ISSUE 07 | SecurityConscience: Patched ≠ Clean
Security Conscience: Enterprise Cyber Weekly
Issue #07 • Week of Feb 16, 2026
Security Tip of the Week
🔐 Patch ≠ Eviction Validation
Pick one system patched for a previously exploited vulnerability in the last 12 months. Check whether your logging captured what normal operation looked like before the patch, and whether you’d detect if the original exploit artifacts were still present. If the answer is no, you’re measuring patch deployment but not adversary removal.
Sorry for the late send. The holiday yesterday threw off my schedule. Let’s get into it!
We keep investing in controls that are supposed to close the window after initial compromise, but this week’s stories make one thing uncomfortably clear: the window never really closes. It just moves.
Microsoft patched six actively exploited zero-days, three of which systematically dismantled the security feature stack enterprises rely on to validate external content. Fortinet patched a bypass of its earlier fixes for vulnerabilities from 2022 to 2024, meaning organizations that remediated years ago were still carrying forward attacker access. Intel’s confidential computing technology failed precisely when workloads migrated, the operational event most enterprises treat as routine and trusted. The pattern isn’t about individual failures. It’s about the persistent gap between “we fixed it” and “the adversary is actually gone.”
Most of us have been in the room when leadership asks if we’re exposed after a major disclosure, and the honest answer is increasingly complicated. Did we patch? Yes. Did patching actually eliminate the attack surface? Maybe. Do our controls validate that trust boundaries held during the compromise window? Probably not. This week is a reminder that remediation confidence and actual adversary eviction are not the same thing, and our architectures still assume they are.
Top Story
Microsoft Patches Six Actively Exploited Zero-Days in February
TLDR
Microsoft’s February 2026 Patch Tuesday addressed 58 vulnerabilities, including six zero-days already being exploited in the wild. Three of the exploited flaws bypass security features in Windows Shell, MSHTML, and Word, likely part of a coordinated campaign attributed to multiple threat intelligence groups. The remaining three enable privilege escalation and denial of service attacks, with one discovered in a public malware repository.
Why it Matters to Enterprises
This isn’t about patch volume. It’s about the collapse of assumed safety boundaries. Three security feature bypasses exploited simultaneously suggest attackers are systematically dismantling the controls enterprises rely on to validate external content. When SmartScreen, Mark of the Web, and OLE mitigations fail together, the implicit trust model behind “users can open files if they see a warning” breaks. The Desktop Window Manager and Remote Desktop Services privilege escalation flaws expose how deeply attackers can move laterally once initial access succeeds, especially in environments where RDP remains widely deployed. Most concerning: one exploit was publicly available in malware repositories for months before Microsoft patched it, meaning your detection stack may have missed activity that looked like legitimate system behavior.
What to do this Week
- Audit which systems still rely on SmartScreen or Mark of the Web warnings as primary controls for external content
- Review privilege boundaries around Desktop Window Manager and Remote Desktop Services across jump hosts and administrator workstations
- Check detection coverage for service configuration key modifications and unauthorized user additions to privileged groups
- Validate whether security tooling logged any RASMAN service anomalies between December 2025 and now
- Pressure-test assumptions about Office Preview Pane protections and where users actually open attachments in your environment
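Two of the items above (detection coverage for service configuration key modifications and for unauthorized additions to privileged groups) and the tip of the week’s question of whether your logging would show the artifacts at all come down to the same check. The following is an added example, not code from the newsletter or from Microsoft: it runs two detection rules over a handful of constructed Windows events and also reports which required log sources were silent for the whole window, because a silent source means “no coverage,” not “clean.” The event IDs are the standard ones (Security 4728/4732/4756 for a member added to a global/local/universal security group, Sysmon 13 for a registry value set); the group list, the allowlist of processes permitted to write service configuration, the approved-change records and every sample event are constructed for the example.

```python
"""Added example: detection coverage check for privileged-group additions and
service configuration key writes over constructed sample Windows events."""
from dataclasses import dataclass

# Groups whose membership changes always need a matching change record (constructed list).
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Schema Admins", "Backup Operators", "Remote Desktop Users",
}
# Security log: member added to a security-enabled global (4728), local (4732)
# or universal (4756) group.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
# Sysmon: RegistryEvent, value set.
SYSMON_REG_VALUE_SET = 13
SERVICES_KEY_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
# Processes allowed to write service configuration here (constructed allowlist).
APPROVED_SERVICE_WRITERS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\msiexec.exe",
}
# Sources the two rules depend on. If one never appears in the window, an empty
# alert list means the rule had nothing to look at, not that nothing happened.
REQUIRED_SOURCES = {("Security", 4728), ("Security", 4732),
                    ("Security", 4756), ("Sysmon", 13)}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_group_additions(events, approved_changes):
    """Flag privileged-group additions lacking an approved (member, group) record."""
    findings = []
    for ev in events:
        if ev["channel"] != "Security" or ev["event_id"] not in GROUP_ADD_EVENT_IDS:
            continue
        if ev["group"] not in PRIVILEGED_GROUPS:
            continue
        if (ev["member"], ev["group"]) in approved_changes:
            continue
        findings.append(Finding(
            "unapproved-privileged-group-add",
            f"{ev['member']} added to {ev['group']} by {ev['subject']} at {ev['time']}"))
    return findings


def check_service_key_writes(events):
    """Flag writes under the Services key by processes outside the allowlist."""
    findings = []
    for ev in events:
        if ev["channel"] != "Sysmon" or ev["event_id"] != SYSMON_REG_VALUE_SET:
            continue
        target = ev["target_object"]
        if not target.startswith(SERVICES_KEY_PREFIX):
            continue
        if ev["image"].lower() in APPROVED_SERVICE_WRITERS:
            continue
        findings.append(Finding(
            "service-key-write-by-unapproved-process",
            f"{ev['image']} set {target} at {ev['time']}"))
    return findings


def coverage_gaps(events):
    """Return required (channel, event_id) sources that never appear in the window."""
    seen = {(ev["channel"], ev["event_id"]) for ev in events}
    return sorted(REQUIRED_SOURCES - seen)


# Constructed sample window: two group additions to privileged groups (one
# approved), one to a non-privileged group, and two service key writes.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4732, "time": "2026-02-12T03:14:07Z",
     "group": "Administrators", "member": "CORP\\svc-backup", "subject": "CORP\\helpdesk01"},
    {"channel": "Security", "event_id": 4732, "time": "2026-02-12T09:02:41Z",
     "group": "Remote Desktop Users", "member": "CORP\\jdoe", "subject": "CORP\\it-admin2"},
    {"channel": "Security", "event_id": 4728, "time": "2026-02-12T09:05:00Z",
     "group": "Domain Users", "member": "CORP\\newhire", "subject": "CORP\\hr-prov"},
    {"channel": "Sysmon", "event_id": 13, "time": "2026-02-12T03:15:22Z",
     "target_object": SERVICES_KEY_PREFIX + "RasMan\\ImagePath",
     "image": "C:\\Windows\\Temp\\updater.exe"},
    {"channel": "Sysmon", "event_id": 13, "time": "2026-02-12T10:00:00Z",
     "target_object": SERVICES_KEY_PREFIX + "Spooler\\Start",
     "image": "C:\\Windows\\System32\\services.exe"},
]
# Constructed change records: (member, group) pairs with an approved ticket.
APPROVED_CHANGES = {("CORP\\jdoe", "Remote Desktop Users")}


def run(events=SAMPLE_EVENTS, approved=APPROVED_CHANGES):
    """Run both rules and the coverage check; returns a dict for reporting/testing."""
    return {
        "findings": check_group_additions(events, approved) + check_service_key_writes(events),
        "coverage_gaps": coverage_gaps(events),
    }


if __name__ == "__main__":
    report = run()
    for f in report["findings"]:
        print(f"[{f.rule}] {f.detail}")
    for channel, event_id in report["coverage_gaps"]:
        print(f"[no-coverage] {channel} event {event_id} absent for the whole window")
```

On the sample window the two rules each produce one finding, and the coverage check reports that Security event 4756 never appeared. That last line is the point of the tip: before concluding a patched system is clean, confirm that each log source a detection depends on actually produced records during the window, otherwise the absence of alerts is uninformative.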
Big Stories
Intel TDX Vulnerability Allowed Full Confidential VM Compromise
What Happened
A five-month security audit by Google and Intel uncovered a critical vulnerability in Intel’s Trust Domain Extensions (TDX) 1.5 that allowed a malicious host operator to fully compromise confidential virtual machines. CVE-2025-30513 is a time-of-check to time-of-use flaw in VM migration that let attackers convert migratable VMs into debuggable ones and access their entire decrypted state.
The collaborative audit identified five vulnerabilities total, plus 35 additional bugs and weaknesses. Intel has patched all issues, but the most severe flaw undermined TDX’s core promise: protecting workloads even against compromised hypervisors.
Why it Matters
This breaks the foundational trust model for confidential computing in public cloud. Enterprises adopting TDX specifically to isolate sensitive workloads from cloud providers now face the reality that migration operations created a window where those protections vanished entirely. Worse, the attack could be triggered after attestation, meaning secrets provisioned after trust establishment were exposed. If your threat model assumes hardware-based isolation protects against insider or hypervisor compromise, you’re now validating controls that failed under adversarial operator access. Every workload migration became a potential exfiltration event, and detection would have been nearly impossible since the attack surface lived below guest visibility.
Fortinet Patches Include Bypass for Previously Exploited SSL-VPN Flaws
Source: https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities/
What happened
Fortinet released patches for eight vulnerabilities across FortiOS, FortiGate, FortiSandbox, and other products, including two high-severity flaws enabling command execution and authentication bypass. The most concerning issue is CVE-2025-68686, explicitly described as a patch bypass for symbolic link persistence mechanisms used in post-exploitation of three previously weaponized FortiOS SSL-VPN vulnerabilities from 2022 to 2024.
The bypass requires prior compromise through a different vulnerability but allows attackers to maintain read-only filesystem access despite earlier remediation efforts. Fortinet also patched CVE-2026-22153, an LDAP authentication bypass affecting Agentless VPN and FSSO policy configurations.
Why it matters
When a patch for a known exploit chain gets bypassed, it confirms what many enterprises fear: remediation without architectural change just moves the problem. Organizations that patched CVE-2022-42475, CVE-2023-27997, or CVE-2024-21762 and assumed persistence mechanisms were eliminated now discover attackers retained filesystem access through a different path. This isn’t about missing a patch cycle. It’s about the gap between “vulnerability closed” and “attack surface eliminated.” If your security model treats patching as sufficient to terminate attacker access rather than as one step in validating trust boundaries, you’re carrying forward compromise without visibility. The fact that this bypass emerged two years after the original exploitation means post-breach validation windows are far longer than most incident response playbooks assume.
Quick Hits
Ransomware Group 0APT Launches With Fabricated Victim List
New ransomware operation 0APT claimed 200 victims out of the gate, but researchers confirm the group is running a massive hoax with fake victim data while possessing genuine, capable encryptors designed to attract affiliates and build momentum before launching real attacks. https://cyberscoop.com/0apt-ransomware-group-hoax-technical-capabilities/
Apple Patches Zero-Day Exploited in Targeted Spyware Campaign
CVE-2026-20700 in Apple’s Dynamic Link Editor was exploited alongside two previously patched WebKit flaws in a coordinated, extremely sophisticated attack against specific individuals, discovered by Google’s Threat Analysis Group and attributed to commercial spyware operators targeting high-value victims. https://www.bleepingcomputer.com/news/security/apple-fixes-zero-day-flaw-used-in-extremely-sophisticated-attacks/
Conduent Breach Impact Balloons to 25 Million as Volvo Confirms 17,000 Employees Affected
Volvo learned in January 2026 that a breach discovered by Conduent a full year earlier exposed employee health plan data, highlighting how third-party incidents create notification delays that extend attacker dwell time assumptions and complicate breach scope validation across vendor customer bases. https://www.securityweek.com/conduent-breach-hits-volvo-group-nearly-17000-employees-data-exposed/
Wrapping it up
The uncomfortable truth this week exposes is that we’ve been measuring security success by the wrong metric. Patch deployment, incident closure, and control implementation all create the appearance of progress, but none of them validate whether the adversary actually left. When Intel’s hardware isolation failed during migration, when Fortinet’s patches left persistence mechanisms intact, and when Microsoft’s security features collapsed under coordinated bypass, the common thread wasn’t poor engineering. It was the assumption that closing a known vulnerability equals eliminating the attack surface it enabled.
This shows up in every post-incident review where the timeline ends at “systems patched and restored” rather than “adversary access validated as terminated.” It surfaces in architecture reviews where we debate control placement but rarely validate whether those controls can detect the gap between remediation and actual eviction. Most enterprise security programs are optimized to respond to disclosure, not to confirm that response actually ended adversary capability. The Conduent breach taking a full year to surface at Volvo isn’t an outlier. It’s what happens when notification timelines assume breaches are discrete events rather than persistent states that require active validation to exit.
The shift isn’t about doing more. It’s about recognizing that remediation creates an obligation to validate, not an assumption of safety. The question after every patch cycle, every incident closure, every third-party attestation should be: what would we see if the adversary was still here? If the answer is “probably nothing,” that’s the gap.
