February 2026 security update: AI-driven attacks surge alongside OT targeting and critical vulnerabilities
Table of contents
- Today's threat landscape
- Top 3 vulnerabilities
  - Cisco issues patch for critical email appliance vulnerability
  - FortiCloud SSO faces critical bypass issue
  - Multiple Node.js packages hit by critical vulnerabilities
- Industry news
Today’s threat landscape
An evolving playbook: Harnessing AI while targeting OT
January confirmed a continued acceleration in the sophistication of threat actors, with several recurring attack patterns and emerging vectors becoming evident across Europe. A dominant theme is the growing combination of automation, AI-driven techniques, and the exploitation of complex vulnerabilities to enable faster, more scalable attack chains with reduced manual effort.
For instance, threat actors are leveraging prompt-injection attacks against AI-powered services and AI-assisted tooling to automate reconnaissance, tailor phishing content, and even generate customized malicious code. The rapid pace of AI adoption is introducing new attack surfaces tied to AI integration, where defensive controls are still maturing. Closely related is the abuse of browser-based AI and automation features. Recent reporting highlights techniques such as “prompt poaching” via malicious browser extensions, where cybercriminals silently extract sensitive prompts, credentials, or session data from users interacting with AI-enabled tools, further expanding the scope of AI-adjacent threats.
Moreover, AI-enhanced phishing campaigns and automated social engineering increasingly combine AI-generated lures with advanced credential-harvesting and adversary-in-the-middle techniques to bypass traditional multi-factor authentication and significantly improve intrusion success rates.
Finally, analysis of national and international vulnerability reporting indicates continued targeting of OT and ICS environments. According to European incident reporting, IT-level vulnerabilities combined with weak network segmentation allow cybercriminals to pivot from standard enterprise intrusions into operational systems, increasing the likelihood of service disruption and business impact rather than purely data-driven breaches.
Top 3 vulnerabilities
Cisco issues patch for critical email appliance vulnerability
Cisco has addressed a critical vulnerability in its AsyncOS software (CVE-2025-20393 with CVSS 10.0), which has been actively exploited in the wild since late November 2025, if not earlier.
It affects the Spam Quarantine component of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS. The flaw stems from improper input validation: the software did not correctly check specially crafted web requests, allowing cybercriminals to run any system command on the device with full administrative rights. Because these devices sit at a key point in many organizations’ email infrastructure, successful exploitation could allow cybercriminals to alter emails, install malware, or use the compromised appliance as a foothold into internal networks.
Cisco has published updated AsyncOS releases to mitigate the vulnerability. These remain the only reliable solutions, as there are no workarounds.
FortiCloud SSO faces critical bypass issue
Fortinet has released urgent updates to fix a critical authentication bypass vulnerability (CVE-2026-24858 with CVSS 9.4), which has been actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability lies in FortiCloud Single Sign-On (SSO), a feature in several Fortinet security products that lets users access devices with a single login. Due to improper access checks in this system, cybercriminals who control any FortiCloud account and have a registered device can trick vulnerable systems into allowing them to log in to other networks without credentials when FortiCloud SSO is enabled.
Products confirmed affected include FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb across multiple version branches. While FortiCloud SSO is not active by default, it can be automatically enabled during device registration, increasing exposure for some organizations. Fortinet has published updated firmware versions for each affected product line that remove the vulnerability.
Multiple Node.js packages hit by critical vulnerabilities
A series of high-severity vulnerabilities has been discovered in popular Node.js packages, affecting developers and organizations worldwide.
Key vulnerabilities include: CVE-2025-54313 (ESLint Config Prettier); CVE-2026-21858, CVE-2026-21877, CVE-2025-68613, CVE-2025-68668, CVE-2026-1470, and CVE-2026-0863 (n8n); CVE-2026-22709 (vm2 sandbox). All carry CVSS scores ranging from 7.5 to 10.0.
These vulnerabilities vary in nature but mainly allow remote code execution or sandbox escape. In practice, this means a malicious actor could trick a vulnerable Node.js application into running harmful code, potentially taking control of systems or exposing sensitive data. For example, the Ni8mare vulnerabilities in n8n let cybercriminals exploit unauthenticated endpoints to execute arbitrary commands. Meanwhile, the vm2 flaw enables cybercriminals to escape the vm2 sandbox that Node.js applications use to isolate untrusted code.
Affected users should upgrade immediately.
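As an added example (not code from this newsletter or from any of the affected projects), a small Python check that inventories a package-lock.json, including transitive and nested copies, for the packages named above. The watchlist carries only the CVE IDs the page lists, not fixed-version ranges, so matches are flagged for review rather than judged vulnerable; the sample lockfile and its version numbers are constructed.

```python
import json
from typing import Dict, List, Tuple

# Packages named above, keyed to the CVE IDs the page lists. The page gives no
# fixed-version ranges, so every occurrence is reported for review, not judged.
WATCHLIST: Dict[str, List[str]] = {
    "eslint-config-prettier": ["CVE-2025-54313"],
    "n8n": ["CVE-2026-21858", "CVE-2026-21877", "CVE-2025-68613",
            "CVE-2025-68668", "CVE-2026-1470", "CVE-2026-0863"],
    "vm2": ["CVE-2026-22709"],
}

def _walk_v1(deps: dict, out: List[Tuple[str, str]]) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree (nested)."""
    for name, info in deps.items():
        out.append((name, info.get("version", "?")))
        _walk_v1(info.get("dependencies", {}), out)

def installed_packages(lock: dict) -> List[Tuple[str, str]]:
    """Return (name, version) for every package recorded in a package-lock."""
    found: List[Tuple[str, str]] = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, info in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # "node_modules/a/node_modules/@s/b" -> "@s/b" (scope is kept)
            found.append((path.rsplit("node_modules/", 1)[-1], info.get("version", "?")))
    else:  # lockfileVersion 1: nested "dependencies" objects
        _walk_v1(lock.get("dependencies", {}), found)
    return found

def flag_watchlisted(lock_json: str) -> List[Tuple[str, str, List[str]]]:
    """List (name, version, CVEs) for direct or transitive watchlist hits."""
    hits: Dict[Tuple[str, str], List[str]] = {}
    for name, version in installed_packages(json.loads(lock_json)):
        if name in WATCHLIST:
            hits[(name, version)] = WATCHLIST[name]  # dedupes hoisted copies
    return [(n, v, c) for (n, v), c in sorted(hits.items())]

# Constructed sample lockfile (not a real project); vm2 appears twice because a
# plugin pins its own nested copy, which a direct-dependencies-only check misses.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/vm2": {"version": "3.9.19"},
        "node_modules/some-plugin": {"version": "2.0.0"},
        "node_modules/some-plugin/node_modules/vm2": {"version": "3.9.11"},
        "node_modules/eslint-config-prettier": {"version": "9.1.0"},
    },
})
```

Run `flag_watchlisted` over a real lockfile's contents and compare each flagged version against the fixed releases in the respective advisories before deciding whether an upgrade is still outstanding.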
Industry news
The EU takes major regulatory steps despite significant breaches
Among the most widely reported cyber incidents last month was a breach involving the European space sector, where more than 700 GB of sensitive data was reportedly extracted from systems used for collaborative engineering and research. The compromised material included source code and authentication tokens, underscoring the trend of data-intensive organizations being prime targets.
At the same time, large-scale exploitation of newly disclosed vulnerabilities continued across multiple sectors. Threat intelligence firm GreyNoise reported observing more than 8.1 million attack sessions linked to the React2Shell vulnerability (CVE-2025-55182) within weeks of its disclosure. The activity involved over 8,000 unique source IPs across more than 1,000 autonomous systems worldwide, with tens of thousands of unique payloads indicating rapid experimentation and widespread adoption by diverse threat actors.
On the regulatory and standards front, several significant developments took place across Europe. MITRE introduced a new framework for embedded systems security, the Embedded System Threat Matrix (ESTM), designed to support threat modeling and protection of critical hardware and software components. Moreover, the EU announced the launch of the Global Cybersecurity Vulnerability Enumeration (GCVE), a new vulnerability database intended to reduce long-term reliance on US-based CVE services and provide added analytical value for vulnerability tracking across European ecosystems.
At the same time, the European Commission presented a new cyber security package strengthening the role of ENISA, the EU Cybersecurity Agency. The package introduces a risk-based framework for managing cyber security across ICT supply chains, reflecting growing concern over systemic dependencies and third-party exposure.
Overall, January’s developments show that cyberattacks in Europe remain both technically sophisticated and strategically targeted, while regulatory and policy responses continue to push forward rather than merely react.