This Month in Security: February 2026 - BeyondTrust RCE Mass Exploitation, Medical PHI Alterations, and AI Copilot Vulnerabilities


February 2026 was marked by mass exploitation of critical enterprise infrastructure vulnerabilities and a number of actively exploited zero-days from major vendors. From a critical WebSocket vulnerability in BeyondTrust granting attackers direct access to credential vaults, to Microsoft patching six zero-days simultaneously, the attack surface proved highly volatile this month. Meanwhile, data breaches continued to impact millions across the healthcare and food service sectors, and AI assistants themselves became the newly weaponized vector for remote code execution.
Critical Zero-Day Exploits
Threat actors heavily targeted core operating system components and privileged access management tools this month, leveraging zero-day flaws before patches were available.
- BeyondTrust Remote Support RCE (CVE-2026-1731): A CVSS 9.9 flaw allows unauthenticated remote code execution via crafted WebSocket messages. Because it targets Privileged Remote Access (PRA) appliances, attackers gain direct access to sensitive credential vaults and session tokens. Mass exploitation was observed within 24 hours of the public PoC being released (Orca Security).
- Windows Shell Security Bypass (CVE-2026-21510): This was one of six zero-days patched by Microsoft this month. The actively exploited flaw allows attackers to bypass Windows SmartScreen and Shell security prompts. A single click on a malicious shortcut (.lnk) file can execute attacker-controlled content without warning (Outpost24).
- Google Chromium Use-After-Free (CVE-2026-2441): A memory corruption flaw in Chromium's CSS component allows remote code execution if a user visits a maliciously crafted HTML page, impacting Chrome, Edge, and embedded enterprise tools (Cyber Press).
- Windows Remote Desktop Privilege Escalation (CVE-2026-21533): This flaw allows an authenticated attacker to modify service configuration keys and elevate their privileges to SYSTEM locally, enabling them to add new users to the Administrator group (CrowdStrike).
- GitHub Copilot RCE via Prompt Injection (CVE-2026-21516 / CVE-2026-21523): Microsoft patched multiple command injection flaws in GitHub Copilot for JetBrains, VS Code, and Visual Studio. Threat actors could trigger these vulnerabilities via malicious prompts to execute code on a developer's machine and steal sensitive API keys (Krebs on Security).
Notable Threats and Incidents
Data breaches this month affected tens of millions, with attackers not just stealing data but destructively altering it.
- Conduent Ransomware Fallout: Technology contractor Conduent is facing immense legal pressure following a ransomware attack by the SafePay group. The breach exposed the medical records, Social Security numbers, and claims data of an estimated 25 million people across the U.S., prompting an investigation by the Texas Attorney General (SWK Technologies).
- Panera Bread Mega-Breach: Restaurant chain Panera Bread faces multiple class-action lawsuits after the ShinyHunters hacking group published a 760 MB archive containing the personal information of 5.1 million customers. The data was dumped in retaliation for Panera refusing to pay an extortion demand (SWK Technologies).
- MediMap Health App Defacement: A major New Zealand healthcare app, MediMap, was taken offline after an unauthorized intrusion. Threat actors altered patient records within the system, including maliciously marking living patients as "deceased". This highlights the severe real-world impact of tampering with medical data integrity (RNZ).
- French National Bank Registry (FICOBA) Hack: The French Ministry of Finance disclosed a breach affecting 1.2 million accounts in its national bank account registry. Attackers used credentials stolen from a civil servant to access sensitive data, including international bank account numbers (IBANs) and taxpayer identification numbers (Bleeping Computer).
- Substack Data Scraping Incident: The newsletter platform disclosed that a threat actor known as "w1kkid" spent four months undetected inside its systems, scraping the personal data and internal metadata of nearly 700,000 users. The dataset was subsequently posted on BreachForums (SWK Technologies).
Policy and Framework Updates
Government agencies and industry leaders shifted their focus toward securing AI deployments and addressing the realities of modern identity-based attacks.
- Treasury's AI Cybersecurity Initiative: The U.S. Department of the Treasury announced a major public-private initiative to strengthen AI risk management in the financial sector. Throughout February, the agency is releasing new resources to help financial institutions deploy AI securely and defend against AI-driven threats (U.S. Department of the Treasury).
- Recorded Future 2026 State of Security: A new report released at the Munich Security Conference warned that cyber operations have fully integrated into global physical conflict. The report highlights that "identity is the new attack surface," with major intrusions now overwhelmingly starting with stolen credentials rather than technical exploits (PR Newswire).
Patches and Vulnerabilities
Microsoft Patch Tuesday: Fixed 59 vulnerabilities, an unusually high six of which were actively exploited zero-days.
- Security Bypass Flaws Dominate: Half of the actively exploited zero-days (CVE-2026-21510 in Windows Shell, CVE-2026-21513 in MSHTML, and CVE-2026-21514 in Microsoft Word) involved bypassing native Windows protections like SmartScreen and OLE mitigations, allowing attackers to execute code with minimal user interaction (SANS ISC).
- Desktop Window Manager (DWM) EoP (CVE-2026-21519): An actively exploited type-confusion vulnerability allows local attackers to elevate to SYSTEM privileges. This marks the second month in a row that a zero-day in DWM required emergency patching (Krebs on Security).
Key Takeaways for Staying Secure
- Restrict PRA/Remote Support Access: The BeyondTrust (CVE-2026-1731) mass exploitation highlights the extreme risk of exposing privileged access appliances to the open internet. Implement IP allowlists, geoblocking, and monitor WebSocket connections for anomalous behavior immediately.
- Aggressively Patch Windows OS: Six actively exploited zero-days were fixed this month, three of them bypasses of SmartScreen or Word protections. These patches should be a priority.
- Secure AI Coding Assistants: Treat developer tools like GitHub Copilot as high-risk attack vectors. With new RCE vulnerabilities triggered via prompt injection, apply least-privilege principles to ensure compromised developer AI agents cannot access critical cloud infrastructure secrets.
- Prioritize Identity Defense: As noted in the 2026 State of Security report, credential theft has overtaken technical exploits as the primary initial access vector. Enforce phishing-resistant MFA and closely monitor for session hijacking and credential stuffing.
- Monitor Health and Medical Data Integrity: The MediMap incident demonstrates that attackers are no longer just stealing data; they are actively altering it. Implement strict database auditing and integrity checks for systems holding life-critical information.
- Review Your Security Posture: When needed, reach out to a trusted provider, such as Cloud Security Partners, to review your security posture.
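The MediMap takeaway above calls for integrity checks on systems holding life-critical data. The following is an added example, not code from this post or from MediMap, of one way to make patient records tamper-evident: each record carries an HMAC over its protected fields, computed with a key that the application's ordinary database credentials cannot read, so a status flag flipped by a direct database write (or by a compromised credential that lacks the key) is caught on the next audit sweep. The key, the field list, and the sample records are constructed for the demo.

```python
"""Tamper-evident integrity checks for life-critical records (added example).

Each record is stored with an HMAC-SHA256 tag over its protected fields.
The tag key is held by an audit service or KMS, not alongside the
application's database password, so a write that bypasses the audited
update path cannot produce a valid tag and is flagged by audit().
"""
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key. In production this would come from an HSM/KMS
# and never sit next to the database credentials.
INTEGRITY_KEY = b"demo-integrity-key-do-not-use"

# Fields that must never change without going through the sealed,
# audited write path. Operational metadata (e.g. updated_by) is left out.
PROTECTED_FIELDS = ("patient_id", "name", "dob", "status", "allergies")


def canonical(record: dict) -> bytes:
    """Serialise only the protected fields with stable key order, so the
    MAC does not depend on dict ordering or on unprotected metadata.
    A missing protected field serialises as null and so also changes the MAC."""
    subset = {k: record.get(k) for k in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with its integrity tag attached.
    This is the only code path that should ever write a protected field."""
    sealed = dict(record)
    sealed["integrity_tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def verify(record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("integrity_tag", ""))


def audit(records: List[dict], key: bytes = INTEGRITY_KEY) -> List[Tuple[str, str]]:
    """Return (patient_id, reason) for every record that fails verification.
    Run this on a schedule from a host that holds the key but not write
    access to the application database."""
    findings = []
    for rec in records:
        if "integrity_tag" not in rec:
            findings.append((rec.get("patient_id", "?"), "missing integrity tag"))
        elif not verify(rec, key):
            findings.append((rec["patient_id"], "integrity tag mismatch: record altered outside the audited write path"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Seal constructed sample records, tamper with one directly, and audit."""
    db = [
        seal({"patient_id": "P-1001", "name": "A. Example", "dob": "1980-01-01",
              "status": "alive", "allergies": ["penicillin"], "updated_by": "nurse1"}),
        seal({"patient_id": "P-1002", "name": "B. Example", "dob": "1975-06-30",
              "status": "alive", "allergies": [], "updated_by": "nurse1"}),
    ]
    # Simulated unaudited write straight to the datastore: the status flag
    # is flipped without going through seal(), so the tag no longer matches.
    db[1]["status"] = "deceased"
    # A record inserted without ever being sealed is flagged as well.
    db.append({"patient_id": "P-1003", "name": "C. Example", "dob": "1990-02-02",
               "status": "alive", "allergies": []})
    return audit(db)


if __name__ == "__main__":
    for patient_id, reason in demo():
        print(f"ALERT {patient_id}: {reason}")
```

Which fields go into PROTECTED_FIELDS is a design decision: a change to an unprotected field such as updated_by does not fail verification, so anything whose silent alteration could harm a patient belongs in the protected set. The audit job should run under an identity that can read records and the key but cannot write to the application database, so that a compromise of the application tier alone cannot re-seal altered records.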
About the Author
Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.
Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.