
🔒 Cybersecurity News - February 2026

Critical Security Updates, Vulnerabilities, and Threat Intelligence

⚠️ Critical Alert: Active Exploitation

Multiple zero-day vulnerabilities are being actively exploited in the wild. Immediate patching is recommended for Microsoft Office (CVE-2026-21509), SmarterMail (CVE-2026-24423), and Ivanti EPMM systems.

February 2026 Security Overview

February 2026 has witnessed a significant surge in cybersecurity incidents, with AI-powered attacks becoming increasingly sophisticated and prevalent. CISA has issued urgent directives for federal agencies to remove unsupported edge devices within 12-18 months, while ransomware attacks continue to plague the healthcare sector with 27 incidents reported in January alone. Major tech vendors including Microsoft, Google, Cisco, and F5 have released critical security patches addressing high-severity vulnerabilities. The emergence of AI-enabled malware and agentic AI systems marks a new era in cyber threats, requiring organizations to strengthen their security posture immediately.

- 91 ransomware attacks (January 2026)
- 37 Android security fixes
- 114 Microsoft vulnerabilities patched
- 700K Substack user records leaked

CISA Orders Federal Agencies to Remove Unsupported Edge Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02, ordering Federal Civilian Executive Branch agencies to strengthen asset lifecycle management for edge network devices. The directive requires immediate updates to vendor-supported software, cataloging of all devices within three months, and complete decommissioning of end-of-support edge devices within 12 months. This unprecedented move comes as state-sponsored threat actors increasingly exploit unsupported devices as preferred access pathways. Edge devices including firewalls, routers, switches, and IoT devices positioned at the network perimeter are especially vulnerable to persistent cyber threat actors exploiting known vulnerabilities.


Malware and Cyberattacks in the Age of AI

The arrival of agentic AI is revolutionizing the attack landscape. Security researchers predict that by mid-2026, at least one major global enterprise will fall to a breach caused by fully autonomous agentic AI systems. These systems use reinforcement learning and multi-agent coordination to autonomously plan, adapt, and execute entire attack lifecycles from reconnaissance to exfiltration. AI-enabled malware like MalTerminal, PromptLock, and PromptSteal can generate ransomware or reverse-shell code at runtime, creating polymorphic, self-evolving payloads that evade traditional signatures. The barrier to entry has collapsed, giving amateur attackers unprecedented reach while sophisticated gangs run 'platforms' renting out AI-driven kits.


February 2026 Patch Tuesday: Multiple OOB Fixes

Microsoft's February 2026 Patch Tuesday will include three rounds of out-of-band patches from January. The first addressed credential prompt failures for remote desktop connections and hibernation issues. The second blocked Outlook Classic from reading PST files on cloud storage such as OneDrive. The third was an emergency fix for the actively exploited zero-day CVE-2026-21509, a Microsoft Office security feature bypass vulnerability allowing unauthorized system access. Microsoft also announced a phased plan to disable the NTLM authentication protocol by default, with Phase 1 starting immediately using advanced NTLM auditing in Windows Server 2025 and Windows 11 24H2.


Cisco and F5 Patch High-Severity Vulnerabilities

Cisco released patches for five security defects including two high-severity bugs in TelePresence and RoomOS software. CVE-2026-20119 allows remote DoS attacks without authentication by sending crafted meeting invitations. CVE-2026-20098 enables authenticated attackers to upload arbitrary files and execute commands with root privileges. F5's February quarterly notification describes five vulnerabilities in BIG-IP and NGINX, including CVE-2026-22548 causing DoS by restarting the bd process, and CVE-2026-1642 allowing MitM attackers to inject responses to clients. Both vendors report no evidence of exploitation in the wild.


Substack Discloses Security Incident: 700K Records Leaked

Substack, a digital publishing platform with 35 million subscribers, has disclosed a data breach after a hacker leaked user records. The incident occurred in October 2025 but was only discovered on February 3, 2026. Compromised data includes email addresses, phone numbers, names, profile pictures, user IDs, and bios for nearly 700,000 records obtained through scraping. CEO Chris Best confirmed that passwords, payment card numbers, and financial information were not exposed. The threat actor described the attack as "noisy," which led to quick mitigation. Substack has urged users to watch for suspicious emails and text messages.


Android Security Bulletin: February 2026

Google has published the Android Security Bulletin for February 2026, addressing 37 total security vulnerabilities affecting Android devices. The bulletin includes 25 fixes from Google for the Android OS and 12 fixes from Samsung. Security patch levels of 2026-02-01 or later address all documented issues. The bulletin follows a two-level approach, allowing partners flexibility to fix critical vulnerabilities quickly across all devices. Within 48 hours, corresponding source code patches will be released to the Android Open Source Project repository. Google Play Protect continues monitoring for abuse and warns users about Potentially Harmful Applications.


Ransomware Surge: 91 Attacks in January 2026

2026 opened with 91 publicly disclosed ransomware attacks, representing a significant surge in cybercriminal activity. Healthcare was the most targeted sector with 27 incidents, followed by government organizations. Attackers are now exploiting critical SmarterMail vulnerability CVE-2026-24423, prompting CISA to order federal agencies to address it by February 26, 2026. The ransomware threat landscape has entered a new phase defined by scale, automation, and sector-specific targeting. AI-assisted attacks are making ransomware more efficient, while the FTC has issued its second report to Congress on fighting ransomware and cyberattacks, emphasizing the need for enhanced security measures.


Microsoft Office Zero-Day CVE-2026-21509 Actively Exploited

Microsoft issued an emergency out-of-band patch for CVE-2026-21509, an actively exploited Microsoft Office zero-day vulnerability with a CVSS score of 7.8. The security feature bypass flaw allows attackers to bypass built-in security controls in Microsoft 365 and Office that protect against unauthorized access. The Russian state-sponsored threat group APT28 continues exploiting this vulnerability even after the emergency patch release, using phishing emails with malicious RTF attachments. The current exploit requires users to open malicious Office files, which then grants the attacker unauthorized system access. Affected products include multiple Office versions, among them Microsoft 365 Apps for Enterprise.


Critical Vulnerabilities Requiring Immediate Action

CVE-2026-21509 - Microsoft Office Security Feature Bypass

CVSS Score: 7.8 (High) | Status: Actively Exploited | Action: Apply emergency patch immediately

CVE-2026-24423 - SmarterMail Critical Vulnerability

Status: Exploited by Ransomware Actors | Deadline: February 26, 2026 for federal agencies | Action: Update SmarterMail to latest version

CVE-2026-20119 - Cisco TelePresence Remote DoS

CVSS Score: High | Attack Vector: Network (No authentication required) | Action: Update to TelePresence CE 11.27.5.0 or RoomOS 11.32.3.0

CVE-2026-22548 - F5 BIG-IP Denial of Service

Severity: High (CVSS 4.0) | Impact: Traffic disruption via bd process restart | Action: Apply F5 February 2026 patches

CVE-2025-8088 - WinRAR Path Traversal RCE

Type: Remote Code Execution | Exploitation: Active in espionage campaigns | Action: Update WinRAR to latest version immediately

CVE-2026-1281 & CVE-2026-1340 - Ivanti EPMM Zero-Days

Status: Exploited (limited number of customers) | Product: Ivanti Endpoint Manager Mobile | Action: Apply Ivanti patches

Recommendations for Security Teams

🔍 Immediate Actions

Deploy all available patches for Microsoft Office, SmarterMail, Cisco, F5, WinRAR, and Notepad++. Inventory all edge devices and identify end-of-support hardware. Enable advanced NTLM auditing on Windows 11 24H2 and Server 2025.

🛡️ AI-Powered Threat Defense

Implement behavioral EDR focusing on what malware does, not what it looks like. Use AI to detect and block AI-enabled attacks. Monitor for unusual process creation, scripting activity, and unexpected outbound traffic to AI APIs.
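The three checks this recommendation names, as an added example that is not from the article or any vendor product: a Python pass over constructed endpoint telemetry that flags Office applications spawning script interpreters (the RTF-attachment phishing chain described above) and non-browser processes connecting to AI API hosts. The event shape, the AI hostname list and the allowed-process list are assumptions made for this example.

```python
from dataclasses import dataclass

# Office apps whose children should never be script interpreters (the RTF
# attachment phishing chain above starts this way) and the interpreters that
# count as "scripting activity".
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed AI API hostnames and the processes allowed to reach them (assumptions).
AI_API_HOSTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}
AI_ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "approved-ai-client.exe"}

@dataclass
class Alert:
    rule: str      # which check fired
    severity: str  # "high" or "medium"
    host: str      # endpoint the event came from
    detail: str    # human-readable evidence

def evaluate(events):
    """Run both checks over event dicts of the constructed shapes
    {"type": "process", "host", "image", "parent"} and
    {"type": "network", "host", "image", "dest"}; return the alerts."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if e["type"] == "process":
            parent = e["parent"].lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                alerts.append(Alert("office-spawns-script", "high", e["host"],
                                    f"{parent} spawned {image}"))
        elif e["type"] == "network":
            dest = e["dest"].lower()
            if dest in AI_API_HOSTS and image not in AI_ALLOWED_PROCS:
                # A script interpreter reaching an LLM API matches the
                # runtime code-generation behaviour described above.
                sev = "high" if image in SCRIPT_HOSTS else "medium"
                alerts.append(Alert("unexpected-ai-api-egress", sev, e["host"],
                                    f"{image} -> {dest}"))
    return alerts

# Constructed sample telemetry: an Office-to-PowerShell chain that then reaches
# an LLM API, one benign browser call, and one unrelated connection.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process", "host": "ws-01", "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"type": "network", "host": "ws-01", "image": "powershell.exe", "dest": "api.openai.com"},
    {"type": "network", "host": "ws-02", "image": "msedge.exe", "dest": "api.openai.com"},
    {"type": "network", "host": "ws-03", "image": "svchost.exe", "dest": "update.example.test"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts, both on ws-01: the Word-to-PowerShell spawn and the PowerShell connection to the LLM API; the browser call and the unrelated connection produce nothing.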

📊 Strengthen Security Posture

Focus on cyber hygiene basics: patching, phishing-proof MFA, least privilege access, network segmentation, and regular backups. Minimize exposure and reduce time-to-remediation as offensive capabilities are now automated.

🎯 Ransomware Preparedness

Healthcare organizations must prioritize ransomware defenses given 27 attacks in January. Implement offline backups, test incident response plans, and establish recovery procedures. Monitor for SmarterMail exploitation attempts.

Sources: CISA, The Hacker News, SecurityWeek, Help Net Security, Google Android Security, BlackFog

February 2026 Cybersecurity News Compilation

Stay vigilant. Patch immediately. Report incidents promptly.

⚠️ This information is for awareness purposes. Always verify with official vendor sources before taking action.
