Weekly Cyber Threat Advisory (9–15 Feb 2026)

2/18/2026

Organizations are facing an increasingly volatile cyber threat landscape, with new zero‑day vulnerabilities, VPN weaknesses, data breaches, and large‑scale malware campaigns emerging every week.

1. Vulnerability Details

1.1: Microsoft Word zero‑day bypasses protections

Microsoft disclosed a high-severity zero-day vulnerability in Word (CVE-2026-21514, CVSS 7.8) on February 10, 2026. It is actively exploited in the wild to bypass OLE security mitigations, letting a malicious document evade Protected View and the "Enable Content" prompt so that a phishing attachment runs with no visible warning. Affected products include Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 (Windows/Mac); Microsoft has released patches, and CISA added the CVE to its Known Exploited Vulnerabilities catalog with a March 3 federal patching deadline. Organizations should apply the updates immediately, block suspicious Office attachments at email gateways, and remind users that an unsolicited document that opens without the usual warnings is itself a red flag.

Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514

1.2: FortiOS LDAP authentication bypass in VPN and SSO

Fortinet disclosed CVE-2026-22153, a critical authentication bypass (CVSS 7.5) in FortiOS 7.6.0–7.6.4 that affects SSL-VPN, Agentless VPN, and FSSO. The root cause is flawed handling of LDAP unauthenticated binds by the fnbamd daemon, which lets remote attackers gain unauthorized VPN/SSO access; the risk is highest for financial, government, and critical infrastructure organizations that rely on Fortinet. The 8.0, 7.4, 7.2, 7.0, and 6.4 branches are not affected. Upgrade to 7.6.5 or later immediately; as an interim mitigation, disable unauthenticated LDAP binds on the directory server (for example, DenyUnauthenticatedBind in Active Directory).

Ref: https://fortiguard.fortinet.com/psirt/FG-IR-25-1052
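The logic behind this bug class, as an added example that is not code from the advisory or from Fortinet. RFC 4513 section 5.1.2 defines an unauthenticated bind as a simple bind with a non-empty DN and an empty password; directories often answer it with resultCode 0 while granting only anonymous access, so an authenticator that equates "bind succeeded" with "password verified" accepts any username with a blank password. The directory, user table and result codes below are constructed; `deny_unauthenticated` models the DenyUnauthenticatedBind setting named above.

```python
# Added example, not from the advisory or Fortinet: client-side handling of
# LDAP unauthenticated binds (non-empty DN, empty password), shown as the
# vulnerable pattern beside the hardened one. The directory is a toy.
from dataclasses import dataclass

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53


@dataclass
class BindResult:
    result_code: int
    authz_id: str  # "dn:<dn>" when really bound as that DN, "" when anonymous


def directory_bind(dn: str, password: str, users: dict,
                   deny_unauthenticated: bool = False) -> BindResult:
    """Constructed directory. deny_unauthenticated models the Active Directory
    DenyUnauthenticatedBind setting (real servers' reject code may differ)."""
    if dn and password == "":
        if deny_unauthenticated:
            return BindResult(UNWILLING_TO_PERFORM, "")
        return BindResult(SUCCESS, "")  # success code, but an anonymous session
    if users.get(dn) == password:
        return BindResult(SUCCESS, f"dn:{dn}")
    return BindResult(INVALID_CREDENTIALS, "")


def vulnerable_login(dn: str, password: str, users: dict, **kw) -> bool:
    """Trusts the result code alone: a blank password passes."""
    return directory_bind(dn, password, users, **kw).result_code == SUCCESS


def hardened_login(dn: str, password: str, users: dict, **kw) -> bool:
    """Never sends an unauthenticated bind, then confirms the session identity
    (in real code: the RFC 4532 "Who am I?" extended operation)."""
    if not dn or not password:
        return False
    res = directory_bind(dn, password, users, **kw)
    return res.result_code == SUCCESS and res.authz_id == f"dn:{dn}"
```

The server-side setting closes the hole even for the vulnerable client, but only the hardened client is safe against every directory it may be pointed at.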

1.3: Ivanti Endpoint Manager: credential exposure and SQL injection

Ivanti patched two critical flaws in Endpoint Manager (EPM) 2024 SU4 SR1 and earlier on February 9, 2026, fixed in version 2024 SU5: CVE-2026-1603 (CVSS 8.6 High), an unauthenticated bypass leaking stored credentials for lateral movement, and CVE-2026-1602 (CVSS 6.5 Medium), an authenticated SQL injection exposing arbitrary database data. These threaten crown-jewel credentials and configs in enterprises/governments using Ivanti for endpoint/privileged access management; prioritize upgrades to SU5, audit auth/database logs, and segment management interfaces.

Ref: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US

2. Global attack campaigns and regional implications

2.1: Data Breach at Dutch Telecom Carrier Odido

A major data breach at Dutch telecom provider Odido exposed personal and financial data of approximately 6.2 million customers, including bank account and government ID numbers. While services remained operational, the incident demonstrates how attackers target telecoms for rich identity data that can fuel advanced phishing and fraud campaigns worldwide.

Ref: https://www.odido.nl/veiligheid

2.2: BADIIS SEO Poisoning Campaign

Researchers uncovered the BADIIS malware campaign, which compromised over 1,800 Windows servers globally via a malicious IIS module used for SEO poisoning. The malware manipulates HTTP traffic to inject keywords and backlinks for gambling and cryptocurrency sites, while remaining invisible to administrators by serving clean content to normal users.

Ref: https://www.elastic.co/security-labs/badiis-to-the-bone-new-insights-to-global-seo-poisoning-campaign
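An offline hunt for the persistence mechanism described above, as an added example that is not code from the advisory or from Elastic. Native IIS modules are registered under `<globalModules>` in `%windir%\System32\inetsrv\config\applicationHost.config`; a module that is not on the server's known-good list, or whose DLL is loaded from outside the inetsrv directory, is a lead worth pulling. The known-good set and the sample configuration are constructed for this example.

```python
# Added example, not from the advisory or Elastic's write-up: flag unexpected
# native IIS modules in an exported applicationHost.config.
import xml.etree.ElementTree as ET

# Stock module names shipped with IIS; extend with modules you install on purpose.
KNOWN_GOOD = {"CacheUriModule", "StaticFileModule", "DefaultDocumentModule",
              "RequestFilteringModule", "AnonymousAuthenticationModule"}
TRUSTED_PREFIXES = ("%windir%\\system32\\inetsrv\\",
                    "c:\\windows\\system32\\inetsrv\\")


def suspicious_modules(config_xml: str) -> list:
    """Return each <globalModules><add> entry with the reasons it stands out."""
    root = ET.fromstring(config_xml)
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons = []
            if name not in KNOWN_GOOD:
                reasons.append("name not on known-good list")
            if not image.lower().startswith(TRUSTED_PREFIXES):
                reasons.append("DLL loaded from outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


# Constructed sample: two stock modules and one planted in a temp directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SeoHelper" image="C:\\Windows\\Temp\\seohelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for f in suspicious_modules(SAMPLE_CONFIG):
        print(f"{f['name']:<20} {f['image']}  <- {', '.join(f['reasons'])}")
```

Pair the config review with a user-agent differential test (fetch the same URL as a search-engine crawler and as a browser and diff the bodies), since the advisory notes the module serves clean content to normal visitors.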

3. Security News

3.1: Russia Blocks WhatsApp: Digital Sovereignty Escalates

Russia escalated its digital sovereignty push on February 12, 2026, throttling WhatsApp nationwide after Roskomnadzor removed it from the online services directory. Messaging and calls for more than 100 million users were disrupted, with VPNs offering only partial relief because they are now being throttled as well. The move promotes the Kremlin-backed MAX super-app, a WeChat-style platform that integrates chat, banking, documents, and state services but lacks end-to-end encryption, raising surveillance and phishing concerns for users and businesses. Coming after curbs on Signal and Telegram over data compliance disputes, it means organizations in Russia must prioritize secure communications planning, MFA, and contingency strategies as geopolitical controls on encrypted platforms tighten.

Ref: https://x.com/WhatsApp/status/2021749165835829485

3.2: 300 Malicious Chrome Extensions

More than 300 malicious Chrome extensions with a combined 37.4 million downloads were exposed for large‑scale data theft and tracking, including exfiltration of browsing history, search data, and even Gmail content via full‑screen iframes and aggressive permissions abuse.

These developments reinforce the need for strict third‑party risk management, hardened browser extension policies, and continuous monitoring of public‑facing Windows and IIS servers.

Ref: https://github.com/qcontinuum1/spying-extensions/blob/main/report.pdf
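A triage check for the extension allowlist process recommended above, as an added example that is not code from the advisory or from the linked report. It reads an extension's manifest.json and scores the combination the advisory describes as abused: broad host access plus permissions that reach browsing history, cookies or Gmail. The permission sets, weights and thresholds are this example's own choices, and the sample manifest is constructed.

```python
# Added example, not from the advisory or the linked report: score a Chrome
# extension manifest (MV2 or MV3) for the data-theft pattern described above.
import json

HIGH_RISK = {"history", "cookies", "tabs", "webRequest", "scripting",
             "nativeMessaging", "management", "debugger", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the risky API permissions, broad and mail host patterns, a score
    and a verdict. Weights and thresholds are this example's assumptions."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    api = sorted(perms & HIGH_RISK)
    broad = sorted(hosts & BROAD_HOSTS)
    mail = sorted(h for h in hosts if "mail.google.com" in h)
    score = len(api) + 2 * len(broad) + 2 * len(mail)
    verdict = "block" if score >= 4 else ("review" if score else "allow")
    return {"api": api, "broad_hosts": broad, "mail_hosts": mail,
            "score": score, "verdict": verdict}


# Constructed sample manifest in the shape of the abusive pattern.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Free Coupon Finder",
  "permissions": ["history", "cookies", "scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

A "review" or "block" verdict is an input to the allowlist decision, not a proof of malice; benign password managers and mail tools legitimately request some of these permissions.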

3.3: Apple zero‑day reinforces patching discipline

Apple also released critical security updates for CVE‑2026‑20700, a memory corruption zero‑day in dyld affecting iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Exploitation allows arbitrary code execution, and Apple confirmed targeted attacks against specific individuals using versions of iOS prior to iOS 26.

Updated versions such as iOS 26.3, macOS Tahoe 26.3, and corresponding releases for legacy systems are now available, and organizations should include Apple devices in their formal vulnerability management programs rather than treating them as lower‑risk consumer platforms. Enforcing timely updates and monitoring for suspicious device behaviour are essential to protect executives, high‑net‑worth individuals, and sensitive operational staff.

Ref: https://support.apple.com/en-us/100100 and https://support.apple.com/en-us/126346

The priorities for IT leaders are clear: accelerate patching, harden VPN and SSO, audit public‑facing servers, and enforce strict browser extension policies. If you’d like the full advisory, feel free to reach out. Take Complimentary Cyber Threat Assessment & Consultation: https://forms.gle/215oZk1AE2BSpu9P9