February 2026 CVEs delivered an aggressive vulnerability cycle, marked by multiple actively exploited Microsoft zero-days and two separate CVSS 10.0 infrastructure flaws impacting core enterprise platforms. From Windows components leveraged for initial access and privilege escalation to authentication bypass in Cisco SD-WAN and root-level exposure in Dell backup systems, this month’s disclosures highlight a concerning acceleration in exploitation timelines.

Attackers are increasingly moving from proof-of-concept to active campaigns within days of disclosure—often chaining endpoint vulnerabilities with infrastructure weaknesses to maximize impact. For enterprise security teams, February’s CVEs reinforce the need for rapid patch management, strong visibility across control planes, and practical experience defending against real-world attack paths.  Practice CVE mitigation with hands-on labs in INE’s Skill Dive Vulnerabilities Lab Collection.

This February CVE roundup focuses on the two most impactful Microsoft zero-days and rounds out the top five with critical Cisco, Dell, and SAP vulnerabilities that demand immediate attention.

1. MSHTML Security Feature Bypass (CVE-2026-21513)

Impact: Security Feature Bypass → Initial Access
Severity: Critical
Status: Actively Exploited Zero-Day
Vendor: Microsoft

CVE-2026-21513 is one of the most significant Microsoft zero-day vulnerabilities disclosed in February 2026. It affects MSHTML, the legacy browser rendering engine still embedded in Windows components and Office applications. Attackers can bypass built-in security protections when rendering specially crafted content.

Why it matters:

• Likely exploitable through phishing or malicious documents

• Enables bypass of browser-based security controls

• Ideal for delivering secondary payloads

• Frequently chained with privilege escalation vulnerabilities

Mitigation:

• Apply February Patch Tuesday updates immediately

• Restrict legacy rendering where possible

• Monitor endpoint telemetry for abnormal script execution

2. Windows Remote Desktop Services Elevation of Privilege (CVE-2026-21533)

Impact: Elevation of Privilege
Severity: High / Critical
Status: Actively Exploited
Vendor: Microsoft

This vulnerability allows attackers to escalate privileges within Windows environments via Remote Desktop Services components.

Why it matters:

• RDS is widely deployed in enterprise environments

• Enables attackers to move from limited access to SYSTEM-level privileges

• Highly effective when chained with phishing or browser exploits

• Expands lateral movement capability significantly

Mitigation:

• Patch all Windows servers and workstations running RDS

• Restrict RDP exposure externally

• Monitor for suspicious privilege escalation activity

3. Cisco SD-WAN Authentication Bypass (CVE-2026-20127)

Impact: Authentication Bypass → Admin Access
Severity: CVSS 10.0
Status: Zero-Day Exploited by UAT-8616
Vendor: Cisco

CVE-2026-20127 Cisco SD-WAN represents one of the most severe enterprise infrastructure vulnerabilities disclosed in February. It affects Cisco SD-WAN Controller and Manager components, allowing attackers to bypass authentication and gain administrative privileges.

Threat actor UAT-8616 reportedly exploited this vulnerability to obtain full administrative control of affected systems.

Why it matters:

• CVSS 10.0 with no authentication required

• Impacts core network infrastructure

• Enables configuration manipulation and persistent access

• High-value target for espionage and financially motivated actors

Mitigation:

• Apply Cisco patches immediately

• Audit admin access logs

• Restrict management plane exposure

4. Dell RecoverPoint for VMs Hard-Coded Credentials (CVE-2026-22769)

Impact: Hard-Coded Credentials → Root Access
Severity: CVSS 10.0
Status: Zero-Day Exploited by UNC6201
Vendor: Dell

CVE-2026-22769 stems from hard-coded credentials in Dell RecoverPoint for Virtual Machines. Exploitation allows attackers to gain unauthorized root-level access.

Why it matters:

• Root-level access to backup and recovery infrastructure

• Enables ransomware staging and persistence

• Backup systems are increasingly targeted in modern attacks

• Exploited by threat actor UNC6201

Mitigation:

• Patch immediately

• Rotate credentials

• Audit for unauthorized root sessions

5. SAP CRM / S4HANA & NetWeaver Vulnerabilities (CVE-2026-0488, CVE-2026-0509)

Impact: Code Injection (9.9) & Missing Authorization (9.6)
Severity: High / Critical
Vendor: SAP

SAP addressed two high-risk vulnerabilities affecting CRM, S/4HANA, and NetWeaver components. These flaws enable code injection and bypass of authorization controls.

Why it matters:

• ERP systems store financial and operational data

• Code injection can lead to backend manipulation

• Missing authorization increases risk of privilege abuse

• Expands overall enterprise attack surface

Mitigation:

• Apply SAP February security notes

• Review access controls

• Monitor ERP transactions for anomalous behavior

Prioritization Strategy for February 2026

1. Patch actively exploited Microsoft zero-days first

• CVE-2026-21513

• CVE-2026-21533

2. Secure infrastructure-level exposures

• Cisco SD-WAN CVE-2026-20127

• Dell RecoverPoint CVE-2026-22769

3. Harden ERP environments

• SAP CVE-2026-0488

• SAP CVE-2026-0509
  

February 2026 underscores a growing trend: attackers are aggressively targeting both endpoint entry points and infrastructure control planes. From MSHTML-based initial access to SD-WAN authentication bypass and root-level backup compromise, this month’s vulnerabilities illustrate how quickly adversaries can pivot from user interaction to enterprise-wide control.

Defending against these threats requires more than patch awareness. Security teams must understand how vulnerabilities are chained, how privilege escalation occurs in practice, and how infrastructure compromise unfolds.

INE’s hands-on cybersecurity training provides the practical experience needed to detect exploitation attempts, secure enterprise systems, and respond effectively to real-world attacks.

Stay ahead of adversaries. Build real-world skills. Train with INE.