February 2026 Security Patch Report: Microsoft, SAP, Intel, Adobe, and 60+ Vendors Address Critical Vulnerabilities in OS, Cloud, and Network Platforms

Executive Summary
In February 2026, over 60 leading software vendors, including Microsoft, SAP, Intel, and Adobe, issued critical security updates addressing a broad spectrum of vulnerabilities across operating systems, cloud services, and network platforms. This unprecedented, coordinated patch release cycle targets both newly discovered and actively exploited zero-day vulnerabilities, with several flaws already leveraged by advanced persistent threat (APT) groups for initial access, privilege escalation, and lateral movement within enterprise environments. The vulnerabilities span a diverse array of products, from core operating system components and cloud orchestration tools to business-critical enterprise applications and creative software suites. This advisory provides a comprehensive technical breakdown of the most significant vulnerabilities, exploitation trends, APT group activity, affected product versions, and actionable mitigation strategies. Executives and technical teams alike should prioritize rapid patch deployment and continuous monitoring to mitigate the heightened risk posed by these vulnerabilities.
Technical Information
The February 2026 patch cycle is notable for its breadth and severity, with over 60 vendors releasing security fixes. The most critical vulnerabilities are concentrated in products from Microsoft, SAP, Intel, and Adobe, but the update wave also includes security advisories from vendors such as Apple, Cisco, Google, VMware, Fortinet, Check Point, Linux distributions (including Red Hat, Ubuntu, SUSE, Debian), Zoom, Mozilla, SolarWinds, and many others.
Microsoft
Microsoft addressed 59 vulnerabilities, including six zero-days confirmed as actively exploited in the wild. These vulnerabilities affect a wide range of components, including Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. The zero-days, such as those tracked as CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, enable attackers to bypass security features, escalate privileges, execute arbitrary code, and trigger denial-of-service conditions. The affected product versions include Windows 10 (22H2, 21H2, 1809 LTSC), Windows 11 (23H2, 22H2, 21H2), Microsoft Office (2016, 2019, 2021, Microsoft 365 Apps for Enterprise, Office for Mac), Microsoft Exchange Server (2016, 2019), Microsoft Edge (Chromium-based), and a variety of Azure services and developer tools.
SAP
SAP released patches for several high-severity vulnerabilities, most notably CVE-2026-0488 (CVSS 9.9) and CVE-2026-0509 (CVSS 9.6). CVE-2026-0488 is a code injection flaw in SAP CRM and SAP S/4HANA (Scripting Editor), allowing authenticated attackers to execute arbitrary SQL and potentially compromise the entire database. CVE-2026-0509 is a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, enabling low-privileged users to perform unauthorized background Remote Function Calls (RFCs). The affected versions span a wide range of SAP modules, including S4FND, SAP_ABA, WEBCUIF, KRNL64NUC, KRNL64UC, KERNEL, SAP_BASIS, SCMAPO, SAP_APPL, S4CORE, and others. Mitigation requires kernel updates, profile parameter changes, and review of user roles and UCON settings.
Intel
Intel addressed multiple vulnerabilities in its Trust Domain Extensions (TDX) 1.5 module, including CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, and CVE-2025-32467. These flaws introduce new attack surfaces in confidential computing environments, potentially allowing privilege escalation or data leakage. The vulnerabilities affect all TDX module versions prior to 1.5.24, particularly on 4th and 5th Generation Intel Xeon Scalable processors with TDX enabled.
Adobe
Adobe released security updates for 44 vulnerabilities across products such as Audition, After Effects, InDesign Desktop, Substance 3D Designer, Substance 3D Stager, Bridge, Lightroom Classic, and DNG SDK. Of these, 27 are rated critical, with the potential for arbitrary code execution. The affected versions include Audition 24.2 and earlier, After Effects 24.1 and earlier, InDesign Desktop 19.1 and earlier, Substance 3D Designer 13.0.1 and earlier, Substance 3D Stager 2.1.2 and earlier, Bridge 14.0.4 and earlier, Substance 3D Modeler 1.4.1 and earlier, Lightroom Classic 13.1 and earlier, and DNG SDK 1.6 and earlier.
Other Vendors
A wide array of additional vendors released security updates, including ABB, AWS, AMD, AMI, Apple, ASUS, AutomationDirect, AVEVA, Broadcom (VMware), Canon, Check Point, Cisco, Citrix, Commvault, ConnectWise, D-Link, Dassault Systèmes, Dell, Devolutions, dormakaba, Drupal, F5, Fortinet, Foxit, FUJIFILM, Fujitsu, Gigabyte, GitLab, Google (Android, Chrome, Cloud, Pixel), Grafana, Hikvision, Hitachi Energy, HP, HPE (Aruba, Juniper), IBM, Ivanti, Lenovo, Linux distributions (AlmaLinux, Alpine, Amazon Linux, Arch, Debian, Gentoo, Oracle, Mageia, Red Hat, Rocky, SUSE, Ubuntu), MediaTek, Mitsubishi Electric, MongoDB, Moxa, Mozilla (Firefox, Thunderbird), n8n, NVIDIA, Phoenix Contact, QNAP, Qualcomm, Ricoh, Rockwell, Samsung, Schneider, ServiceNow, Siemens, SolarWinds, Splunk, Spring Framework, Supermicro, Synology, TP-Link, WatchGuard, Zoho ManageEngine, Zoom, and Zyxel.
Exploitation in the Wild
The most significant exploitation activity centers on the six Microsoft zero-days, which are confirmed as actively exploited in the wild. These vulnerabilities are being leveraged for privilege escalation, security feature bypass, and remote code execution, often as part of sophisticated attack chains. While specific CVEs exploited by APT groups are not always disclosed, the attack patterns align with those historically used by groups such as APT28 and APT29, as well as ransomware operators. Recent campaigns have also exploited vulnerabilities in Ivanti VPN (CVE-2024-21887, CVE-2023-46805), WinRAR, and SolarWinds, indicating a continued focus on remote access and supply chain attack vectors.
No public exploitation has been reported for the latest SAP, Intel TDX, or Adobe vulnerabilities as of this advisory. However, the criticality and potential impact of these flaws warrant immediate attention and proactive mitigation.
APT Groups Exploiting These Vulnerabilities
While direct attribution for the current wave of exploitation is limited, historical data and TTP (Tactics, Techniques, and Procedures) mapping suggest that APT28 (Fancy Bear), APT29 (Cozy Bear), and various ransomware groups are likely actors exploiting Microsoft zero-days. These groups have previously targeted government, defense, critical infrastructure, and enterprise sectors across the US, Europe, and Asia. Their operations typically involve exploiting privilege escalation and security bypass vulnerabilities to gain initial access, establish persistence, and move laterally within target environments. No evidence currently links APT activity to the newly disclosed SAP, Intel, or Adobe vulnerabilities, but these platforms remain high-value targets for future campaigns.
Affected Product Versions
The affected product landscape is extensive. For Microsoft, vulnerable versions include Windows 10 (22H2, 21H2, 1809 LTSC), Windows 11 (23H2, 22H2, 21H2), Microsoft Office (2016, 2019, 2021, Microsoft 365 Apps for Enterprise, Office for Mac), Microsoft Exchange Server (2016, 2019), Microsoft Edge (Chromium-based), and a broad set of Azure services and developer tools. SAP vulnerabilities impact versions of SAP CRM, SAP S/4HANA, SAP NetWeaver Application Server ABAP, and related modules, with specific kernel and application versions detailed in SAP's official patch documentation. Intel TDX vulnerabilities affect all module versions prior to 1.5.24 on 4th and 5th Generation Intel Xeon Scalable processors. Adobe vulnerabilities span multiple creative and productivity applications, with affected versions including Audition 24.2 and earlier, After Effects 24.1 and earlier, InDesign Desktop 19.1 and earlier, and others as listed above.
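The Intel TDX and Adobe version boundaries stated in this advisory can be turned into a simple inventory triage check. The following is an added example, not code from Rescana or any vendor: the product keys, host names and sample inventory are constructed, and only the boundary versions come from this page. Versions are compared numerically, because a plain string comparison would rank 1.5.9 above 1.5.24 and miss an affected TDX module.

```python
from itertools import zip_longest

# Boundaries as stated in this advisory; the product keys are labels chosen here.
# inclusive=True encodes "X and earlier"; inclusive=False encodes "prior to X".
AFFECTED = {
    "Intel TDX module": ("1.5.24", False),
    "Adobe Audition": ("24.2", True),
    "Adobe After Effects": ("24.1", True),
    "Adobe InDesign Desktop": ("19.1", True),
    "Adobe Substance 3D Designer": ("13.0.1", True),
    "Adobe Substance 3D Stager": ("2.1.2", True),
    "Adobe Bridge": ("14.0.4", True),
    "Adobe Substance 3D Modeler": ("1.4.1", True),
    "Adobe Lightroom Classic": ("13.1", True),
    "Adobe DNG SDK": ("1.6", True),
}

def parse_version(text):
    """Split a dotted version into integers; raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return [int(p) for p in parts]

def compare(a, b):
    """Return -1, 0 or 1, treating missing components as 0 (24.2 == 24.2.0)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def status(product, installed):
    """Classify one inventory row as 'affected', 'not affected' or 'unknown'."""
    if product not in AFFECTED:
        return "unknown"  # product not covered by the boundaries above
    boundary, inclusive = AFFECTED[product]
    try:
        order = compare(installed, boundary)
    except ValueError:
        return "unknown"  # unparseable version: review by hand
    return "affected" if order < 0 or (order == 0 and inclusive) else "not affected"

def triage(inventory):
    """Map (host, product, version) rows to (host, product, version, status)."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

# Constructed sample inventory (host names and installed versions are made up).
SAMPLE = [("tdx-host-01", "Intel TDX module", "1.5.9"),
          ("ws-114", "Adobe Bridge", "14.0.10")]
```

Rows that come back as `unknown` need manual review against the vendor bulletin rather than being treated as safe.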
Workaround and Mitigation
Immediate patching is the most effective mitigation strategy. Organizations should prioritize the deployment of all relevant security updates from Microsoft, SAP, Intel, Adobe, and other vendors as soon as possible. For Microsoft products, apply all Patch Tuesday updates and monitor for suspicious privilege escalation and security bypass activity. For SAP, implement kernel updates, adjust profile parameters, and review user roles and UCON settings in accordance with the latest advisories from Onapsis and SAP Security Patch Day. For Intel, update to the latest TDX 1.5 firmware and monitor for anomalous virtualization or confidential computing activity. For Adobe, apply all available security updates to affected products. In addition to patching, organizations should enhance monitoring for indicators of compromise (IOCs), such as unusual privilege escalation events, unauthorized SQL queries, or anomalous virtualization activity. Where immediate patching is not feasible, consider network segmentation, access control restrictions, and disabling vulnerable features as temporary risk reduction measures.
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated risk assessment, and actionable intelligence across your vendor ecosystem. Our team of cybersecurity experts is dedicated to helping you navigate the evolving threat landscape and respond rapidly to emerging vulnerabilities. For any questions or to discuss how Rescana can support your security operations, please contact us at ops@rescana.com.