Home
A surge of zero-day exploits, sophisticated AiTM phishing chains, critical infrastructure compromises, and actively exploited CVEs targeted enterprises from February 3-9, 2026—impacting network edges, cloud workflows, energy sectors, and DevOps pipelines worldwide. These incidents reveal attackers’ relentless focus on unpatched appliances, workflow automation flaws, and end-of-support hardware, creating massive operational disruptions, regulatory headaches, and national security risks for CISOs everywhere.
>>Outpace Attackers With AI-Based Automated Penetration Testing
1. Cisco Unified CM Zero-Day (CVE-2026-20045, Disclosed Feb 3, 2026)
Overview
Attackers launched widespread exploitation of an unauthenticated remote code execution vulnerability in Cisco Unified Communications Manager (Unified CM), achieving full system compromise across thousands of enterprise deployments worldwide. CISA added this to its Known Exploited Vulnerabilities (KEV) catalog with a federal patching deadline of February 11, 2026, signaling imminent nation-state and ransomware activity.
Explanation
The flaw resides in the Webex Suite integration interface where specially crafted network packets trigger memory corruption, bypassing all authentication mechanisms to execute arbitrary code with root privileges. Once inside, attackers enumerate SIP configurations, harvest call logs containing executive communications, and pivot laterally through integrated PBX systems and voice gateways—often chaining to ransomware deployment or persistent C2 beacons.
Impact
Complete network takeover potential across 100k+ Unified CM instances globally; voice traffic interception exposes sensitive executive calls; serves as ransomware gateway to core infrastructure. Enterprises face headline-grabbing outages, compliance violations, and multimillion-dollar recovery costs.
Details
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript), T1021.001 (Remote Desktop Protocol).
IOCs: Anomalous SIP traffic over TLS to Webex endpoints; unexpected API burst patterns from UC Manager IPs; memory residency indicators in process dumps.
Timeline: Active exploitation confirmed February 2; Cisco emergency patch released February 3.
Remediation
Immediately apply Cisco’s critical security update; temporarily isolate Unified CM edge services from internet exposure; deploy YARA rules to hunt crafted Webex payloads in access logs; enable comprehensive SIP traffic monitoring.
Takeaway for CISO
Voice and collaboration appliances represent the soft underbelly of enterprise networks—deploy ephemeral reverse proxies instead of direct exposure, implement behavioral API monitoring for anomaly detection, and enforce mandatory 72-hour patching cycles for all CVSS 9.0+ infrastructure flaws.
2. Romania National Oil Pipeline Attack (Reported Feb 6, 2026)
Overview
Romania’s national oil infrastructure suffered a sophisticated perimeter compromise through end-of-support (EoS) network appliances, mirroring identical attack patterns against Poland’s energy sector the same week. Attackers achieved operational technology (OT) network access amid escalating geopolitical tensions in Eastern Europe.
Explanation
Perimeter takeover began with unpatched Cisco ASA and Fortinet FortiGate appliances running EoS firmware, enabling Adversary-in-the-Middle (AiTM) session hijacking that bypassed multi-factor authentication on operator consoles. Attackers then proxied industrial control protocols (Modbus, DNP3) to manipulate SCADA systems, demonstrating physical process interference capabilities before operators detected anomalous flow rates.
Impact
Immediate fuel supply chain disruptions across national distribution; multi-day operational shutdowns cost millions in lost production; triggered national security incident response with potential cascading physical safety failures in pipeline pressure systems.
Details
MITRE ATT&CK: T1078.003 (Valid Accounts: Local Accounts), T1557 (Adversary-in-the-Middle), T0832 (Precedence Scanning).
IOCs: Legacy appliance HTTPS connections to modern C2 infrastructure; anomalous Modbus TCP traffic patterns; rogue industrial protocol sessions from operator workstations.
Remediation
Air-gap all end-of-support perimeter hardware immediately; deploy OT-specific Adversary-in-the-Middle detection sensors; implement comprehensive ICS network micro-segmentation with unidirectional protocol gateways.
Takeaway for CISO
Energy sector perimeter security demands zero-trust architecture—replace EoS hardware quarterly regardless of vendor support status, log every proxy session comprehensively, and maintain separate OT threat intelligence feeds from IT security operations.
3. n8n Workflow Automation RCE Chain (CVE-2026-XXXX, Feb 4-6)
Overview
A Content-Type confusion vulnerability in the popular n8n workflow automation platform enabled completely unauthenticated remote command execution, allowing attackers to chain exploits achieving cloud environment lateral movement in under 8 minutes across thousands of enterprise deployments.
Explanation
Malicious HTTP requests exploit parser discrepancies where Content-Type header manipulation tricks the Node.js application into treating JSON payloads as executable JavaScript. The vulnerability escalates immediately through environment variables containing AWS IAM credentials, GCP service account tokens, and Kubernetes configmaps—enabling complete cloud workload compromise and data exfiltration pipelines.
Impact
Massive workflow hijacking across 10k+ enterprise n8n instances; automated data exfiltration from integrated SaaS platforms (Salesforce, ServiceNow, etc.); supply chain compromise potential affecting downstream business partners.
Details
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1608.001 (Dynamic Resolution), T1059.007 (Command and Scripting Interpreter: JavaScript).
IOCs: Port 5678/tcp exposures; malformed Content-Type headers in access logs; unexpected Node.js process forking patterns.
Remediation
Immediately firewall all n8n management endpoints from internet access; conduct comprehensive audit of environment variables and connected secrets in all workflows; force-rotate credentials across all linked cloud providers.
Takeaway for CISO
Workflow automation platforms serve as silent RCE gateways into cloud environments—prohibit all public internet exposure, embed behavioral analytics directly within CI/CD pipelines, and treat automation platforms as high-privilege infrastructure requiring air-gapped deployment models.
4. GitLab Self-Hosted RFI (CVE-2026-1868, Feb 5)
Overview
Critical Remote File Inclusion vulnerability in GitLab Runners compromises all self-hosted GitLab instances, enabling attackers to execute arbitrary code within CI/CD pipelines and escape containerized build environments to achieve full host system compromise.
Explanation
Path traversal vulnerability in repository webhook processing allows loading of remote malicious payloads through specially-crafted repository hooks. Attackers chain this with container breakout techniques to escape GitLab Runner containers, achieving persistent shell access on underlying build servers and complete codebase manipulation capabilities.
Impact
Complete codebase poisoning potential; build pipeline takeover enabling malicious software distribution; intellectual property theft from development teams; supply chain compromise of customer deployments.
Details
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1548 (Abuse Elevation Control Mechanism), T1611 (Container Administration).
IOCs: Unexpected file read operations in GitLab Runner logs; anomalous container networking patterns; suspicious webhook payload sizes.
Remediation
Apply GitLab security update immediately; deploy all GitLab Runners within air-gapped network segments; implement repository scanning for path traversal payloads at commit time.
Takeaway for CISO
Self-hosted development platforms require military-grade isolation—deploy ephemeral build environments exclusively, implement continuous behavioral scanning of all CI/CD pipelines, and maintain separate security tooling stacks for development infrastructure.
5. lighttpd HTTP Request Smuggling RCE (CVE-2026-22903, Feb 7)
Overview
HTTP request smuggling vulnerability in widely-deployed lighttpd web servers enables full remote code execution, particularly dangerous in embedded systems, IoT gateways, and lightweight edge deployments common across critical infrastructure.
Explanation
Classic Content-Length/Transfer-Encoding (CL.TE) mismatch exploitation desynchronizes front-end and back-end parsers, enabling SSRF injection directly to internal services. Attackers chain smuggling with path traversal to execute commands on underlying operating systems, frequently achieving persistence through cron job manipulation.
Impact
Internal network pivoting from edge devices; IoT device recruitment into botnets; DDoS amplification via compromised lightweight servers; critical infrastructure edge compromise gateway.
Details
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1608.002 (Dynamic Resolution: Domain).
IOCs: Request smuggling signatures in access logs; unexpected internal service connections from lighttpd processes.
Remediation
Deploy lighttpd security patches urgently; implement HTTP request normalization at edge proxies; deploy recursive SSRF protection rules blocking internal service access.
Takeaway for CISO
Lightweight web servers amplify request smuggling risks exponentially—route all edge traffic through fortified application gateways with protocol normalization, and standardize on battle-tested web server implementations for internet-facing services.
6. Zimbra Collaboration Suite KEV Persistence (Feb 3 CISA Alert)
Overview
CISA’s Known Exploited Vulnerabilities catalog continues listing Zimbra Collaboration Suite’s PHP Remote File Inclusion as actively exploited worldwide, with federal agencies facing strict patching deadlines while commercial exploitation continues unabated.
Explanation
Specially-crafted email attachments containing PHP remote file inclusion payloads execute arbitrary code when processed by vulnerable Zimbra installations. Attackers achieve persistence through scheduled task abuse and leverage email infrastructure for phishing campaign amplification and executive spear-phishing operations.
Impact
Complete email infrastructure compromise; weaponization of corporate email relays for phishing; executive communications interception and exfiltration; regulatory compliance failures across GDPR/HIPAA frameworks.
Details
MITRE ATT&CK: T1203 (Configuration File), T1053.005 (Scheduled Task/Job: Scheduled Task).
IOCs: Rogue PHP processes spawned from Zimbra services; anomalous external file fetch patterns; unexpected cron job entries.
Remediation
Execute CISA-mandated patching immediately; implement email relay micro-segmentation; deploy cron job behavioral monitoring across all mail infrastructure.
Takeaway for CISO
KEV catalog entries represent active nation-state exploitation—implement weekly automated vulnerability scanning against CISA’s catalog, phase out all legacy email infrastructure within 90 days, and maintain parallel monitoring systems for email security operations.
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
