SOCshare: cybersecurity landscape in February 2026
Microsoft’s Patch Tuesday
February delivered one of the most intense Patch Tuesdays, addressing 59 vulnerabilities, including six actively exploited zero-day vulnerabilities. Three out of six zero-days heavily targeted the client-side attack surface through social engineering. Flaws in the Windows Shell (CVE-2026-21510) and MSHTML Framework (CVE-2026-21513) allowed attackers to bypass SmartScreen and other security prompts simply by convincing users to open malicious .lnk or HTML files. A separate bypass in Microsoft Word (CVE-2026-21514) allowed attackers to evade OLE mitigations using crafted Office documents. It’s a reminder that phishing remains as dangerous as ever.
SolarWinds WHD and The Velociraptor
The widespread exploitation of SolarWinds Web Help Desk (exploiting CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551) servers has come to light. But the real story wasn’t the initial access – it was the post-compromise tradecraft. Rather than deploying custom malware, the threat actor utilized Velociraptor, a well-known, open-source digital forensics and incident response (DFIR) tool. By turning a trusted security tool into a Command and Control (C2) framework, the attackers effectively blinded defenders, using Velociraptor to disable Microsoft Defender, stage files, and run commands.
What else happened in February 2026?
Where to pay attention to
Organisations should prioritise:
- Monitor security tooling install and use: Establish strict policies and monitor the behavior of security tools. Threat actors, on occasion, install and use tools like Velociraptor or EDR/XDR solutions to control devices, which often goes unnoticed, because most people consider them inherently safe.
- Isolate Agentic AI: Tools like OpenClaw with code execution and high-level credentials have inherent risks. If your developers or employees are running AI agents, these must be treated as untrusted entities. They should only operate in strictly isolated environments (like sandboxed VMs) with dedicated, non-privileged credentials.
- Audit your update channels: Move toward centralized software repositories (for example, use Microsoft Intune, Microsoft SCCM, or a similar solution) for deployments rather than allowing endpoints to query external update servers directly.
Sources:
- CrowdStrike – February 2026 Patch Tuesday: Six Zero-Days Among 59 CVEs Patched
- Huntress – Active Exploitation of SolarWinds Web Help Desk
- The Hacker News – OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
- CSO – Substack data breach leaks users’ email addresses and phone numbers
This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
Other news and stories
SOCshare January 2026: cybersecurity landscape review
CTI-AI project: end of year update
The most common myths related to the implementation of the DORA Regulation
SOCcare December 2025: RondoDox Campaign: Routers Beware
Engaging management and operational teams to do trainings, TTXs, practice sessions, etc.
Designing an engaging and realistic TTX for an organisation
Weekly cyber drills? How to make them a mission possible
