cybersecurity

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

New research shows that behaviors that occur at the very lowest levels of the network stack make encryption—in any form, not just those that have been broken in the past—incapable of providing client isolation, an encryption-enabled protection promised by all router makers, that is intended to block direct communication between two or more connected clients.

The isolation can effectively be nullified through AirSnitch, the name the researchers gave to a series of attacks that capitalize on the newly discovered weaknesses. Various forms of AirSnitch work across a broad range of routers, including those from Netgear, D-Link, Ubiquiti, Cisco, and those running DD-WRT and OpenWrt.

AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks,” Xin’an Zhou, the lead author of the research paper, said in an interview. “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.” Zhou presented his research on Wednesday at the 2026 Network and Distributed System Security Symposium.

Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks.

The most powerful such attack is a full, bidirectional machine-in-the-middle (MitM) attack, meaning the attacker can view and modify data before it makes its way to the intended recipient. The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP. It works against small Wi-Fi networks in both homes and offices and large networks in enterprises.

With the ability to intercept all link-layer traffic (that is, the traffic as it passes between Layers 1 and 2), an attacker can perform other attacks on higher layers. The most dire consequence occurs when an Internet connection isn’t encrypted—something that Google recently estimated occurred when as much as 6 percent and 20 percent of pages loaded on Windows and Linux, respectively. In these cases, the attacker can view and modify all traffic in the clear and steal authentication cookies, passwords, payment card details, and any other sensitive data. Since many company intranets are sent in plaintext, traffic from them can also be intercepted.

Even when HTTPS is in place, an attacker can still intercept domain look-up traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system. The AirSnitch MitM also puts the attacker in the position to wage attacks against vulnerabilities that may not be patched. Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for February 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

February 2026 was led by CVE-2026-1731, a Critical-severity issue affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with 158 sightings. It was followed closely by CVE-2026-2441 in Google Chrome with 143 sightings.

Microsoft-related vulnerabilities were also prominent in the top 10, including CVE-2026-20841 (Windows Notepad) and CVE-2026-21509 (Microsoft 365 Apps for Enterprise). Other heavily sighted entries spanned enterprise recovery and networking products such as Dell RecoverPoint for Virtual Machines (CVE-2026-22769) and Cisco Catalyst SD-WAN Manager (CVE-2026-20127), as well as platform and tooling ecosystems like Apple macOS (CVE-2026-20700), Ivanti Endpoint Manager Mobile (CVE-2026-1281), and n8n (CVE-2026-25049).

February continued to be an active month for known exploited vulnerabilities. The CISA Known Exploited Vulnerabilities catalog added 28 new entries during the month. Notable additions include:

• CVE-2026-1731: BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA)
• CVE-2026-2441: Google Chrome
• CVE-2026-20127: Cisco Catalyst SD-WAN Manager
• CVE-2026-22769: Dell RecoverPoint for Virtual Machines
• CVE-2025-49113: Roundcube Webmail
• CVE-2020-7796: synacor zimbra_collaboration_suite

The CIRCL Known Exploited Vulnerabilities catalog added three entries (CVE-2026-25108, CVE-2026-1340, and CVE-2026-1281), while the ENISA KEV catalog had no new entries in February.

The Ghost CVE Report highlights eight vulnerability identifiers that were observed in sightings despite limited or missing public records. The most frequently sighted were CVE-2023-42344 (5 occurrences) and CVE-2026-1584 (4 occurrences), followed by CVE-2026-23456 (3 occurrences).

Contributor insights this month covered Cisco Catalyst SD-WAN vulnerabilities, an IceWarp command-injection RCE, analysis of CVEs affecting the Svelte ecosystem, TP-Link VIGI IP camera issues, and reporting on UAC-0001 (APT28) activity leveraging CVE-2026-21509.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-1731	158	BeyondTrust	Remote Support(RS) & Privileged Remote Access(PRA)	Critical (confidence: 0.9914)
CVE-2026-2441	143	Google	Chrome	High (confidence: 0.9908)
CVE-2026-20841	131	Microsoft	Windows Notepad	High (confidence: 0.9833)
CVE-2026-21509	113	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9687)
CVE-2026-22769	91	Dell	RecoverPoint for Virtual Machines	Critical (confidence: 0.9356)
CVE-2026-20127	76	Cisco	Cisco Catalyst SD-WAN Manager	Critical (confidence: 0.9411)
CVE-2026-20700	69	Apple	macOS	High (confidence: 0.9705)
CVE-2026-1281	69	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)
CVE-2026-25253	55	OpenClaw	OpenClaw	High (confidence: 0.7975)
CVE-2026-25049	54	n8n-io	n8n	Critical (confidence: 0.617)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-20127	2026-02-25	Cisco	Cisco Catalyst SD-WAN Manager	High (confidence: 0.9183)
CVE-2022-20775	2026-02-25	Cisco	Cisco Catalyst SD-WAN	High (confidence: 0.9894)
CVE-2026-25108	2026-02-24	Soliton Systems K.K.	FileZen	High (confidence: 0.8244)
CVE-2025-49113	2026-02-20	Roundcube	Webmail	High (confidence: 0.7952)
CVE-2025-68461	2026-02-20	Roundcube	Webmail	Medium (confidence: 0.9892)
CVE-2021-22175	2026-02-18	GitLab	GitLab	Medium (confidence: 0.7533)
CVE-2026-22769	2026-02-18	Dell	RecoverPoint for Virtual Machines	Critical (confidence: 0.9356)
CVE-2020-7796	2026-02-17	synacor	zimbra_collaboration_suite	Critical (confidence: 0.5846)
CVE-2024-7694	2026-02-17	TeamT5	ThreatSonar Anti-Ransomware	High (confidence: 0.9626)
CVE-2008-0015	2026-02-17	Microsoft	Windows	High (confidence: 0.981)
CVE-2026-2441	2026-02-17	Google	Chrome	High (confidence: 0.9908)
CVE-2026-1731	2026-02-13	BeyondTrust	Remote Support(RS) & Privileged Remote Access(PRA)	Critical (confidence: 0.9914)
CVE-2025-15556	2026-02-12	notepad-plus-plus	notepad-plus-plus	High (confidence: 0.9083)
CVE-2026-20700	2026-02-12	Apple	MacOS	High (confidence: 0.9705)
CVE-2024-43468	2026-02-12	Microsoft	Microsoft Configuration Manager	High (confidence: 0.8181)
CVE-2025-40536	2026-02-12	SolarWinds	Web Help Desk	High (confidence: 0.7215)
CVE-2026-21533	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.9889)
CVE-2026-21510	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.5272)
CVE-2026-21513	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.8378)
CVE-2026-21514	2026-02-10	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9769)
CVE-2026-21519	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.9183)
CVE-2026-21525	2026-02-10	Microsoft	Windows 10 Version 1607	Medium (confidence: 0.9918)
CVE-2026-24423	2026-02-05	SmarterTools	SmarterMail	Critical (confidence: 0.9798)
CVE-2025-11953	2026-02-05	react-native-community	react_native_community_cli	Critical (confidence: 0.987)
CVE-2019-19006	2026-02-03	sangoma	freepbx	Critical (confidence: 0.6005)
CVE-2025-64328	2026-02-03	FreePBX	filestore	High (confidence: 0.7976)
CVE-2021-39935	2026-02-03	GitLab	GitLab	Medium (confidence: 0.8559)
CVE-2025-40551	2026-02-03	SolarWinds	Web Help Desk	Critical (confidence: 0.9385)

More KEV entries from the CISA Catalog.

CIRCL

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-25108	2026-02-26	Soliton Systems K.K.	FileZen	High (confidence: 0.8244)
CVE-2026-1340	2026-02-03	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)
CVE-2026-1281	2026-02-03	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)

More KEV entries from the CIRCL Catalog.

ENISA

No new entry in February.

More KEV entries from the ENISA Catalog.

Top 10 Weaknesses of the Month

Ghost CVE Report

A ghost CVE is a vulnerability identifier that's already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2026-02-01 and 2026-02-28 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	5	OpenCMS Unauthenticated XXE Vulnerability
CVE-2026-1584	4	libgnutls: Fix NULL pointer dereference in PSK binder verification
CVE-2026-23456	3	YoSmart YoLink Smart Hub
CVE-2025-15576	2	FreeBSD 14.3 and 13.5 (Jail chroot escape via fd exchange with a different jail)
CVE-2026-3038	2	All supported versions of FreeBSD (Local DoS and possible privilege escalation via routing sockets)
CVE-2025-13050	2	Multiple vulnerabilities in Centreon products
CVE-2025-12523	2	Multiple vulnerabilities in Centreon products
CVE-2025-71210	2	Multiple vulnerabilities in Trend Micro products (KA-0022458)

Insights from Contributors

• Cisco Catalyst SD-WAN Vulnerabilities
• IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability
• MajorDoMo Revisited: What I Missed in 2023
• CVEs affecting the Svelte ecosystem
• TP-Link Systems Inc. VIGI Series IP Camera
• UAC-0001 (APT28) carries out cyberattacks against Ukraine and EU countries using the exploit CVE-2026-21509

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.