83% of Ivanti EPMM Exploitation From Single IP; CISA KEV adds SolarWinds WHD, MS Config Manager, and BeyondTrust Flaws

Research from the GreyNoise Global Observation Grid indicates that a single threat actor may account for at least 83% of the active exploitation of recently disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) were already known to be exploited at the time of Ivanti's disclosure and patch on January 29, 2026. Both flaws allow an unauthenticated attacker to achieve remote code execution (RCE) through code injection. Within a week, breaches of mobile infrastructure had been reported by the European Commission and by government organizations in the Netherlands and Finland, with some attacks seemingly taking place within 24 hours of Ivanti's advisory and watchTowr's proof-of-concept exploit description. "Between February 1 and February 9, GreyNoise sensors recorded 417 exploitation sessions from 8 unique source IPs," 346 of which originated from a single IP, registered to "PROSPERO OOO," labeled bulletproof by Censys, and ostensibly located in Russia. This malicious IP does not appear on the widely circulated indicators of compromise (IoCs) lists, and conversely the circulated IoCs do not appear in the exploitation GreyNoise observed. GreyNoise notes that "defenders benefit from a confidence-scoring framework for IOCs that accounts for infrastructure type, observed behavior concentration, and temporal proximity to the vulnerability window." The report offers analysis of the activity and exploitation techniques, and gives detailed recommendations for security leadership, security operations, and EPMM administrator teams for mitigation, threat hunting, and defense.

On Thursday, February 12, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog, including a critical security control bypass vulnerability in SolarWinds Web Help Desk (CVE-2025-40536) with a mitigation due date of February 15, 2026 for Federal Civilian Executive Branch (FCEB) agencies. The other three February 12 KEV additions are a critical SQL injection in vulnerability in Microsoft Configuration Manager (CVE-2024-43468), initially disclosed and patched in October 2024, that could lead to remote code execution; a high-severity update integrity verification vulnerability in Notepad++ versions prior to 8.8.9 (CVE-2025-15556); and a memory corruption issue in multiple Apple products (CVE-2026-20700). All three have mitigation due dates of March 5, 2026, for FCEB agencies. In addition, CISA added six Patch Tuesday-related Microsoft CVEs to the KEV on February 10, 2026. CISA also added a critical RCE vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) to the KEV on February 13, which is addressed in a separate story in this issue of NewsBites.

On Friday, February 13, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in internet-facing instances of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) to the Known Exploited Vulnerabilities (KEV) catalog. The critical OS command injection vulnerability (CVE-2026-1731) has a mitigation due date of February 16, 2026 for Federal Civilian Executive Branch (FCEB) agencies. On February 12, watchTowr Head of Threat Intelligence Ryan Dewhurst posted on social media that the company had "observed first in-the-wild exploitation of BeyondTrust across our global sensors. Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel." Dewhurst said that unpatched systems should assume compromise. BeyondTrust "issued and automatically deployed to all instances with BeyondTrust’s update service enabled" on February 2, 2026. On February 4, BeyondTrust emailed vulnerability notifications to self-hosted customers who had not already patched, and on February 6, BeyondTrust published a vulnerability advisory and sent follow-up emails to unpatched, self-hosted customers.

Google released a security fix in the Stable Desktop channel for Chrome on February 13, 2026, addressing a flaw known to be exploited in the wild. CVE-2026-2441, CVSS score 8.8, allows a remote attacker to execute arbitrary code inside a sandbox using a crafted HTML page, due to a use-after-free flaw in CSS in Chrome before version 145.0.7632.75. Google thanks Shaheen Fazim for reporting the vulnerability on February 11. BleepingComputer observed that the Chromium commit history indicates that the flaw stems from "an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome's implementation of CSS font feature values," and that the commit message suggests work on this fix is ongoing.

Researchers at ReversingLabs have observed a campaign to deliver remote-access Trojan (RAT) malware through a fraudulent job recruiting process targeting applicants for Python and JavaScript developer positions related to cryptocurrency. The campaign leverages a fake company with an established presence online to lend credibility to recruiters who approach targets directly on social media or lure them via job advertisements. Applicants are directed to GitHub repositories containing innocuous "test task" code instructing the developer to "run, debug, and improve the system as a DevOps engineer." The repositories themselves are not malicious, but once compiled and run they immediately pull malicious downloaders from dependencies legitimately hosted in npm and PyPI packages. One of the GitHub repositories, "bigmathutils", contained nothing malicious until it had been downloaded over ten thousand times, at which point an updated version was released including malicious payloads, before being quickly deprecated to conceal the malicious version. The final payload is a RAT, which notably uses token-protected communication with its command-and-control (C2) server, "something that was previously observed in campaigns attributed to North Korean state-sponsored actors." ReversingLabs offers indicators of compromise (IoCs), and posits that this is a state-sponsored campaign due to its "modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware."

Researchers at ETH Zurich (Eidgenössische Technische Hochschule Zürich/Federal Institute of Technology Zurich) and Università della Svizzera Italiana (USI) have published a paper detailing security vulnerabilities in password managers. The researchers examined the security architecture of the Bitwarden, LastPass, and Dashlane cloud-based password managers. The researchers write that they were able to successfully demonstrate 12 attacks against Bitwarden, seven attacks against LastPass, and six attacks against Dashlane. Although all three services claim to offer "zero-knowledge encryption," meaning that the stored passwords are encrypted and the providers have no access to further stored data, the researchers were able to view and in some cases change passwords in the tested password managers, and have offered suggestions for improving their security, including "updating the systems for new customers in line with the latest cryptographic standards." The researchers also recommend "choosing a password manager that is transparent about potential security vulnerabilities, undergoes external audits and, at the very least, has end-to-end encryption enable by default."

Researchers at Hudson Rock have observed infostealer malware targeting OpenClaw AI Agent configuration files. The data associated with OpenClaw (previously known as Clawdbot and Moltbot) is a tempting target for data thieves because the files are likely to contain secrets, including authentication tokens and API keys. OpenClaw is an AI assistant that is usually configured to be able to access local files, email, and communications apps. Hudson Rock writes that they observed the malware stealing openclaw.json files, device.json files containing cryptographic keys, and soul.md memory files.

Researchers from several Brazilian universities along with a researcher from the University of Notre Dame and two researchers from Siemens Corporation examined the GitHub security advisory (GHSA) review pipeline. Of the more than 288,604 GHSAs published between 2019 and 2025, just 23,563, or roughly 8.2 percent of those, were reviewed by GitHub. In a paper published earlier this month, the researchers "characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories.” The paper “further develop[s] a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline."

According to the HIPAA Journal's 2025 Healthcare Data Breach Report, the number of healthcare-related data breaches reported to the UDS Department of Health and Human Services Office for Civil Rights (HHS OCR) fell 4.3 percent from the number of breaches reported in 2024. HIPAA Journal notes that breaches that occurred in 2025 are still being added to the HHS OCR database, so that number could change. Data sets addressed in the report include number of individuals affected by large healthcare breaches (down over the last year, even when the nearly 193 million people affected by the Change Healthcare breach in 2024 are not included); largest breaches of 2025 (Aflac, with 13.9 million individuals affected, followed by Yale New Haven Health System and Episource, both with more than 5 million affected individuals); causes of healthcare data breaches (the majority were due to hacking or an IT incident); and the location of breached protected health information (PHI), with the majority of breaches occurring on network servers. The report also looks at geographical distribution of breaches and HIPAA violation penalties.