Following several out-of-band emergency security updates in 2026, Microsoft has fixed six additional actively exploited zero-day vulnerabilities in their February Patch Tuesday releases. CVE-2026-21510 and CVE-2026-21513 both carry CVSS score 8.8 and both allow an unauthorized attacker to bypass a security feature over a network due to failure of a protection mechanism, in Windows Shell and MSHTML, respectively. Three of the flaws are rated CVSS 7.8: CVE-2026-21514 affects Microsoft Word and allows local security feature bypass due to reliance on untrusted inputs, and both CVE-2026-21533 and CVE-2026-21519 allow privilege escalation by an authorized attacker, due to improper privilege management in Windows Remote Desktop and type confusion in Desktop Window Manager, respectively. The sixth zero-day, CVE-2026-21525, is rated CVSS 6.2, and allows local denial of service (DoS) by an unauthorized attacker, due to a null pointer dereference in Windows Remote Access Connection Manager. All the exploited flaws have been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog (CISA KEV). Of the 59 total flaws addressed in the release, five are rated critical but are not known to be exploited: three vulnerabilities affecting Azure Arc, Azure Front Door, and Azure Function, and two affecting Microsoft Azure Container Instances (ACI) Confidential Containers.

After those recent out-of-cycle updates earlier this year you may be feeling a bit off on MS patches, but it’s time to get back on that horse and get these rolling. The patch set includes fixes for remote code injection in GitHub Copilot as well as updates for multiple development environments including VS Code, Visual Studio and JetBrains.
SANS Internet Storm Center
Krebs on Security
SecurityWeek
TechCrunch
BleepingComputer
The Hacker News
Apple's Patch Tuesday release notably includes a fix for a zero-day flaw affecting all Apple operating systems (iOS, iPadOS, macOS Tahoe, watchOS, tvOS, and visionOS) before version 26.3, reportedly exploited in targeted attacks against iOS before iOS 26. CVE-2026-20700 allows an attacker with memory write capability to execute arbitrary code due to a memory corruption issue in the operating system's dynamic link editor (dyld); the flaw has not been given a CVSS rating at the time of this writing, and Apple states that it has been addressed with improved state management. These attacks also involved two related flaws reported in December 2025: CVE-2025-14174, out of bounds memory access in Chrome's ANGLE, and CVE-2025-43529, arbitrary code execution due to a use-after-free issue in WebKit.

‘Apple updated everything,’ is a good way to look at this. Don’t wait on Apple to assign CVSS scores to roll out the updates; these flaws are already being targeted. This is a good time to make sure all your devices are on the 26 OS branch, to include making plans to replace those which won’t support it. Your mobile users may be asking about the precise location setting in 26.3 — remember that feature needs both device and carrier support.
SANS Internet Storm Center
Apple
The Register
BleepingComputer
The Hacker News
SecurityWeek
On Tuesday, February 10, *SAP* published 27 security notes. Of those, 26 are new and one is an update of an earlier note. The February release includes fixes for two critical flaws: CVE-2026-0488, a code injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor); and CVE-2026-0509, a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform. *Adobe* released nine advisories that address a total of 44 security issues in Audition, After Effects, InDesign Desktop, Substance 3D Designer, Substance 3D Stager, Substance 3D Modeler, Bridge, Lightroom Classic, and the DNG SDK. And finally, this week, the US Cybersecurity and Infrastructure Security Agency (CISA) published 15 *Industrial Control System (ICS)* security advisories to address vulnerabilities in products from Airleader (1 advisory), Hitachi (1 advisory), Siemens (8 advisories), ZOLL (1 advisory), AVEVA (2 advisories), ZLAN (1 advisory), and Yokogawa (1 advisory).

Start planning the rollout of the SAP updates now; your ERP system owner isn’t going to let you just click deploy without testing, and these need to be put in place. With luck the Adobe updates are handled by Creative Cloud, so you just need to verify they’re done. Ask your ICS team for relevance and deployment/mitigation plans for the updates. Best outcome, this is another tracking/verification task rather than a hands-on issue for you.

The cost of patching continues to rise.
SecurityWeek
SAP
NIST
NIST
SecurityWeek
Adobe
CISA
SecurityWeek
Fortinet released security advisories on Tuesday, February 10, including a fix for CVE-2025-68686 (CVSS 5.9), which would allow a remote unauthenticated attacker to bypass Fortinet's existing patches for flaws known to be exploited in 2025 (CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762). Two of the new advisories address high-severity flaws. CVE-2025-52436, CVSS score 8.8, allows an unauthenticated attacker to execute commands by crafting requests in Fortinet FortiSandbox 4.0, 4.2, 4.4.0 to 4.4.7, and 5.0.0 to 5.0.1, due to a cross-site scripting flaw created by improper neutralization of input during web page generation. CVE-2026-22153, CVSS score 8.1, allows an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy under a specific LDAP server configuration, due to an authentication bypass by primary weakness vulnerability in FortiOS 7.6.0 to 7.6.4. The previous Friday, Fortinet also released a patch for FortiClientEMS before 7.4.5, addressing CVE-2026-21643 (CVSS 9.1), which allows an unauthenticated attacker to execute code or commands using crafted HTTP requests, due to an SQL injection flaw.

Fortinet released eight updates on Tuesday. Their PSIRT page has information for you to track affected products and versions. Make plans both to deploy the updates and to get on the latest supported versions for your Fortinet devices. These flaws are just too tempting to risk old versions, let alone deferred updates. Augment that with the scenario of updates to the update, which doesn’t include the old version you’re running. You don’t want to have to explain that after an incident.
Fortiguard
Fortiguard
SecurityWeek
The Hacker News
An act of sabotage in early January 2026 caused power outages in Berlin that lasted for days, leaving more than 100,000 people without electricity and affecting 2,000 companies. Dr. Ralf Wintergerst, president of the German digital association Bitkom, said "Hybrid attacks on Germany, which operate in a gray area between war and peace, are not a potential risk; they are a reality. Therefore, we must massively increase the resilience of the economy, government, and society." Bitkom commissioned a survey of 604 companies that have 10 or more employees in Germany, and the responses show that a majority of German companies are not confident they could maintain operations for more than 20 hours during an internet outage; five percent said they would likely need to shut down operations immediately. Just eight percent of companies responded that they could maintain operations for more than 48 hours. Attacks against energy supply, the financial and insurance sectors, and telecommunications and IT were most likely to disrupt the ability to maintain operations, according to those surveyed. Other indicated sectors for concern include water supply, transportation, and traffic.
Cyber resilience, or critical infrastructure resilience in this case, has been a topic of discussion for decades; but here we are. The reality is that resilience comes at a cost to the company and most defer that risk to focus on market share and profitability. This report focuses on Germany, but it's likely true of every other country.

It’s easy to assume your Internet connection will remain up during a utility outage, so all you need is to keep your facility online. But what if the path is severed? When is the last time you thought about path diversity or alternate ISPs? Now add to that the connection to your hosted and cloud services. Business continuity planning is more complicated these days, let alone testing said plans. It’s really easy to treat those as paper or other unimportant exercises; they are not. You may discover that being offline is better than attempting to failover to a low bandwidth backup connection. Make sure senior management is on board with the plan and impacts; they may have different expectations.

Recent events such as alleged Russian cyberattacks against European power networks and the impact of ever stronger storms on power and telecoms infrastructure mean that all businesses need to view cyber resilience as a key factor in how they maintain doing business in the event of a major outage. A major outage of power, internet infrastructure, or telecom networks is increasingly a question of when and not if.

This situation is not limited to Germany. Not only must one expect armed conflict to include attacks against electrical distribution, but one must anticipate covert attacks against electrical infrastructure in preparation for any potential armed conflict. The time to deal with this is before any armed conflict.
The Netherlands' largest mobile phone company has disclosed a data breach affecting as many as 6.2 million individuals. Odido says that on February 7, 2026, intruders downloaded a data file containing names, physical addresses, phone numbers, customer numbers, email addresses, account numbers, dates of birth, and passport and driver’s license information. The company has notified the Dutch Data Protection Authority (AP) and will contact affected customers via email or text message. Odido has roughly 7 million customers and has operated under several different names over the past few years, including T-Mobile Netherlands.
Two questions for Odido: 1) Do you really need to keep all that PII? and 2) Is that really the best way to contact affected customers? We’re programmed these days to suspect and delete email and text messages, from online scams to phishing training.

I’m wondering how effective the notification plan will be. There is a certain authority to messages from your carrier, but less so with all the spam these days. If you’re thinking of email or text for breach notification requirements, consider planning to use both to increase the likelihood the message gets through. You need to be prepared to mail physical statements where digital communication goes unanswered.

If you do not retain it after it has served its purpose, you will not leak it.
Microsoft introduced Secure Boot in 2011 to "ensure only trusted, digitally signed software can execute ... by blocking untrusted code at the earliest stage of the boot process." The original Secure Boot certificates begin expiring in June 2026. Microsoft writes that they have "begun rolling out new certificates as part of the regular monthly Windows updates to in-support Windows devices for home users, businesses and schools with Microsoft-managed updates. Organizations also have the option to manage the update process themselves using their preferred management tools." The new certificates will be installed automatically for users who have configured their systems to allow Microsoft to manage Windows updates. In some cases, devices may require firmware updates from their manufacturers prior to installing the new certificates. Users are advised to "check their OEM support pages to ensure they have the latest firmware updates." Microsoft urges users to update to Windows 11, as devices running Windows 10 and other unsupported versions of the operating system will not be receiving new certificates. Devices that do not receive updated certificates before the end of June 2026 will continue to operate, but "will enter a degraded security state that limits its ability to receive future boot-level protections."

These certificates were introduced with Windows 8 back in 2011. The update needs sufficient room in NVRAM to hold the certificates, and may require OEM firmware updates before they can be loaded. Dell has published a PowerShell command you can use to verify the new certificates are installed. Leverage it to verify your deployment process before you push it out enterprise wide.
Given the amount of work involved to update one/both firmware and certificates, it’s likely that many small organizations will simply not perform the update. Here’s hoping that they previously handed off the update process to Microsoft managed tools.
Windows
Ars Technica
Tom's Hardware
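As an added example for the verification step the editors recommend (this is not Dell's published command nor Microsoft's own script), the PowerShell below reads the UEFI KEK and DB variables on the local device and reports whether the 2023 Secure Boot CA certificates are present. It assumes an elevated session on a UEFI system with Secure Boot enabled; the certificate subject names are the 2023 CA names Microsoft has published, not values taken from this page.

```powershell
# Added example: check whether the 2023 Secure Boot certificates are present in
# this device's UEFI KEK and DB variables. Run from an elevated PowerShell on a
# UEFI system. Certificate names are Microsoft's published 2023 CA subject names
# (an assumption of this example, not quoted from the newsletter).

$checks = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

# Confirm-SecureBootUEFI returns $false when Secure Boot is off and throws on
# legacy BIOS systems, where none of the checks below apply.
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this device; the results below are not meaningful.'
}

$results = foreach ($c in $checks) {
    # Get-SecureBootUEFI returns the raw variable contents. The subject names
    # appear as plain ASCII strings inside the DER-encoded certificates, so a
    # substring match is enough to tell whether each certificate is present.
    $bytes = (Get-SecureBootUEFI -Name $c.Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    [pscustomobject]@{
        Variable    = $c.Variable
        Certificate = $c.Name
        Present     = [bool]($text -match [regex]::Escape($c.Name))
    }
}

$results | Format-Table -AutoSize

if ($results.Present -contains $false) {
    Write-Warning 'One or more 2023 certificates are missing: check OEM firmware and Windows Update status before the June 2026 expiry.'
}
```

Run it on a pilot device after the update has been applied, then again after any OEM firmware update, to confirm the deployment path works before pushing it fleet-wide.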
In a February 9 blog post, Microsoft introduced two initiatives intended to improve user security: "With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default. These safeguards ensure that only properly signed apps, services and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes." Users and admins will have the option of overriding the protections if and when they find it necessary. "User Transparency and Consent [brings] a more consistent and intuitive approach to how Windows communicates security decisions." The feature will alert users when apps attempt to access "sensitive resources" including files, cameras, and microphones. Both features are part of Microsoft's Secure Future Initiative.
A good security move by MSFT. It is likely to cause some issues early on, but with patience by users and IT staff, it has high likelihood to reduce the attack surface. Now if MSFT could only fix the patch management process...

This feels like a good model for home and general office workers. Even so, you’re going to want to test this thoroughly. While users can override the protection, you’re going to need to know when you want to allow that and which apps are going to need exceptions. You may need different baselines for some user profiles.

Safe by default should always be the preferred mode of operation. This is a significant change from Microsoft's historic preference for open and backwards compatible.
Windows
Help Net Security
BleepingComputer
SecurityWeek
Atlanta, Georgia-based ApolloMD has disclosed that a May 2025 ransomware attack resulted in the compromise of personal information belonging to 626,540 individuals. The company "provide[s] integrated, multispecialty physician, APC and practice management services" to more than 100 hospitals across the US. ApolloMD notified affected customers of the incident in September 2025, but did not inform the US Department of Health and Human Services Office for Civil Rights (HHS OCR) of the number of people affected until early February 2026. The intruders accessed information of individuals treated by doctors and practices served by ApolloMD; compromised data include names, birth dates, addresses, diagnoses, treatment information, dates of service, provider names, health insurance information, and Social Security numbers.

Kudos for notifying affected customers in a timely fashion. A few points off for forgetting to notify the regulator. If you’re processing data with breach notification requirements, make sure those are kept updated and are part of your exercise. It’s better to ask them for help understanding the requirements and reporting process prior to a breach; it helps answer tricky questions in an audit. Beyond timeline, be aware of fines, penalties, and follow-up actions they will require.

Anyone willing to bet that reliance on passwords was not implicated in this breach?
In a data breach notification filing with the Maine Attorney General's office, Volvo Group North America disclosed that the Conduent breach, which occurred in late 2024 and early 2025, exposed personal information of nearly 17,000 Volvo employees. Volvo Group North America manufactures commercial vehicles and heavy equipment, and passenger cars are manufactured by a separate division. Conduent detected the breach in January 2025; intruders had access to the systems of the benefits and back office outsourcing company starting in October 2024. Volvo's disclosure indicates that they learned company data were affected in the breach on January 21, 2026. Conduent has notified affected Volvo Group North America employees by mail, explaining that the incident involves "files associated with [their] current or former health plan." Recent reports indicate that the number of individuals believed to be affected by the Conduent breach has continued to grow. Numbers provided in filings with various US states suggest that tens of millions of individuals could be affected.

A year to discover information is exfiltrated is unacceptable. Make sure you are detecting breaches in a timely fashion and also quickly determining what data is affected. Yes, that’s a tall order. Your employees and customers deserve it.
A family member recently received a breach notification letter from Conduent. They don’t work for Volvo but received a letter nonetheless. So, the question: what was done to safeguard their PII/PHI in the year since the breach was discovered?
BleepingComputer
The Register
SC Media
SecurityWeek
TechCrunch
Maine AG
Document Cloud
SANS Internet Storm Center StormCast Friday, February 13, 2026
SSH Bot; OpenSSH MacOS Change; Abused Employee Monitoring
https://isc.sans.edu/podcastdetail/9808
Four Seconds to Botnet - Analyzing a Self-Propagating SSH Worm with Cryptographically Signed C2 [Guest Diary]
OpenSSH Update on MacOS
https://www.openssh.org/releasenotes.html
Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations
SANS Internet Storm Center StormCast Thursday, February 12, 2026
WSL in Malware; Apple and Adobe Patches
https://isc.sans.edu/podcastdetail/9806
WSL in the Malware Ecosystem
https://isc.sans.edu/diary/WSL+in+the+Malware+Ecosystem/32704
Apple Patches Everything: February 2026
https://isc.sans.edu/diary/Apple+Patches+Everything+February+2026/32706
Adobe Updates
https://helpx.adobe.com/security/security-bulletin.html
SANS Internet Storm Center StormCast Wednesday, February 11, 2026
Microsoft Patch Tuesday; Secure Boot Updates; Fake 7-Zip; FortiSlob
https://isc.sans.edu/podcastdetail/9804
Microsoft Patch Tuesday - February 2026
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+February+2026/32700
Refreshing the root of trust
Fake 7-Zip downloads are turning home PCs into proxy nodes
FortiNet Vulnerabilities
https://fortiguard.fortinet.com/psirt/FG-IR-25-093 (CVE-2025-52436)
https://fortiguard.fortinet.com/psirt/FG-IR-25-1052 (CVE-2026-22153)
SANS Leadership Summit | Monday, March 16, 2026 | Discover strategic insights at executive talks and real-world leadership lessons, and network with top CISOs and other cyber leaders.
Webinar | Tuesday, March 10, 2026, at 1:00 PM EDT | Securing Branch and OT Environments with Agentless Segmentation.
Webinar | Wednesday, March 11, 2026, from 10:30 AM to 1:30 PM EDT | 2026 SANS State of Identity Threats & Defenses Survey Insights Event: How Identity Became the New Security Perimeter — And What’s Next.
Summit | Tuesday, March 17, 2026 | SANS Leadership Summit Solutions Track 2026.