Mar 12, 2026 • Recorded Future
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
Executive Summary
February 2026 saw a 43% decrease in high-impact vulnerabilities with 13 critical flaws identified by Recorded Future, all carrying 'Very Critical' risk scores. Microsoft dominated with six vulnerabilities (46%), followed by BeyondTrust, Cisco, Apple, Google, Dell, Notepad++, and Soliton Systems. Three named threat actors actively exploited vulnerabilities: Chinese state-sponsored Lotus Blossom conducted a supply-chain attack on Notepad++ using CVE-2025-15556 to deliver Cobalt Strike Beacon and the Chrysalis backdoor; Russian APT28 exploited CVE-2026-21513 via malicious Windows Shortcut files; and UNC6201 compromised Dell RecoverPoint deploying multiple backdoors including GRIMBOLT. Four CVEs have public proof-of-concept exploits, and one is being sold. Organizations should prioritize intelligence-driven remediation given the presence of named threat actors and five RCE-enabling vulnerabilities.
Summary
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026.
Published Analysis
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a 'Very Critical' Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day.
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor.
- APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery.
- Public exploits available: Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale.
- Bottom line: Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.

Quick Reference: February 2026 Vulnerability Table
All 13 vulnerabilities below were actively exploited in February 2026.
| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2025-15556 | 99 | Notepad++ | CWE-494 (Download of Code Without Integrity Check) | Yes |
| 2 | CVE-2026-1731 | 99 | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) | Yes |
| 3 | CVE-2026-21510 | 99 | Microsoft Windows | CWE-693 (Protection Mechanism Failure) | No |
| 4 | CVE-2026-21513 | 99 | Microsoft Windows | CWE-693 (Protection Mechanism Failure) | No |
| 5 | CVE-2026-21514 | 99 | Microsoft Office | CWE-807 (Reliance on Untrusted Inputs in a Security Decision) | No |
| 6 | CVE-2026-21519 | 99 | Microsoft Windows | CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion')) | No |
| 7 | CVE-2026-21525 | 99 | Microsoft Windows | CWE-476 (NULL Pointer Dereference) | No |
| 8 | CVE-2026-21533 | 99 | Microsoft Windows | CWE-269 (Improper Privilege Management) | *Yes |
| 9 | CVE-2026-20700 | 99 | Apple iOS, macOS, tvOS, watchOS, and visionOS | CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) | No |
| 10 | CVE-2026-25108 | 99 | Soliton Systems K.K. FileZen | CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) | No |
| 11 | CVE-2026-2441 | 99 | Google Chromium | CWE-416 (Use After Free) | Yes |
| 12 | CVE-2026-22769 | 99 | Dell RecoverPoint for Virtual Machines (RP4VMs) | CWE-798 (Use of Hard-coded Credentials) | No |
| 13 | CVE-2026-20127 | 99 | Cisco Catalyst SD-WAN Controller and Manager | CWE-287 (Improper Authentication) | Yes |

Table 1: List of vulnerabilities that were actively exploited in February based on Recorded Future data. (Source: Recorded Future)
*An alleged exploit for CVE-2026-21533 is being advertised for sale on GitHub. Recorded Future Triage was used to browse the website advertising the exploit, which can be viewed via the Replay Monitor.

Key Trends: February 2026

Vendors Most Affected
- Microsoft led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products.
- BeyondTrust faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier.
- Cisco saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure.
- Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell.

Most Common Weakness Types
- CWE-78 – OS Command Injection (tied for most common)
- CWE-693 – Protection Mechanism Failure (tied for most common)
- CWE-476 – NULL Pointer Dereference
- CWE-843 – Type Confusion
- CWE-807 – Reliance on...
Linked Entities
- BRICKSTORM
- Chrysalis
- Cobalt Strike Beacon
- GRIMBOLT
- Metasploit loader
- SLAYSTYLE
- APT28
- Lotus Blossom
- UAT-8616
- UNC6201
- CVE-2022-20775
- CVE-2025-15556