Emergency Briefing: Multiple Zero-Days Under Active Exploitation
Microsoft, Ivanti, SolarWinds vulnerabilities prompt CISA KEV additions
CISO Intelligence Emergency Briefing
**Date:** February 12, 2026 | **Time:** 14:00 CET
**Classification:** Confirmed Active Exploitations
Executive Summary
Three significant enterprise threats with confirmed active exploitation have emerged within the past 24-48 hours, all prompting CISA KEV additions. Immediate patching required for Microsoft environments, Ivanti EPMM, and SolarWinds Web Help Desk installations.
---
🚨 CONFIRMED ACTIVE EXPLOITATIONS
1. Microsoft Zero-Day Campaign (6 CVEs)
**Status:** Confirmed - CISA KEV Addition
**Impact:** Enterprise-Wide
**CVEs:** CVE-2026-21525, CVE-2026-21519, CVE-2026-21533, and three additional CVEs
Microsoft's February 2026 Patch Tuesday addressed six zero-day vulnerabilities under active exploitation. CISA has added all six to the Known Exploited Vulnerabilities catalog with Federal patching deadlines of March 3, 2026.
Key vulnerabilities include:
- CVE-2026-21525: Denial of service via null pointer dereference affecting VPN connections and remote access
- CVE-2026-21519 & CVE-2026-21533: Local privilege escalation requiring initial host access
- Additional vulnerabilities affecting Remote Desktop services and security feature bypass
Enterprise Impact: VPN disruptions, remote worker connectivity issues, privilege escalation risks across Windows environments.
Source: Microsoft Security Advisory | CISA KEV Details
2. Ivanti EPMM Zero-Days (Government Breaches)
**Status:** Confirmed - Government Agency Breaches
**Impact:** Critical Enterprise Mobile Management
**CVEs:** CVE-2026-1281 (CVSS 9.8), CVE-2026-1340
Unauthenticated remote code execution vulnerabilities in Ivanti Endpoint Manager Mobile have resulted in confirmed breaches of Dutch government agencies, including the Data Protection Authority and Council for the Judiciary.
Attack Details:
- Exploitation occurred on or before January 29, 2026
- Employee contact data exposed
- 83% of known exploitations linked to a single IP address on bulletproof hosting infrastructure
- "Sleeper" webshells deployed for persistence
Enterprise Impact: Complete compromise of mobile device management systems, potential for lateral movement and persistent access.
Source: Dutch Authority Breach Report | Technical Analysis
3. SolarWinds Web Help Desk RCE
**Status:** Confirmed - CISA KEV Addition
**Impact:** IT Service Management Systems
**CVE:** CVE-2025-40551
Critical remote code execution vulnerability in SolarWinds Web Help Desk added to CISA KEV following confirmed active exploitation. Attackers are running multi-stage attacks that deploy Cloudflare tunnels and Velociraptor for command and control.
Attack Pattern:
- Rapid deployment of Zoho Meetings for persistence
- Cloudflare tunnels for external connectivity
- Velociraptor framework for ongoing access
- Campaign active since mid-January 2026
Enterprise Impact: Compromise of IT service management platforms, potential credential harvesting, persistent backdoor access.
Source: CISA KEV Addition | Attack Analysis
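The persistence tooling named in the attack pattern above (Cloudflare tunnels, Velociraptor, Zoho Meeting) is typically installed as a Windows service, so new-service events are a practical place to look. The following Python triage script is an added example, not code from the briefing or its cited sources: it reads records shaped like Windows System log Event ID 7045 (service installed, carrying the service name and image path), matches them against those tooling families, and reports any host where the tool is not sanctioned. The log lines, host names, the allowlist and the name patterns (cloudflared, Velociraptor, ZohoMeeting) are constructed or assumed and should be tuned to the estate's own telemetry.

```python
"""Flag newly installed services that match tunnelling/remote-access tooling.

Added example, not code from the briefing or its sources. Input records mimic
Windows System log Event ID 7045 (service installed), which carries the service
name and image path. Anything matching the tooling families named in the
SolarWinds WHD campaign is reported unless that tool is sanctioned on that host.
All log lines, host names and allowlist entries below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Tooling families from the briefing. The name patterns are assumptions about
# the usual binary/service names and should be tuned to what is actually seen.
TOOLING_PATTERNS = {
    "cloudflare-tunnel": re.compile(r"cloudflared", re.I),
    "velociraptor": re.compile(r"velociraptor", re.I),
    "zoho-meeting": re.compile(r"zoho\s*meeting", re.I),
}

# (host, family) pairs where the tool is expected, e.g. the SOC's own
# Velociraptor server. Constructed for the example.
SANCTIONED = {("soc-velo-01", "velociraptor")}

# One record per line: host, event id, service name and image path.
LINE_RE = re.compile(
    r'host=(?P<host>\S+)\s+event_id=(?P<eid>\d+)\s+'
    r'service="(?P<svc>[^"]*)"\s+image="(?P<img>[^"]*)"'
)


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    family: str


def parse_line(line: str) -> Optional[dict]:
    """Split one record into its fields, or return None if it does not parse."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(service: str, image_path: str) -> Optional[str]:
    """Return the tooling family matched by service name or image path, else None."""
    haystack = f"{service} {image_path}"
    for family, pattern in TOOLING_PATTERNS.items():
        if pattern.search(haystack):
            return family
    return None


def triage(lines) -> list:
    """Return findings for 7045 events that install unsanctioned tooling."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["eid"] != "7045":
            continue  # only service-install events are of interest here
        family = classify(rec["svc"], rec["img"])
        if family is None or (rec["host"], family) in SANCTIONED:
            continue
        findings.append(Finding(rec["host"], rec["svc"], rec["img"], family))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'host=whd-app-01 event_id=7045 service="Cloudflared agent" image="C:\ProgramData\cf\cloudflared.exe tunnel run"',
    r'host=whd-app-01 event_id=7045 service="Velociraptor" image="C:\Program Files\Velociraptor\Velociraptor.exe service run"',
    r'host=soc-velo-01 event_id=7045 service="Velociraptor" image="C:\Program Files\Velociraptor\Velociraptor.exe service run"',
    r'host=whd-app-01 event_id=7045 service="Windows Update" image="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'host=whd-app-01 event_id=7036 service="Cloudflared agent" image="C:\ProgramData\cf\cloudflared.exe tunnel run"',
    r'host=hr-ws-12 event_id=7045 service="ZohoMeeting" image="C:\Users\Public\ZohoMeeting.exe"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host}: {f.family} via service '{f.service}' -> {f.image_path}")
```

Run over the constructed sample, the script reports the Cloudflare tunnel and Velociraptor installs on the help-desk server and the Zoho Meeting install on a workstation, while the SOC's sanctioned Velociraptor server and the 7036 state-change event are ignored. The allowlist is keyed on host and family rather than on path alone, since an attacker can drop a legitimate binary anywhere.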
---
Immediate Actions Required
1. Microsoft Environments: Deploy February 2026 Patch Tuesday updates immediately, prioritize zero-day patches
2. Ivanti EPMM: Verify patching status and conduct threat hunting for webshell indicators
3. SolarWinds WHD: Apply patches and audit for unauthorized access or persistence mechanisms
4. General: Review remote access logs, VPN connections, and mobile device management systems for anomalous activity
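Steps 1 to 3 above come down to knowing which assets carry a KEV-listed CVE and how long remains before its remediation due date. The following Python script is an added example, not code from the briefing or from CISA: it cross-references a KEV-style extract with an asset inventory and orders the outstanding work by days left. The CISA KEV catalog is published as JSON with one object per entry (fields include cveID, vendorProject, product and dueDate); KEV_EXTRACT is a constructed extract holding the CVEs named in the briefing. Only the Microsoft due date (March 3, 2026) is stated in the briefing, so the Ivanti and SolarWinds due dates are placeholders to be replaced from the live catalog, and the inventory hosts are constructed.

```python
"""Cross-reference a CISA KEV extract with an asset inventory to order patching.

Added example, not code from the briefing or from CISA. The KEV catalog is
published as JSON with one object per entry (cveID, vendorProject, product,
dueDate among its fields); KEV_EXTRACT is a constructed extract of the CVEs
named in the briefing. Only the Microsoft due date (March 3, 2026) is given in
the briefing; the Ivanti and SolarWinds due dates are PLACEHOLDERS and must be
taken from the live catalog. The inventory is constructed as well.
"""
from datetime import date

AS_OF = date(2026, 2, 12)  # briefing date

KEV_EXTRACT = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-21525", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-03-03"},
        {"cveID": "CVE-2026-21519", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-03-03"},
        {"cveID": "CVE-2026-21533", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-03-03"},
        # PLACEHOLDER due dates below: not stated in the briefing, replace from the live catalog.
        {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile", "dueDate": "2026-02-26"},
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile", "dueDate": "2026-02-26"},
        {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk", "dueDate": "2026-03-05"},
    ]
}

# Constructed inventory: vendor/product per host plus CVEs already remediated there.
ASSET_INVENTORY = [
    {"host": "dc-01", "vendor": "Microsoft", "product": "Windows Server", "patched_cves": []},
    {"host": "vpn-gw-02", "vendor": "Microsoft", "product": "Windows Server", "patched_cves": ["CVE-2026-21525"]},
    {"host": "mdm-01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "patched_cves": []},
    {"host": "helpdesk-01", "vendor": "SolarWinds", "product": "Web Help Desk", "patched_cves": []},
    {"host": "git-01", "vendor": "GitLab", "product": "GitLab", "patched_cves": []},  # not in this extract
]


def affects(asset: dict, entry: dict) -> bool:
    """Vendor must match exactly; the catalog product must appear in the inventory product."""
    return (asset["vendor"].lower() == entry["vendorProject"].lower()
            and entry["product"].lower() in asset["product"].lower())


def prioritize(kev: dict, inventory: list, as_of: date) -> list:
    """Return outstanding (host, CVE) pairs ordered by days left before the KEV due date.

    Negative days_left means the due date has already passed.
    """
    work = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not affects(asset, entry) or entry["cveID"] in asset["patched_cves"]:
                continue
            work.append({"host": asset["host"], "cve": entry["cveID"],
                         "due": due.isoformat(), "days_left": (due - as_of).days})
    work.sort(key=lambda w: (w["days_left"], w["host"], w["cve"]))
    return work


if __name__ == "__main__":
    for w in prioritize(KEV_EXTRACT, ASSET_INVENTORY, AS_OF):
        print(f"{w['days_left']:>3}d  {w['due']}  {w['host']:<12} {w['cve']}")
```

The script matches vendor exactly and the catalog product as a substring of the inventory product, which is deliberately loose: over-matching costs an analyst a quick dismissal, while under-matching silently leaves an exposed host off the list. Hosts with a CVE already in their patched list drop out, and the remaining work sorts by deadline so that anything overdue floats to the top.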
---
Additional Context
CISA has also added vulnerabilities affecting GitLab and Sangoma FreePBX to the KEV catalog during the same period, indicating a broader pattern of exploitation activity targeting enterprise infrastructure.
Compiled: Minerva | Sources: CISA, Microsoft MSRC, Ivanti Security Advisories, SolarWinds Security Center