CISA widens KEV as edge-system risk keeps climbing

CISA expanded KEV with GitLab and Dell vulnerabilities, while researchers detailed large-scale FortiGate compromise activity and a critical Grandstream VoIP flaw.

From The Bit Baker Daily Briefing - February 22, 2026

PLUS: Dell long-dwell activity, FortiGate campaign scale, and a critical VoIP fix path

Good morning, Dave.

The defensive workload is shifting back to the edge. KEV updates, persistent infrastructure exploitation, and communications device vulnerabilities all point to one pattern: internet-adjacent systems remain the shortest path from exposure to compromise.

In today's security Bit Baker:

  • CISA adds GitLab and Dell flaws to KEV
  • Google tracks UNC6201's extended Dell exploitation timeline
  • AWS documents AI-assisted compromise of 600+ FortiGate devices
  • Rapid7 highlights critical Grandstream VoIP RCE

CISA adds GitLab and Dell flaws to KEV

The Bit Baker: CISA's February 18 KEV update added CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint hard-coded credentials).

Unpacked:

  • KEV inclusion confirms active exploitation and elevates patch priority immediately.
  • GitLab SSRF and Dell credential flaws both impact systems that often sit close to privileged workflows.
  • KEV changes are now one of the fastest operational signals defenders can use for patch sequencing.

Bottom line: If it lands in KEV, treat it like an incident-level priority. Policy and threat reality are now moving on similar timelines.
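One way to turn a KEV update into the patch-sequencing signal described above is to cross-reference the catalog against your own scanner findings and rank by CISA's due date. The script below is an added example, not The Bit Baker's code. It uses the field names of the real KEV JSON feed (`cveID`, `vendorProject`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`), but the catalog snapshot, host names and scanner findings are constructed samples built around the CVEs in this briefing; the due dates are placeholders, not CISA's actual deadlines.

```python
"""Rank vulnerability-scanner findings by whether they appear in a CISA KEV snapshot.

Added example. The KEV snapshot below is constructed in the shape of the real
catalog feed; the CVE IDs and the 2026-02-18 add date come from the briefing,
while dueDate values and hostnames are placeholders.
"""
import json
from datetime import date

# Constructed KEV snapshot (same JSON layout as the public catalog feed).
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2026-02-18T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-22175",
            "vendorProject": "GitLab",
            "product": "GitLab CE/EE",
            "vulnerabilityName": "GitLab SSRF (constructed description)",
            "dateAdded": "2026-02-18",
            "shortDescription": "Server-side request forgery.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-11",  # placeholder deadline
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2026-22769",
            "vendorProject": "Dell",
            "product": "RecoverPoint for Virtual Machines",
            "vulnerabilityName": "Dell RecoverPoint hard-coded credentials (constructed description)",
            "dateAdded": "2026-02-18",
            "shortDescription": "Hard-coded credentials.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-04",  # placeholder deadline
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed scanner output: one finding per (host, CVE). The third CVE is a
# made-up identifier that is deliberately absent from the snapshot.
SCAN_FINDINGS = [
    {"host": "gitlab-ci.corp.example", "cve": "CVE-2021-22175"},
    {"host": "rp4vm-mgmt.corp.example", "cve": "CVE-2026-22769"},
    {"host": "gitlab-ci.corp.example", "cve": "CVE-2099-00001"},
]


def load_kev(raw: str) -> dict[str, dict]:
    """Index a KEV catalog document by CVE ID."""
    catalog = json.loads(raw)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(kev: dict[str, dict], findings: list[dict], today: date) -> list[dict]:
    """Return only the findings that are in KEV, most urgent first.

    Ordering: ransomware-linked entries first, then the soonest CISA due date,
    then hostname so the output is stable between runs.
    """
    hits = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue  # not in KEV: normal patch cadence applies
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "vendor": entry["vendorProject"],
            "days_to_due": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_to_due"], h["host"]))
    return hits


if __name__ == "__main__":
    for hit in prioritize(load_kev(KEV_SNAPSHOT), SCAN_FINDINGS, date(2026, 2, 22)):
        flag = "OVERDUE" if hit["overdue"] else f"{hit['days_to_due']}d left"
        print(f"{hit['host']:28} {hit['cve']:16} {hit['vendor']:8} {flag}")
```

In practice the snapshot would be the downloaded catalog JSON and the findings would come from your scanner's export; the point is that the matching key is the CVE ID alone, so any asset with a KEV-listed CVE surfaces at the top regardless of what CVSS score the scanner assigned it.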


Google tracks UNC6201's extended Dell exploitation timeline

The Bit Baker: Mandiant and Google Threat Intelligence reported UNC6201 exploitation of CVE-2026-22769 dating back to mid-2024.

Unpacked:

  • Researchers tied the activity to persistent access and malware families including SLAYSTYLE, BRICKSTORM, and GRIMBOLT.
  • The timeline underscores how infrastructure compromise can remain undetected across long operational windows.
  • Organizations should scope hunting efforts backward, not just from disclosure date forward.

Bottom line: This is a dwell-time warning for every SOC. Patch now, then investigate historical compromise paths with equal urgency.


AWS documents AI-assisted compromise of 600+ FortiGate devices

The Bit Baker: Amazon Threat Intelligence said a financially motivated actor compromised more than 600 FortiGate devices in 55 countries using AI-assisted workflows.

Unpacked:

  • The campaign shows how attackers can use commercial AI tools to increase operational velocity without inventing new exploit classes.
  • Edge firewall compromise remains one of the highest-leverage initial access paths.
  • Hardening management interfaces and isolating backup systems are immediate defensive controls.

Bottom line: AI-assisted operations are compressing attacker timelines. Teams need to shorten detection and containment loops to keep pace.


Rapid7 highlights critical Grandstream VoIP RCE

The Bit Baker: Rapid7 disclosed CVE-2026-2329, a critical unauthenticated stack buffer overflow in Grandstream GXP1600 VoIP devices.

Unpacked:

  • The flaw allows remote code execution with root privileges on affected models.
  • Vendor remediation is available in firmware 1.0.7.81.
  • Voice infrastructure often sits outside mainstream patch cycles, creating avoidable exposure.

Bottom line: Treat VoIP endpoints like core infrastructure. If patch ownership is unclear, exposure remains guaranteed.


The Shortlist

  • CISA adds Roundcube CVE-2025-49113 to KEV: Messaging infrastructure remains an attractive target for attackers exploiting delayed patching.
  • Roundcube patch path is straightforward but often delayed: Versions 1.6.11 and 1.5.10 contain the security fixes defenders should already have deployed.

References

  1. CISA Adds Two Known Exploited Vulnerabilities to Catalog (2026-02-18)
  2. UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
  3. AI-augmented threat actor accesses FortiGate devices at scale
  4. CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow in Grandstream GXP1600 VoIP Phones
  5. CISA Adds Two Known Exploited Vulnerabilities to Catalog (2026-02-20)
  6. Roundcube Security updates 1.6.11 and 1.5.10 released