ThreatScope by DIAMATIX
Critical Vulnerabilities Actively Exploited (09–15 February 2026)
Between 09–15 February 2026, the analyzed vulnerabilities once again highlight a recurring operational theme: remote exposure + execution primitives + weak isolation = scalable compromise.
This week’s findings affect operating systems, routers, enterprise workflow platforms, web servers, CMS plugins, orchestration environments, and widely used developer libraries.
While the technologies differ, the pattern is consistent: remote code execution, injection, authentication bypass, and memory safety failures continue to dominate high-impact risk.
Below, vulnerabilities are grouped by attack surface and operational impact.
Summary Overview
| Affected Area | Vulnerability Type | Potential Impact |
|---|---|---|
| Operating systems | Security feature bypass | Network-level compromise |
| Network devices | OS command injection | Device takeover |
| Enterprise workflow platforms | Unauthenticated RCE | Full system compromise |
| Web servers | Stack buffer overflow | Remote code execution |
| CMS plugins | Arbitrary file upload | Webshell deployment |
| Orchestration platforms | Root-level RCE | Cluster-wide compromise |
| Developer libraries | Code injection | RCE / XSS |
1. Operating Systems. Security Feature Bypass
Observed vulnerability:
Microsoft Windows Shell – Security mechanism bypass
CVE-2026-21510 (CVSS 8.8)
A protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over the network.
Why this matters:
Security bypass vulnerabilities weaken assumptions that other controls depend on. Once a core OS-level boundary is bypassed, attackers can pivot more easily into lateral movement and persistence.
2. Network Devices. OS Command Injection
Observed vulnerability:
Totolink WA300 – OS command injection
CVE-2026-2167 (CVSS 8.8)
Manipulation of the Ipaddr argument in the setAPNetwork function allows remote OS command execution.
Why this matters:
Network devices are often under-monitored and exposed externally. Command injection here enables long-term persistence and traffic manipulation, frequently without detection.
3. Enterprise Workflow Platforms. Unauthenticated RCE
Observed vulnerability:
Hyland OnBase Workflow Timer Service – Unauthenticated .NET Remoting RCE
CVE-2026-26221 (CVSS 10.0)
An exposed .NET Remoting endpoint allows crafted requests that trigger unsafe object unmarshalling. Attackers can achieve arbitrary file read/write, remote code execution, or NTLM credential coercion.
Why this matters:
Enterprise workflow systems often process sensitive documents and run with elevated privileges. Unauthenticated RCE in such environments can rapidly escalate into full infrastructure compromise.
4. Web Servers. Memory Corruption
Observed vulnerability:
lighttpd server – Stack buffer overflow
CVE-2026-22903 (CVSS 9.8)
A crafted HTTP request containing an overly long SESSIONID cookie triggers a stack buffer overflow, potentially leading to remote code execution.
Why this matters:
Memory corruption vulnerabilities remain highly exploitable, especially in internet-facing services. Missing stack protections increase the likelihood of reliable RCE.
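The overly long cookie described above is the kind of input a reverse proxy or WAF can refuse before a backend parser copies it into a fixed-size buffer. The following Python is an added example, not lighttpd code: it parses the header block of a raw request, splits the Cookie header into individual values and rejects any value over a size limit. The limits are illustrative policy values (assumption), and the two requests at the bottom are constructed test inputs.

```python
"""Per-cookie length enforcement in front of a backend HTTP parser.

Added example, not lighttpd code. The limits below are illustrative
policy values (assumption); the requests at the bottom are constructed.
"""
from typing import Dict, List, Tuple

MAX_COOKIE_VALUE_LEN = 512     # illustrative cap on one cookie value (assumption)
MAX_COOKIE_HEADER_LEN = 4096   # illustrative cap on a whole Cookie header (assumption)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x request into a
    lower-cased name -> list of values map. The body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:        # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split one Cookie header into name -> value pairs.
    A bare token without '=' is kept with an empty value."""
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if pair:
            name, sep, val = pair.partition("=")
            cookies[name.strip()] = val.strip() if sep else ""
    return cookies


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). The decision is made before any backend
    sees the cookie, so an oversized value never reaches a fixed-size buffer."""
    for header_value in parse_headers(raw).get("cookie", []):
        if len(header_value) > MAX_COOKIE_HEADER_LEN:
            return False, f"cookie header too long ({len(header_value)} bytes)"
        for name, value in parse_cookie_header(header_value).items():
            if len(value) > MAX_COOKIE_VALUE_LEN:
                return False, f"cookie {name!r} too long ({len(value)} bytes)"
    return True, "ok"


# Constructed requests for demonstration.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Cookie: SESSIONID=abc123; theme=dark\r\n"
    b"\r\n"
)
OVERSIZED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    + b"Cookie: SESSIONID=" + b"A" * 3000 + b"; theme=dark\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, check_request(req))
```

A limit like this is a generic blast-radius control rather than a patch: it does not fix the overflow, but it keeps untrusted cookie values below the size any reasonable session token needs while the vulnerable server is being updated.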
5. CMS Plugins. Arbitrary File Upload
Observed vulnerability:
WPvivid Backup & Migration (WordPress plugin) – Unauthenticated arbitrary file upload
CVE-2026-1357 (CVSS 9.8)
Improper error handling in RSA decryption combined with missing path sanitization allows attackers to upload arbitrary PHP files into publicly accessible directories, leading to remote code execution.
Why this matters:
CMS ecosystems remain a frequent entry point for attackers. Arbitrary file upload vulnerabilities almost always lead to webshell deployment and persistent compromise.
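The "missing path sanitization" half of the WPvivid issue is a general upload-handling failure, shown here as an added Python example that is not the plugin's code: the naive join of a client-supplied file name onto the upload directory sits next to a hardened version that strips directory components, refuses dotfiles, enforces an extension allowlist on every dotted segment, and confirms the resolved path is still under the upload root. The allowlist and name pattern are illustrative policy (assumption); the RSA error-handling part of the advisory is not modelled.

```python
"""Path and extension validation for an upload endpoint.

Added example, not WPvivid code. Allowlist and name pattern are
illustrative policy (assumption).
"""
import os
import posixpath
import re

ALLOWED_EXTENSIONS = {"zip", "sql", "gz", "tar"}        # illustrative (assumption)
# Suffixes a web server may hand to a script interpreter even when they are
# not the final extension (Apache mod_mime can treat "a.php.zip" as PHP under
# some configurations), so they are refused anywhere in the name.
INTERPRETED_SEGMENTS = {"php", "php5", "php7", "phtml", "phar", "cgi", "pl", "py"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def naive_target_path(upload_root: str, requested_name: str) -> str:
    """The pattern the advisory describes: client input joined straight onto
    the upload directory. '../' walks out of it and '.php' lands a file the
    server will execute. Returned here for comparison, never written."""
    return os.path.join(upload_root, requested_name)


def safe_target_path(upload_root: str, requested_name: str) -> str:
    """Return an absolute path inside upload_root, or raise ValueError."""
    # 1. Discard any directory component the client supplied (both separators).
    name = posixpath.basename(requested_name.replace("\\", "/"))
    # 2. Conservative character set, no dotfiles (.htaccess, .user.ini ...).
    if not SAFE_NAME.fullmatch(name) or name.startswith("."):
        raise ValueError(f"rejected file name: {requested_name!r}")
    # 3. Extension allowlist, with every dotted segment checked.
    segments = name.lower().split(".")
    if len(segments) < 2 or segments[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {requested_name!r}")
    if any(seg in INTERPRETED_SEGMENTS for seg in segments[1:]):
        raise ValueError(f"interpreted suffix in name: {requested_name!r}")
    # 4. Resolve symlinks and confirm the result is still under the root.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload root: {target!r}")
    return target


def is_acceptable_upload(upload_root: str, requested_name: str) -> bool:
    """Accept/reject wrapper for callers that do not need the path."""
    try:
        safe_target_path(upload_root, requested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/var/www/uploads"     # constructed path for the demo
    for candidate in ("backup.zip", "../../shell.php", "site.php.zip", ".htaccess"):
        print(f"{candidate!r:22} naive -> {naive_target_path(root, candidate)}")
        print(f"{'':22} safe  -> {is_acceptable_upload(root, candidate)}")
```

Storing uploads outside the web root, or in a directory where the server is configured not to execute scripts, removes the remaining risk even if a future check is bypassed; the path checks above are the minimum the handler itself should do.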
6. Orchestration & Deployment Platforms. Root-Level RCE
Observed vulnerability:
Catalyst platform – Remote code execution as root
CVE-2026-26009 (CVSS 10.0)
Server template install scripts execute directly via bash -c on the host operating system without sandboxing. Users with template permissions can define arbitrary commands that run as root across cluster nodes.
Why this matters:
When orchestration layers execute unsandboxed root commands, compromise scales horizontally across infrastructure. This transforms a single vulnerability into cluster-wide risk.
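Sections 2 and 6 are the same defect at two scales: a parameter (the Totolink Ipaddr argument) or a whole template step (Catalyst) is handed to a shell as a string. The Python below is an added example, not vendor code from either product: each vulnerable pattern sits beside a hardened form that validates the value with the standard ipaddress module or tokenises the step with shlex and allowlists the program, and passes an argv list so no shell parses the input. `netcfg` is a hypothetical CLI standing in for whatever the router applies an address with, and the template allowlist is illustrative policy (assumption). Nothing here executes a command; every function returns the argv it would run.

```python
"""Shell-string command execution beside hardened, shell-free forms.

Added example, not vendor code. `netcfg` is a hypothetical CLI and the
template allowlist is illustrative policy (assumption). Nothing here
executes a command: every function returns the argv it would run.
"""
import ipaddress
import shlex
from typing import List

# --- Pattern 1: an address parameter interpolated into a shell string --------

def vulnerable_set_ap_network(ipaddr: str) -> List[str]:
    """User input formatted into one string handed to `sh -c`: the shell
    treats ';', '|', '`' and '$(' inside the value as syntax, not data."""
    return ["sh", "-c", f"netcfg --ip {ipaddr}"]          # netcfg: hypothetical


def validate_ip(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return its canonical form."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address literal: {value!r}") from exc


def hardened_set_ap_network(ipaddr: str) -> List[str]:
    """Validate first, then build an argv list so no shell ever parses it
    (execute with subprocess.run(argv, shell=False))."""
    return ["netcfg", "--ip", validate_ip(ipaddr)]       # netcfg: hypothetical


def is_ip_literal(value: str) -> bool:
    try:
        validate_ip(value)
        return True
    except ValueError:
        return False

# --- Pattern 2: tenant-supplied template steps run through `bash -c` ---------

ALLOWED_TEMPLATE_COMMANDS = {"apt-get", "pip", "systemctl"}   # illustrative (assumption)


def vulnerable_template_step(step: str) -> List[str]:
    """Whatever the template says is the program, run by `bash -c` as root."""
    return ["bash", "-c", step]


def plan_template_step(step: str) -> List[str]:
    """Tokenise like a shell would, but never hand the string to one.
    A ';' or '|' in the step is just part of an argument to an allowlisted
    program, and the first token must be on the allowlist. Execute the
    result with subprocess.run(argv, shell=False, user="builder") or an
    equivalent unprivileged account, never as root."""
    argv = shlex.split(step)
    if not argv:
        raise ValueError("empty template step")
    if argv[0] not in ALLOWED_TEMPLATE_COMMANDS:
        raise ValueError(f"command not allowed in templates: {argv[0]!r}")
    return argv


def template_step_allowed(step: str) -> bool:
    try:
        plan_template_step(step)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("10.0.0.5", "2001:db8::1", "10.0.0.5; echo injected"):
        print(f"{value!r}: shell string {vulnerable_set_ap_network(value)[2]!r}, "
              f"accepted={is_ip_literal(value)}")
    for step in ("apt-get install nginx", "bash -c 'echo hi'"):
        print(f"{step!r}: allowed={template_step_allowed(step)}")
```

The two hardened functions share one property: the untrusted string is never interpreted by a shell, so metacharacters have no meaning. For the orchestration case the allowlist and the unprivileged account matter as much as the missing shell, because a template author is still allowed to run something on every node.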
7. Developer Libraries. Code Injection
Observed vulnerability:
jsonpath package – Arbitrary code injection
CVE-2026-1615 (CVSS 9.8)
Unsafe evaluation of user-supplied JSON Path expressions allows execution of arbitrary JavaScript code. This affects Node.js backends and browser environments.
Why this matters:
Libraries often propagate risk across many applications simultaneously. Code injection at the dependency layer can impact multiple services at once, amplifying exposure.
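The jsonpath finding is a library choosing to evaluate the expression as code instead of parsing it as data. The Python below is an added example, not the jsonpath package's code: an evaluator for a data-only JSONPath subset (`$`, `.name`, `['name']`, `[0]`, `[-1]`, `[*]`, `.*` and `..` recursive descent) that never calls an evaluator, and that refuses filter `?()` and script `()` selectors with an error, since those are the constructs that tempt an implementation into eval. The supported subset is this example's own choice and SAMPLE is a constructed document.

```python
"""A JSONPath evaluator for a small, data-only subset, with no eval.

Added example, not the jsonpath package's code. Filters and script
selectors are refused rather than evaluated. SAMPLE is constructed.
"""
import re
from typing import Any, List, Tuple

NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
INDEX = re.compile(r"-?\d+")


def parse_path(expr: str) -> List[Tuple[str, Any]]:
    """Turn an expression into (kind, arg) steps or raise ValueError."""
    if not expr.startswith("$"):
        raise ValueError("expression must start with '$'")
    steps: List[Tuple[str, Any]] = []
    pos = 1
    while pos < len(expr):
        if expr.startswith("..", pos):                 # recursive descent
            steps.append(("descend", None))
            pos += 2
            if expr.startswith("*", pos):
                steps.append(("wild", None))
                pos += 1
            elif (m := NAME.match(expr, pos)):
                steps.append(("child", m.group()))
                pos = m.end()
            # otherwise a '[...]' selector follows and the loop handles it
        elif expr.startswith(".", pos):                # .name or .*
            pos += 1
            if expr.startswith("*", pos):
                steps.append(("wild", None))
                pos += 1
            elif (m := NAME.match(expr, pos)):
                steps.append(("child", m.group()))
                pos = m.end()
            else:
                raise ValueError(f"expected a name at offset {pos}")
        elif expr.startswith("[", pos):                # [0], [*], ['name']
            end = expr.find("]", pos)
            if end < 0:
                raise ValueError("unterminated '['")
            inner = expr[pos + 1:end].strip()
            pos = end + 1
            if inner == "*":
                steps.append(("wild", None))
            elif INDEX.fullmatch(inner):
                steps.append(("index", int(inner)))
            elif len(inner) >= 2 and inner[0] == inner[-1] and inner[0] in "'\"":
                steps.append(("child", inner[1:-1]))
            else:
                # '?(...)' filters and '(...)' script selectors land here.
                raise ValueError(f"unsupported selector {inner!r}: "
                                 "filters and scripts are not evaluated")
        else:
            raise ValueError(f"unexpected {expr[pos]!r} at offset {pos}")
    return steps


def _children(node: Any) -> List[Any]:
    if isinstance(node, dict):
        return list(node.values())
    if isinstance(node, list):
        return list(node)
    return []


def _descendants(node: Any) -> List[Any]:
    out = [node]
    for child in _children(node):
        out.extend(_descendants(child))
    return out


def evaluate(expr: str, document: Any) -> List[Any]:
    """Apply the parsed steps to a JSON-like value; return all matches."""
    nodes = [document]
    for kind, arg in parse_path(expr):
        matched: List[Any] = []
        for node in nodes:
            if kind == "descend":
                matched.extend(_descendants(node))
            elif kind == "wild":
                matched.extend(_children(node))
            elif kind == "child" and isinstance(node, dict) and arg in node:
                matched.append(node[arg])
            elif kind == "index" and isinstance(node, list) and -len(node) <= arg < len(node):
                matched.append(node[arg])
        nodes = matched
    return nodes


def is_supported(expr: str) -> bool:
    try:
        parse_path(expr)
        return True
    except ValueError:
        return False


SAMPLE = {                                            # constructed document
    "store": {
        "book": [
            {"title": "A", "author": "X", "price": 8.95},
            {"title": "B", "author": "Y", "price": 12.99},
        ],
        "bicycle": {"color": "red", "price": 19.95},
    }
}

if __name__ == "__main__":
    for path in ("$.store.book[*].author", "$..price", "$['store']['bicycle'].color"):
        print(path, "->", evaluate(path, SAMPLE))
    print("$[?(@.price<10)] supported:", is_supported("$[?(@.price<10)]"))
```

The design point is that every step is a fixed operation on the document (descend, wildcard, key lookup, index) chosen by a parser, so an expression taken from a request can at worst return the wrong nodes; it can never run. A library that needs filters has to implement them the same way, as a parsed comparison over node values, rather than delegating to the language runtime.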
Key Observations
- Remote code execution remains the dominant high-impact class
- Unauthenticated exposures continue to surface in enterprise software
- Network devices and orchestration layers expand blast radius
- Memory safety issues remain exploitable in modern deployments
- Third-party dependencies introduce systemic risk across environments
ThreatScope by DIAMATIX analyzes how vulnerabilities cluster across infrastructure layers and how exploitation paths compound operational risk.
Trusted · Innovative · Vigilant