Daily Digest

Critical Zero-Days in Dell and Chrome Actively Exploited; CISA Issues Urgent Patch Alerts

Critical Zero-Days in Dell and Chrome Actively Exploited; CISA Issues Urgent Patch Alerts

February 17, 2026
12 articles (11 new, 1 updated)
36 min read

Summary

This reporting period for February 16-17, 2026, is dominated by the active exploitation of critical vulnerabilities. Dell disclosed a maximum-severity zero-day in its RecoverPoint appliance, exploited by a Chinese espionage group for nearly two years. Concurrently, Google rushed out a patch for the first actively exploited Chrome zero-day of 2026. CISA amplified the urgency by adding multiple widely-used products from SolarWinds, Microsoft, and BeyondTrust to its KEV catalog. Other significant developments include the discovery of a sophisticated Android backdoor, a novel attack using AI assistants for C2 channels, and a firmware rootkit targeting Cisco devices.

Filter by Category

New Articles (11)

Dell Zero-Day Exploited for Two Years by Chinese Spies to Steal Data

CRITICAL

Dell Patches Critical RecoverPoint Zero-Day (CVE-2026-22769) Actively Exploited by China-Nexus Group UNC6201

Dell has released an emergency patch for a critical, maximum-severity vulnerability (CVE-2026-22769) in its RecoverPoint for Virtual Machines appliance. The flaw, a case of hardcoded credentials, has been actively exploited by a suspected Chinese cyberespionage group (UNC6201) since mid-2024. Attackers leveraged the CVSS 10.0 vulnerability to gain root access, deploy webshells, and install multiple backdoors, including the novel GRIMBOLT malware. The long-term exploitation allowed the threat actor to maintain persistence and conduct lateral movement within victim networks.

February 17, 2026
6 min read
zero-dayhardcoded credentialscyberespionageVMwarebackup security +1 more
Dell Zero-Day Exploited for Two Years by Chinese Spies to Steal Data
Vulnerability
Threat Actor
Cyberattack

Google Scrambles to Patch First Actively Exploited Chrome Zero-Day of 2026

CRITICAL

Google Releases Emergency Patch for Actively Exploited Chrome Zero-Day CVE-2026-2441

Google has issued an urgent security update for its Chrome web browser to fix a high-severity zero-day vulnerability, CVE-2026-2441. The flaw, a use-after-free bug in the browser's CSS component, is confirmed to be actively exploited in the wild. Successful exploitation allows a remote attacker to execute arbitrary code simply by tricking a user into visiting a malicious webpage. All users are urged to update their browsers immediately.

February 17, 2026
4 min read
zero-dayuse-after-freebrowser securitychromiumGoogle Chrome
Google Scrambles to Patch First Actively Exploited Chrome Zero-Day of 2026
Vulnerability
Patch Management

‘Zero-Knowledge’ Password Managers Not So Secure, Study Finds

MEDIUM

ETH Zurich Study Reveals Architectural Flaws in Bitwarden, LastPass, and Dashlane, Challenging "Zero-Knowledge" Claims

A new study by researchers at ETH Zurich has uncovered significant architectural weaknesses in popular cloud-based password managers, including Bitwarden, LastPass, and Dashlane. The research challenges the "zero-knowledge" encryption promises made by these vendors, demonstrating 27 distinct attack scenarios where a malicious or compromised server could access or alter passwords in a user's encrypted vault. The attacks exploit weaknesses in features like account recovery and data synchronization rather than breaking the underlying cryptography.

February 17, 2026
4 min read
password managerzero knowledgesecurity researchencryptionBitwarden +1 more
‘Zero-Knowledge’ Password Managers Not So Secure, Study Finds
Security Operations
Policy and Compliance
Other

CISA KEV Alert: Patch Now for Exploited Flaws in SolarWinds, Microsoft, Notepad++, and Apple

HIGH

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Mandating Federal Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws affect a wide range of popular products: SolarWinds Web Help Desk (CVE-2025-40536), Microsoft Configuration Manager (CVE-2024-43468), Notepad++ (CVE-2025-15556), and multiple Apple operating systems (CVE-2026-20700). Federal agencies are now under a binding directive to patch these vulnerabilities by their respective deadlines.

February 17, 2026
4 min read
KEVCISApatch managementvulnerability managementSolarWinds +1 more
CISA KEV Alert: Patch Now for Exploited Flaws in SolarWinds, Microsoft, Notepad++, and Apple
Patch Management
Vulnerability
Regulatory

New ClickFix Attack Abuses DNS 'nslookup' for Stealthy Malware Delivery

MEDIUM

Microsoft Warns of Novel ClickFix Variant Using DNS Queries to Deploy ModeloRAT Trojan

Microsoft Threat Intelligence has uncovered a new variant of the 'ClickFix' social engineering attack that uses DNS queries as a covert channel for malware delivery. Victims are tricked into running an 'nslookup' command that queries an attacker-controlled DNS server. The malware payload, a PowerShell script, is embedded in the DNS response, allowing it to bypass some web-based security filters. The attack chain ultimately deploys the ModeloRAT remote access trojan.

February 17, 2026
5 min read
ClickFixDNS tunnelingsocial engineeringModeloRATPowerShell +1 more
New ClickFix Attack Abuses DNS 'nslookup' for Stealthy Malware Delivery
Malware
Phishing
Threat Intelligence

Microsoft 365 Admin Center Outage in North America Investigated as Security Event

MEDIUM

Microsoft Investigates M365 Admin Center Outage as Security Event Amid Disruption for North American Users

A significant service disruption on February 10, 2026, that prevented IT administrators across North America from accessing the Microsoft 365 admin center, is reportedly being investigated as a security event. The outage, which also affected the M365 mobile app, blocked administrators from performing critical user management and security tasks, raising concerns about the incident's root cause and whether it was the result of malicious activity.

February 17, 2026
4 min read
outageMicrosoft 365cloud securityincident responseM365
Microsoft 365 Admin Center Outage in North America Investigated as Security Event
Security Operations
Cloud Security
Incident Response

New 'Keenadu' Android Backdoor Injects into Core Zygote Process, Links Major Botnets

HIGH

Sophisticated 'Keenadu' Android Backdoor Discovered in Firmware and Google Play Apps

Kaspersky researchers have discovered a highly sophisticated Android backdoor named "Keenadu." The malware is being distributed through two alarming vectors: pre-installed in device firmware via supply chain compromise, and through malicious apps on the Google Play Store. Keenadu's primary malicious action is to inject itself into the Android Zygote process, the parent of all applications, giving it pervasive access and control. The investigation also exposed operational links between Keenadu and the notorious Triada and BADBOX malware families.

February 17, 2026
5 min read
Android malwarefirmware attacksupply chainbotnetZygote +1 more
New 'Keenadu' Android Backdoor Injects into Core Zygote Process, Links Major Botnets
Malware
Mobile Security
Supply Chain Attack

Panasonic Launches World-First Cybersecurity Monitoring Trial for Grid-Scale Battery Storage Systems

INFORMATIONAL

Panasonic Trials World's First Cybersecurity Monitoring for Grid-Scale Battery Energy Storage Systems (BESS)

Panasonic Holdings Corporation has announced the start of what it calls the world's first cybersecurity monitoring trial for grid-scale Battery Energy Storage Systems (BESS). This pioneering initiative aims to develop and validate a system for detecting intrusions and unauthorized commands within the BESS's internal operational technology (OT) network, moving beyond conventional perimeter defenses to secure critical energy infrastructure.

February 17, 2026
3 min read
BESSICS securityOT securitycritical infrastructurePanasonic +1 more
Panasonic Launches World-First Cybersecurity Monitoring Trial for Grid-Scale Battery Storage Systems
Industrial Control Systems
Security Operations
Threat Intelligence

Fake 7-Zip Website Tricks Users, Turns PCs into Malicious Proxy Nodes

HIGH

Trojanized 7-Zip Installer from Lookalike Site Secretly Installs Proxyware

A malicious campaign is leveraging a lookalike domain, 7zip[.]com, to distribute a trojanized installer for the popular 7-Zip file archiving utility. The installer, signed with a now-revoked digital certificate, provides a functional version of 7-Zip to avoid suspicion, but also silently installs proxyware. This malware turns the victim's computer into a residential proxy node, allowing threat actors to route their traffic through the victim's IP address for nefarious activities.

February 17, 2026
4 min read
trojanproxyware7-Zipdomain impersonationtyposquatting
Fake 7-Zip Website Tricks Users, Turns PCs into Malicious Proxy Nodes
Malware
Phishing

New 'AI-in-the-Middle' Attack Turns Microsoft Copilot and Grok into C2 Channels

MEDIUM

Researchers Detail "AI-in-the-Middle" Attack Abusing AI Assistants for Covert C2

Security researchers have detailed a novel command-and-control (C2) technique dubbed "AI-in-the-Middle." This method allows malware on a compromised system to use legitimate, web-connected enterprise AI assistants, such as Microsoft Copilot, as a proxy to relay commands. The technique effectively hides malicious C2 traffic within the seemingly benign and trusted communications to AI platforms, posing a significant detection challenge for network security tools.

February 17, 2026
5 min read
AI securityC2command and controlMicrosoft Copilotevasion +1 more
New 'AI-in-the-Middle' Attack Turns Microsoft Copilot and Grok into C2 Channels
Threat Intelligence
Malware
Cloud Security

"Shadow Persistence" Rootkit Targets Cisco Edge Devices, Survives Factory Resets

CRITICAL

New 'Shadow Persistence' Firmware Rootkit Targets Cisco IOS XE Devices in Espionage Campaign

A sophisticated espionage campaign is actively targeting critical infrastructure and government agencies by exploiting a new vulnerability in Cisco's IOS XE software. Attackers are using the flaw to install a powerful firmware rootkit, dubbed "Shadow Persistence," on network edge routers. This rootkit is exceptionally dangerous because it is installed directly into the device's firmware, allowing it to survive reboots and even factory resets, making it nearly impossible to remove through standard procedures.

February 17, 2026
5 min read
rootkitfirmwareCiscoIOS XEespionage +1 more
"Shadow Persistence" Rootkit Targets Cisco Edge Devices, Survives Factory Resets
Cyberattack
Threat Actor
Vulnerability

Updated Articles (1)

BeyondTrust Patches Critical 9.9 CVSS RCE Zero-Day in Remote Access Tools

CRITICAL

BeyondTrust Patches Critical 9.9 CVSS Zero-Day (CVE-2026-1731) in Remote Support and Privileged Remote Access Products

Update:

The critical BeyondTrust RCE vulnerability (CVE-2026-1731) is now being actively exploited in the wild, a significant escalation from its initial disclosure. Following the public release of a proof-of-concept (PoC) exploit on February 10, 2026, widespread scanning and exploitation attempts have been observed. Consequently, CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13, 2026, mandating federal agencies to patch by February 16, 2026. This development underscores the urgent need for all on-premises BeyondTrust users to apply patches immediately to prevent system compromise.

February 9, 2026
Updated: February 17, 2026
5 min read
BeyondTrustCVE-2026-1731Zero-DayRCEVulnerability +2 more
BeyondTrust Patches Critical 9.9 CVSS RCE Zero-Day in Remote Access Tools
Vulnerability
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats