.8) represents an 18-year-old vulnerability still exploited, enabling remote code execution through specially crafted web pages.

CVE-2026-25108 (FileZen OS command injection, CVSS 8.7) allows authenticated users to execute arbitrary commands via specially crafted HTTP requests. CVE-2025-68461 (RoundCube Webmail XSS via SVG animate tag) and CVE-2025-49113 (RoundCube Webmail deserialization enabling RCE) demonstrate targeting of mail infrastructure. CVE-2025-40536 (SolarWinds Web Help Desk security control bypass) and CVE-2026-22769 (Dell RecoverPoint hardcoded credentials) expose enterprise management tools.

The diversity of KEV additions—spanning browsers, email systems, anti-ransomware tools, collaboration platforms, and management software—demonstrates that threat actors maintain exploit development capabilities across the entire technology stack. Particular focus is given to internet-facing applications, legacy vulnerabilities receiving renewed attention, and security infrastructure tools ironically becoming attack vectors through their own vulnerabilities.

Impact: Critical – Multiple actively exploited vulnerabilities added to CISA KEV spanning browsers, email systems, security tools, and enterprise management requiring comprehensive remediation by March 10-13 federal deadlines.

Action Steps:

• Review complete CISA Known Exploited Vulnerabilities catalog identifying all vulnerabilities affecting organizational technology stack.
• Deploy Chrome updates addressing CVE-2026-2441 across all systems and Chromium-based browsers.
• Review TeamT5 ThreatSonar Anti-Ransomware deployments ensuring migration away from vulnerable versions as vendor recommends.
• Update Zimbra Collaboration Suite addressing CVE-2020-7796 SSRF vulnerability or implement compensating controls blocking malicious requests.
• Deploy Microsoft security updates addressing legacy CVE-2008-0015 ActiveX vulnerability despite 18-year age, demonstrating ongoing exploitation.
• Update FileZen installations addressing CVE-2026-25108 command injection or restrict access to authenticated users only.
• Deploy RoundCube Webmail security updates addressing CVE-2025-68461 XSS and CVE-2025-49113 deserialization vulnerabilities.
• Update SolarWinds Web Help Desk addressing CVE-2025-40536 security control bypass enabling unauthorized functionality access.
• Review Dell RecoverPoint for Virtual Machines addressing CVE-2026-22769 hardcoded credentials vulnerability.
• Implement emergency patch management procedures treating KEV additions as critical incidents requiring immediate response regardless of normal maintenance windows.
• Conduct vulnerability scanning identifying affected systems requiring patches across diverse product portfolio.
• Establish continuous monitoring for CISA KEV catalog updates enabling rapid response to newly disclosed actively exploited vulnerabilities.
• Deploy virtual patching through web application firewalls and intrusion prevention systems as temporary mitigation while testing permanent fixes.
• Review legacy system inventory identifying aged vulnerabilities like CVE-2008-0015 still present in environment requiring remediation.
• Implement defense-in-depth strategies recognizing attackers exploit vulnerabilities across multiple product categories simultaneously in coordinated campaigns.

---

Key Takeaways for IT Leaders

This week’s developments highlight several critical trends:

• Unprecedented Microsoft zero-day wave with six simultaneously exploited vulnerabilities affecting Windows Shell, MSHTML, Word, Desktop Window Manager, Remote Desktop Services, and VPN infrastructure discovered by Google TAG, MSTIC, MSRC, CrowdStrike, and Acros Security indicating coordinated sophisticated attack campaigns requiring emergency patching by March 10 CISA deadline
• Browser engine attacks continue with Chrome CVE-2026-2441 CSS use-after-free zero-day actively exploited enabling remote code execution affecting 3+ billion users across Chrome and Chromium-based browsers demonstrating persistent threat actor investment in memory corruption vulnerabilities for mass compromise campaigns
• Critical infrastructure targeting escalates through CISA Emergency Directive 26-03 mandating Cisco SD-WAN remediation, BeyondTrust privileged access compromise, and ransomware attacks on water infrastructure, healthcare systems, and telecommunications providers demonstrating expanded threat actor scope beyond traditional targets
• Third-party risk materializes through Conduent 8TB data breach representing one of largest U.S. incidents cascading across government services, healthcare administration, and transportation systems, while World Economic Forum reports 87% identify AI vulnerabilities as fastest-growing cyber risk with widening capability gaps
• Development tool compromise emerges through Claude Code, malicious Outlook add-ins, and AI agent vulnerabilities demonstrating fundamental shift in attack surface where productivity tools, development environments, and autonomous agents create new exploitation vectors beyond traditional software vulnerabilities

Organizations must immediately deploy Microsoft February Patch Tuesday updates by March 10 addressing six actively exploited zero-days, update Chrome and Chromium browsers, comply with CISA Emergency Directive 26-03 on Cisco SD-WAN systems, patch BeyondTrust Remote Support installations, and establish emergency response capabilities treating multiple simultaneous zero-day exploitations as critical security events. The convergence of security feature bypass mechanisms, browser memory corruption, network infrastructure authentication bypass, privileged access system compromise, and massive third-party data breaches demands comprehensive security transformation including accelerated emergency patch management moving from weeks to hours, enhanced endpoint detection monitoring for exploitation attempts, network segmentation isolating critical infrastructure, zero-trust architectures eliminating implicit trust, and third-party risk management programs addressing supply chain vulnerabilities before exploitation occurs.

Stay informed on the latest cybersecurity developments by following ITBriefcase.net for daily updates and in-depth analysis.