Microsoft patches 6 zero-days under active exploitation

Microsoft patches 6 exploited zero-days. BeyondTrust CVSS 9.9 flaw under active attack with Feb 16 CISA deadline. VoidLink malware targets Linux cloud. Ransomware groups post 21 claims in one day.

From The Bit Baker newsletter — February 14, 2026

PLUS: BeyondTrust CVSS 9.9 RCE hits CISA KEV, a new Chinese malware framework targets cloud, and ransomware claims hit 21 in one day

Good morning, Dave. Microsoft's February Patch Tuesday just dropped, and it's a rough one. Six zero-days — every single one exploited in the wild before the patches shipped. On top of that, a CVSS 9.9 flaw in BeyondTrust has attackers racing a CISA deadline that expires in two days, and a Chinese-linked threat actor is using AI to build malware at a pace that should make every defender uncomfortable.

In today's security Bit Baker:

  • Microsoft patches 59 flaws including 6 zero-days under active exploitation
  • BeyondTrust CVE-2026-1731 (CVSS 9.9) draws active attacks with a February 16 CISA deadline
  • VoidLink malware framework targets cloud with eBPF rootkits and container escapes
  • Ransomware groups post 21 claims in one day as attacks surge 30% in 2026

Microsoft Patch Tuesday Drops 59 Fixes — 6 Zero-Days Already Under Attack

The Bit Baker: Microsoft's February 2026 Patch Tuesday tackled 59 vulnerabilities including 6 actively exploited zero-days — all now sitting in CISA's Known Exploited Vulnerabilities catalog with a March 3 fix deadline for federal agencies.

Unpacked:

  • Two bypass flaws lead the pack: CVE-2026-21510 (Windows Shell SmartScreen bypass, CVSS 8.8) and CVE-2026-21513 (MSHTML bypass, CVSS 8.8) both let attackers sneak malicious files past Windows trust controls without a single warning prompt. Both were publicly known before Microsoft released the patch.
  • CrowdStrike discovered CVE-2026-21533, a local privilege escalation in Remote Desktop Services. A standard user tweaks a registry key and walks away with SYSTEM privileges — full host control through a laughably simple modification.
  • Rounding out the six: a Word security bypass (CVE-2026-21514), a Remote Access denial-of-service (CVE-2026-21525, CVSS 6.2), and an Outlook spoofing flaw via deserialization (CVE-2026-21511, CVSS 7.5). All three were already being exploited when Microsoft pushed the update, per CISA's KEV catalog addition.

Bottom line: Six zero-days in the wild before the patch even arrived. That's not a normal Tuesday — it's a fire drill. If you're running Windows, deploy this now. And if Remote Desktop Services is active anywhere in your environment, CVE-2026-21533 should be at the top of your list — privilege escalation doesn't get much easier than a registry key edit.

BeyondTrust RCE Flaw Hits CVSS 9.9 — Attackers Are Already Inside

The Bit Baker: An unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access (CVE-2026-1731, CVSS 9.9) is being actively exploited after a proof-of-concept surfaced on February 10. CISA added it to the KEV catalog February 13 with a February 16 remediation deadline.

Unpacked:

Bottom line: Unauthenticated RCE, a working PoC, and confirmed in-the-wild exploitation. For a remote access platform, that's about the worst-case scenario. Self-hosted BeyondTrust customers have until February 16 to patch before they're both compromised and non-compliant.

VoidLink Malware Framework Targets Cloud With eBPF Rootkits and Container Escapes

The Bit Baker: Check Point and Cisco Talos have published research on VoidLink — a modular, Zig-based malware framework built to operate inside Linux cloud environments. It targets technology and financial sector infrastructure, ships with eBPF rootkits and container escape capabilities, and was largely assembled using LLM coding assistance.

Unpacked:

  • This thing is cloud-first from the ground up. VoidLink detects whether it's on AWS, GCP, Azure, Alibaba Cloud, or Tencent Cloud and pivots its behavior to match. It pulls instance metadata, identifies Docker and Kubernetes runtimes, and assigns a risk score based on whatever security products are installed — then dials its stealth up or down accordingly.
  • Over 30 plugin modules handle everything from credential harvesting to lateral movement. The C2 stack spans HTTP/HTTPS, DNS tunneling, ICMP, and mesh P2P relay between compromised hosts, which makes it exceptionally hard to cut off at the network perimeter.
  • Behind VoidLink is UAT-9921, a Chinese-origin threat actor active since 2019. Deployments were first spotted between September 2025 and January 2026. The kicker: a coding agent reportedly produced the framework's 88,000+ lines of Zig code in under a week.

Bottom line: VoidLink is the exact threat cloud security teams have been bracing for — malware that was born in the cloud, breaks out of containers, and buries itself in eBPF hooks where most tools can't see it. And the speed at which it was built? That rewrites the math on how quickly adversaries can spin up custom offensive tooling.

Ransomware Groups Post 21 Claims in a Single Day as 2026 Attacks Surge 30%

The Bit Baker: Eight ransomware groups dumped 21 victim claims in a single day on February 12, hitting organizations in 10 countries. It's part of a broader wave — ransomware attacks are running 30% above last year's pace through early 2026.

Unpacked:

  • Qilin topped the board with 7 victims: Anchor Computer Systems, Derbez, Sakata Seed America, and Segue Manufacturing among them. INC Ransom notched 6, Akira claimed 2, and five smaller groups filled in the rest across the US, UK, Turkey, Brazil, and six other countries.
  • Zoom out and the picture gets worse. GuidePoint Security counted 2,287 ransomware victims in Q4 2025 — the biggest quarter on record — while 124 distinct ransomware groups were active last year, up 46% from the year before.
  • Qilin has pulled away from the field with over 1,115 victims in 2025, running Rust-based encryption that hits Windows, Linux, and VMware ESXi simultaneously. And here's the part that should keep you up at night: BlackFog estimates 86% of all ransomware attacks are never reported. What we see on leak sites is the tip of the iceberg.

Bottom line: Twenty-one claims from eight groups in one day is just what a Wednesday looks like now. Ransomware has gone from criminal enterprise to industrial operation. With 124 groups running, Qilin averaging 75 victims a month, and the vast majority of attacks never making headlines, the question for your organization isn't "if" — it's "when."

The Shortlist

  • World Economic Forum dropped its Global Cybersecurity Outlook 2026, naming AI-related vulnerabilities the fastest-growing risk category. Eighty-seven percent of respondents flagged it, while 77% of organizations now deploy AI for phishing detection and defense.
  • Under Armour confirmed 72 million customer records wound up on the dark web after an Everest ransomware attack in November 2025 — 191.5 million total records with full names, emails, phone numbers, and purchase histories attached.
  • Dragonforce hit Turkish firm Betesan on February 13 and claimed data exfiltration within nine hours of initial access. That breakneck timeline shows just how fast modern ransomware crews move from door to data.
  • AI healthcare apps from providers like OpenAI and Anthropic are running outside HIPAA's reach, which creates a widening privacy gap as patients share medical information with tools that have no legal obligation to protect it.

References

  1. Krebs on Security — Patch Tuesday, February 2026 Edition
  2. Tenable — Microsoft's February 2026 Patch Tuesday Addresses 54 CVEs
  3. The Hacker News — Microsoft Patches 59 Vulnerabilities
  4. CrowdStrike — Patch Tuesday Analysis February 2026
  5. SecurityWeek — 6 Actively Exploited Zero-Days Patched
  6. Rapid7 — February 2026 Patch Tuesday
  7. Sophos — February's Patch Tuesday Assumes Battle Stations
  8. The Hacker News — BeyondTrust In-Wild Exploitation
  9. Rapid7 — CVE-2026-1731 BeyondTrust RCE
  10. Arctic Wolf — BeyondTrust CVE-2026-1731 Campaign
  11. GreyNoise — Reconnaissance Activity for BeyondTrust RCE
  12. BeyondTrust Security Advisory BT26-02
  13. Horizon3.ai — CVE-2026-1731 Attack Research
  14. Cisco Talos — VoidLink
  15. Check Point Research — VoidLink Cloud-Native Malware Framework
  16. PolySwarm — VoidLink Linux Malware Framework
  17. The Hacker News — VoidLink Built with AI
  18. Security Affairs — UAT-9921 Deploys VoidLink
  19. Dark Web Informer — Ransomware Attack Update February 12
  20. GuidePoint Security — Ransomware Hits Record High, Qilin Tops List
  21. BlackFog/SecurityBrief — AI-Driven Ransomware Attacks Surge
  22. Breached Company — Ransomware Attacks Soar 30% in 2026
  23. WEF Global Cybersecurity Outlook 2026
  24. Malwarebytes — Under Armour Ransomware Breach
  25. HookPhish — Dragonforce Hits Betesan