Vulnerability Review – February 2026
This blog is a recap of the most critical vulnerabilities disclosed between 01 February and 28 February 2026 that most likely impact software utilized by managed service providers (MSPs).
While not all MSPs use the software discussed in this blog, the software has been labeled as priority software by Blackpoint’s APG due to the overall number of MSPs/organizations that utilize it.
Key Findings
- There were more than 4,600 vulnerabilities disclosed between 01 February and 28 February 2026, with more than 50% being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- Several of these have been actively exploited, and 28 were added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
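The KEV count above is the kind of figure an MSP should reproduce for its own stack each month rather than take from a summary. The following is an added example, not Blackpoint's tooling: it filters the CISA KEV feed (published as JSON, with one object per entry carrying cveID, vendorProject, product, dateAdded and knownRansomwareCampaignUse) to a review window and tags each entry with one of this page's prioritized categories. The embedded sample is constructed from the CVEs and KEV dates discussed on this page so the script runs offline; the product strings and the "Unknown" ransomware flags are placeholders, not values copied from the live feed, and the keyword-to-category map is an assumption you would replace with your own product inventory.

```python
"""Triage CISA KEV additions for a review window against a priority-product list.

Added example, not Blackpoint's code. The live catalog is at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the same field names as the constructed sample below.
"""
import json
from datetime import date

# Substring of the KEV "product" field -> prioritized category from this page's glossary.
# Assumed mapping for illustration; build yours from the products your RMM actually manages.
PRIORITY_PRODUCTS = {
    "endpoint manager mobile": "IT Management & Operations",
    "remote support": "Remote Access & Identity",
    "windows": "IT Management & Operations",
    "chromium": "Productivity, Communication, & Knowledge",
    "sd-wan": "Network & Infrastructure",
}

# Constructed sample in the KEV feed's shape; product names and ransomware flags are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dateAdded": "2026-01-29",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support", "dateAdded": "2026-02-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2026-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-2441", "vendorProject": "Google",
         "product": "Chromium", "dateAdded": "2026-02-17",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN", "dateAdded": "2026-02-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def categorize(entry):
    """Map a KEV entry to a prioritized category, or 'Unprioritized' if no keyword matches."""
    product = entry.get("product", "").lower()
    for keyword, category in PRIORITY_PRODUCTS.items():
        if keyword in product:
            return category
    return "Unprioritized"


def triage(kev_json, start, end):
    """Return entries whose dateAdded falls in [start, end] (ISO date strings), annotated
    with category; entries with known ransomware use sort first, then oldest additions."""
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    selected = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        if start_d <= added <= end_d:
            selected.append({
                "cveID": entry["cveID"],
                "vendor": entry["vendorProject"],
                "product": entry["product"],
                "dateAdded": entry["dateAdded"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "category": categorize(entry),
            })
    selected.sort(key=lambda e: (not e["ransomware"], e["dateAdded"], e["cveID"]))
    return selected


def count_by_category(selected):
    """Count triaged entries per prioritized category."""
    counts = {}
    for e in selected:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return counts


if __name__ == "__main__":
    window = triage(SAMPLE_KEV_JSON, "2026-02-01", "2026-02-28")
    for e in window:
        flag = "RANSOMWARE" if e["ransomware"] else ""
        print(f'{e["dateAdded"]}  {e["cveID"]:<16} {e["vendor"]:<12} {e["category"]:<42} {flag}')
    print(count_by_category(window))
```

To run this against the real feed, replace SAMPLE_KEV_JSON with the downloaded file's contents; the January Ivanti entry is deliberately included to show that the window filter excludes it from a February review.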
Prioritized Software Categories – February 2026
The Blackpoint APG tracks prioritized software across six categories; in February 2026, we delivered notices spanning four of them. These categories cover tools that are widely used and critical to daily operations, so security issues in them have a higher chance of causing devastating impacts if successfully exploited. The category definitions can be found in the Glossary.
Vulnerability Review – February 2026
Ivanti EPMM – CVE-2026-1281 and CVE-2026-1340
- Prioritized Category: IT Management & Operations
- Impacted Software: Ivanti Endpoint Manager Mobile
- Type: Code Injection
- CVSS: Each vulnerability has a score of 9.8 – Critical
- CISA KEV Catalog: Yes – added 2026-01-29
These code injection vulnerabilities can lead to remote code execution (RCE) and have seen limited exploitation in the wild. They do not impact the cloud versions of the software or any other Ivanti products.[1]
Successful exploitation would allow a threat actor to execute commands on the impacted server and, with roughly even odds, take full control of the system. With that level of access, attackers could deploy malware, manipulate device configurations, or map out and pivot to other connected systems managed by the server.
Vulnerabilities impacting Ivanti EPMM are an attractive target for threat actors; in 2025, the U.S. CISA released a report detailing malware deployed in attacks exploiting two other vulnerabilities in this product (CVE-2025-4427 and CVE-2025-4428).
BeyondTrust – CVE-2026-1731
- Prioritized Category: Remote Access and Identity
- Impacted Software: BeyondTrust Remote Support (formerly Bomgar)
- Type: Operating System Command Injection
- CVSS: 9.9 – Critical
- CISA KEV Catalog: Yes – added 2026-02-13
This critical vulnerability, which has been exploited in the wild, can result in remote code execution by an unauthenticated attacker. There are several third-party reports of exploitation, including by ransomware operators. The Blackpoint SOC has observed this vulnerability being exploited to gain initial access into an environment.[2]
Successful exploitation could allow threat actors to establish persistence, deploy malware, steal credentials, and more. Blackpoint’s SOC thwarted threat actors’ attempts to conduct discovery activity, which included enumerating domain accounts, running tasks, user information, and hostnames. The threat actors also attempted to create new accounts and deploy an additional remote access tool, SimpleHelp.
Based on additional behavior observed, this incident was very likely indicative of pre-ransomware activity. Blackpoint’s SOC isolated the entire subnet to prevent further malicious activity and cut off the threat actors’ access, giving the partner time to conduct remediation.
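The sequence described above (a burst of discovery commands, then account creation, then a second remote-access tool) is detectable from process-creation telemetry regardless of which CVE provided the foothold. The following is an added example and not Blackpoint's detection logic: it runs over minimal Sysmon Event ID 1 / Security 4688-style records (timestamp, host, user, command line) and raises one finding per host where several distinct discovery techniques occur within a short window, escalating the stage when an account creation or a SimpleHelp install appears in the same window. All records are constructed; hostnames, user names, timestamps and the installer path are invented, and the regex patterns are an assumed starting point rather than a tuned rule.

```python
"""Flag discovery bursts that escalate to account creation and remote-tool deployment.

Added example, not Blackpoint's detection logic. Input records are constructed
process-creation events (Sysmon EID 1 / Security 4688 style) with invented values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands of the kind described in the incident; "net user" counts only without /add.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bnet1?\s+user\b(?!.*\s/add\b)", re.I), "account enumeration"),
    (re.compile(r"\bnet1?\s+group\b", re.I), "group enumeration"),
    (re.compile(r"\btasklist\b", re.I), "running task enumeration"),
    (re.compile(r"\bwhoami\b", re.I), "user context"),
    (re.compile(r"\bhostname\b", re.I), "hostname"),
    (re.compile(r"\bsysteminfo\b", re.I), "system information"),
]
ACCOUNT_CREATION = re.compile(
    r"\bnet1?\s+user\s+\S+(?:\s+\S+)?\s+/add\b|\bNew-(?:Local|AD)User\b", re.I)
# Product-name match only; add service and path names from your own baseline of the tool.
REMOTE_TOOL = re.compile(r"simplehelp", re.I)

# Constructed sample telemetry: one compromised workstation and one benign helpdesk host.
SAMPLE_EVENTS = [
    {"ts": "2026-02-14T03:12:05", "host": "WS-FIN-07", "user": "CORP\\j.doe", "cmd": "whoami /all"},
    {"ts": "2026-02-14T03:12:09", "host": "WS-FIN-07", "user": "CORP\\j.doe", "cmd": "hostname"},
    {"ts": "2026-02-14T03:12:31", "host": "WS-FIN-07", "user": "CORP\\j.doe", "cmd": "net user /domain"},
    {"ts": "2026-02-14T03:12:44", "host": "WS-FIN-07", "user": "CORP\\j.doe", "cmd": "tasklist /v"},
    {"ts": "2026-02-14T03:15:02", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "cmd": "net user svc_backup Passw0rd1 /add"},
    {"ts": "2026-02-14T03:19:40", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "cmd": "C:\\Windows\\Temp\\SimpleHelp-Remote-Access.exe /S"},
    # A technician running two isolated diagnostics 38 minutes apart must not alert.
    {"ts": "2026-02-14T09:02:10", "host": "WS-HR-02", "user": "CORP\\helpdesk", "cmd": "hostname"},
    {"ts": "2026-02-14T09:40:00", "host": "WS-HR-02", "user": "CORP\\helpdesk", "cmd": "whoami"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyze(events, window_minutes=15, min_discovery=3):
    """Return at most one finding per host: the first window of window_minutes containing
    at least min_discovery distinct discovery techniques, with the stage escalated when an
    account creation and/or a remote-access tool deployment fall inside the same window."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = []
    for host, host_events in by_host.items():
        host_events.sort(key=_ts)
        for i, first in enumerate(host_events):
            limit = _ts(first) + timedelta(minutes=window_minutes)
            window = [e for e in host_events[i:] if _ts(e) <= limit]
            techniques = {label for e in window
                          for rx, label in DISCOVERY_PATTERNS if rx.search(e["cmd"])}
            if len(techniques) < min_discovery:
                continue
            account = any(ACCOUNT_CREATION.search(e["cmd"]) for e in window)
            tool = any(REMOTE_TOOL.search(e["cmd"]) for e in window)
            if account and tool:
                stage = "pre-ransomware indicators"
            elif account or tool:
                stage = "discovery with persistence attempt"
            else:
                stage = "discovery burst"
            findings.append({
                "host": host,
                "user": first["user"],
                "window_start": first["ts"],
                "techniques": sorted(techniques),
                "account_creation": account,
                "remote_tool": tool,
                "stage": stage,
            })
            break  # one finding per host is enough to drive containment
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']} ({f['user']}) from {f['window_start']}: {f['stage']}; "
              f"techniques: {', '.join(f['techniques'])}")
```

The distinct-technique threshold is what keeps a single `hostname` or `whoami` from a technician quiet while still catching the four-command burst; the stage field is the handle for response automation, where "pre-ransomware indicators" would justify the subnet isolation described above rather than a ticket.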
Fortinet – CVE-2026-21643
- Prioritized Category: IT Management & Operations
- Impacted Software: FortiClient EMS
- Type: SQL Injection
- CVSS: 9.1 – Critical
- CISA KEV Catalog: No
An SQL injection vulnerability enables an unauthenticated attacker to execute arbitrary code via maliciously crafted HTTP requests. Per Fortinet, the vulnerability has been exploited by malicious actors, resulting in administrative account creation, VPN configuration alteration, and firewall configuration exfiltration on target hosts.[3]
Threat actors could gain administrative control and manipulate backend database queries by exploiting this vulnerability. Threat actors could abuse this level of access to alter security configurations to evade detection, create privileged accounts, and intercept or manipulate VPN connections throughout the environment.
Fortinet devices are consistently abused in campaigns by financially motivated threat actors, and vulnerable FortiClient EMS instances are likely a prime target.
Windows – Numerous Publicly Exploited Vulnerabilities
- CVE Number: CVE-2026-21510
- Prioritized Category: IT Management & Operations
- Impacted Software: Windows Shell
- Type: Protection Mechanism Failure
- CVSS: 8.8 – High
- CISA KEV Catalog: Yes – added 2026-02-10
This is a security feature bypass vulnerability that requires user interaction to exploit; a successful exploit lets an unauthorized attacker bypass security mechanisms.[4] Exploitation allows threat actors to bypass Windows protections designed to block malicious activity, which they could then leverage to deploy malware, elevate privileges, or move laterally.
- CVE Number: CVE-2026-21513
- Prioritized Category: IT Management & Operations
- Impacted Software: MSHTML Framework
- Type: Protection Mechanism Failure
- CVSS: 8.8 – High
- CISA KEV Catalog: Yes – added 2026-02-10
A remote attacker can bypass a security feature due to a protection mechanism failure in Microsoft’s MSHTML Framework. Public reporting suggests APT28 exploited this vulnerability prior to public disclosure.[5] Security bypass vulnerabilities allow attackers to evade protections that normally block malicious web content, enabling them to chain additional exploits or deliver malware via compromised websites or phishing links.
- CVE Number: CVE-2026-21514
- Prioritized Category: Productivity, Communication, & Knowledge
- Impacted Software: Microsoft Word
- Type: Reliance on Untrusted Inputs
- CVSS: 7.8 – High
- CISA KEV Catalog: Yes – added 2026-02-10
Due to a reliance on untrusted inputs in Microsoft Word, an unauthorized attacker can bypass security features locally.[6] An attacker could craft a malicious document that, when opened, bypasses security protections and allows the attacker to deploy malicious payloads. This type of vulnerability is frequently abused in phishing campaigns to gain initial access, and social engineering remains a top initial access vector in 2026.
- CVE Number: CVE-2026-21525
- Prioritized Category: IT Management & Operations
- Impacted Software: Windows Remote Access Manager
- Type: Null Pointer Dereference
- CVSS: 6.2 – Medium
- CISA KEV Catalog: Yes – added 2026-02-10
An unauthorized attacker is able to deny service locally due to a null pointer dereference vulnerability in Windows Remote Access Manager.[8] While denial-of-service vulnerabilities are often not considered as severe, attackers could disrupt administrative functions, which could impact remote services and hinder response during an incident. Disruption of services and downtime lead directly to operational losses.
- CVE Number: CVE-2026-21533
- Prioritized Category: Remote Access & Identity
- Impacted Software: Windows Remote Desktop
- Type: Improper Privilege Management
- CVSS: 7.8 – High
- CISA KEV Catalog: Yes – added 2026-02-10
An authenticated attacker is able to escalate privileges locally.[9] Threat actors actively exploited this vulnerability as a zero-day to gain SYSTEM-level access. The underlying issue is faulty privilege management in Remote Desktop Services (RDS), which allows an attacker with low-privileged local access to modify configuration registry keys and thereby obtain full SYSTEM privileges. Threat actors can then deploy malware, access sensitive data, and map out and move laterally within the environment.
Google Chrome – CVE-2026-2441
- Prioritized Category: Productivity, Communication, & Knowledge
- Impacted Software: Google Chrome
- Type: Use-after-free
- CVSS: 8.8 – High
- CISA KEV Catalog: Yes – added 2026-02-17
The vulnerability, tracked as CVE-2026-2441, is high severity and allows a remote attacker to execute arbitrary code via a maliciously crafted HTML page. Specific details regarding exploitation attempts were not made public; however, Google did state that an exploit is publicly available.[10]
Threat actors could exploit this vulnerability to run malicious code within the context of the user’s browser. Threat actors could use this to deploy malware, steal session tokens, or gain access to sensitive systems that can be accessed through the browser.
n8n – CVE-2026-25049
- Prioritized Category: IT Management & Operations
- Impacted Software: n8n workflow automation platform
- Type: Remote Code Execution
- CVSS: 9.4 – Critical
- CISA KEV Catalog: No
Improper control of dynamically managed code resources allows an authenticated user who can create or modify workflows in the n8n automation platform to execute code.[11] The vulnerability stems from a flaw in how n8n sanitizes workflow expressions, which could allow a threat actor to bypass the sanitization controls entirely. Workflow automation platforms are frequently integrated with many other services, so a threat actor could use this access to reach those services or steal data from them.
Cisco – CVE-2026-20127
- Prioritized Category: Network & Infrastructure
- Impacted Software: Cisco Catalyst SD-WAN Controller and Manager
- Type: Authentication Bypass
- CVSS: 10 – Critical
- CISA KEV Catalog: Yes – added 2026-02-25
The vulnerability impacts the peering authentication mechanism and allows a threat actor to bypass authentication controls to gain administrative access to the SD-WAN Controller/Manager. It has been actively exploited, with activity attributed to UAT-8616. The group reportedly compromised Cisco SD-WAN deployments to create a rogue device in the network management plane of an organization’s SD-WAN component.[12]
The U.S. CISA released an Emergency Directive related to Cisco SD-WAN devices on February 25, 2026.
Exploitation of this vulnerability could allow threat actors to gain administrative access to a network infrastructure product without valid credentials, making it particularly severe. Threat actors that successfully exploit this vulnerability can manipulate network routing, intercept traffic, deploy rogue devices, and maintain persistence in the compromised network.
The severity of this vulnerability, confirmation of active exploitation, and a CISA Emergency Directive highlight the significant risk it poses to impacted organizations and the importance of applying the available patches.
Blackpoint’s APG Analysis
Blackpoint’s SOC consistently monitors customer environments for behaviors associated with lateral movement and remote execution, techniques commonly leveraged after successful vulnerability exploitation. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed in this blog, helping to detect and contain malicious activity before it can escalate into broader compromise.
These vulnerabilities are often leveraged to gain initial access, establish persistence, deploy malware, and move laterally across victim environments. As many of the impacted products/software are widely used by MSPs, successful exploitation can provide threat actors with broad access across multiple systems and networks.
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. These vulnerabilities will likely be targeted by multiple types of threat actors, including both nation-state and financially motivated groups. Exploitation of vulnerabilities in IT management, network infrastructure, and remote access software remains a consistent and successful tactic for threat actors seeking to disrupt operations, steal sensitive information, and deploy malware including ransomware and information stealers.
Glossary
- Data Protection & Recovery: These tools are very likely to store important data from multiple systems in one place, making them an attractive target for threat actors. Attackers who gain access to these systems can delete company backups, encrypt them, or steal data.
- IT Management & Operations: IT teams use these tools to monitor systems, fix issues, and automate tasks. These tools typically have high-level access permissions and an attacker who gains access could change settings, run malicious code, or spread across many systems without detection. A single compromise of these tools could impact multiple customers as the result of a single intrusion.
- Network & Infrastructure: These systems control how data moves in and out of a network; they often sit between the internal systems and the internet. Due to their exposure and being highly trusted, they are attractive targets for threat actors and are frequently targeted. An attacker that successfully targets these systems could access internal systems, access network traffic, or bypass security controls.
- Productivity, Communication, & Knowledge: These tools frequently contain sensitive data, instructions, and private conversations, making them attractive targets for threat actors. An attacker that gains access to these tools can read private messages, steal information, impersonate trusted users, and conduct additional attacks from a trusted platform.
- Remote Access & Identity: These tools are frequently used by administrators and are trusted across the environment, making them an attractive target for threat actors. An attacker that gains access to or abuses tools within this category can log in as legitimate users, bypass security checks, and move through systems without being detected.
- Security & Threat Defense: These tools collect security data and alert teams when something appears suspicious or malicious. Attackers that exploit these tools can hide their activity, turn off alerts, or delete evidence of their activity. This type of abuse can leave security teams blind to malicious activity and allow attackers to complete their objectives.