Actively exploited enterprise CVEs: focus of the last 7 days

The past seven days have given companies a clear picture: priority goes not to the "latest" reports, but to vulnerabilities with high technical severity and direct operational relevance that are confirmed to be actively exploited. Based on CISA KEV, NVD/CVE and vendor bulletins, five topics stand out in particular: two Roundcube cases in production mail environments, a critical hardcoded-credentials vulnerability in Dell RecoverPoint for VMs, an actively exploited Chromium flaw on endpoints and a legacy Windows component (ActiveX/ATL) that is once again operationally relevant.

Methodology: Only verified sources were considered. This article prioritizes vulnerabilities with confirmed active exploitation (KEV), CVSS ≥ 8.0 and clear enterprise impact on availability, integrity, access control or recoverability.

#1 Roundcube RCE (CVE-2025-49113): critical mail infrastructure under pressure

CISA added CVE-2025-49113 to the KEV catalog on 20.02.2026. This officially confirms active exploitation. Technically, this is a deserialization vulnerability in Roundcube Webmail, which, according to the NVD API, can enable remote code execution for authenticated users in affected versions. The severity is rated high to critical (NVD: CVSS 8.8, additional CNA rating 9.9).

This is particularly sensitive for companies because webmail systems are often operated close to the internet and are closely linked to identities, communication histories and internal workflows. A single compromised account can be enough to establish persistence on the mail host, siphon off confidential communication or attack other systems in the same segment. What's more, mail environments are business-critical in many companies. A successful attack therefore affects not only security metrics, but also day-to-day operational processes.

Prioritized measures: immediate version comparison against vendor fixes, hardening of authentication (MFA, session controls), review of upload and admin activity in the relevant time window and a targeted search for webshells and process anomalies on the affected hosts.

#2 Dell RecoverPoint for VMs (CVE-2026-22769): Root persistence via hardcoded credentials

The most critical development from an enterprise perspective in the period under review is CVE-2026-22769. CISA has listed the case in KEV since 18.02.2026, and NVD rates it at CVSS 10.0. According to Dell Advisory DSA-2026-079, the vulnerability affects RecoverPoint for Virtual Machines in versions prior to 6.0.3.1 HF1. The cause is hardcoded credentials that can give an unauthenticated remote attacker unauthorized access, up to and including root-level persistence.

Backup, replication and recovery components in particular are the "crown jewels" of operability in incident scenarios. If this layer is compromised, the risk of double damage increases: primary systems can be attacked while recovery paths are manipulated or sabotaged at the same time. Accordingly, this case is not just a classic patch issue, but a business continuity risk.

Operationally, this means that affected RP4VM instances must be inventoried immediately, vendor remediation must be prioritized, management access and network reachability must be tightly restricted, and follow-up checks for unknown accounts, changed configurations and anomalous root activity must be carried out.

#3 Chromium UAF (CVE-2026-2441): actively exploited endpoint entry point

CVE-2026-2441 was added to KEV on 17.02.2026 and is classified as high by NVD with CVSS 8.8. The bug is a use-after-free vulnerability in the CSS processing of Chromium/Chrome. In practice, this means that crafted websites or web content can be used for initial access - a pattern that recurs in many real-world attack chains.

Enterprise relevance is high because browsers are used across all roles: office, IT, admin, external service providers. Even if the exploit initially runs in a sandbox context, it can lead to data theft, session misuse or follow-up attacks at endpoint level when combined with other techniques. In addition, the widespread use of Chromium-based browsers acts as a multiplier across heterogeneous endpoint landscapes.

It is therefore important not only to roll out quickly, but also to verify the rollout: Which clients have actually been updated? Where are ring deployments stalled? Which special environments (VDI, kiosk, legacy images) have been left behind? At the same time, EDR telemetry should be checked for conspicuous browser follow-up processes and suspicious child process chains.

#4 Windows ActiveX/ATL (CVE-2008-0015): old vulnerability, new operational priority

With CVE-2008-0015, the current period shows an important pattern: "old" does not mean "irrelevant". CISA added the vulnerability to KEV on 17.02.2026. NVD continues to rate the severity as high (CVSS 8.8 via v3.1 metric; historically v2 9.3). It is a remote code execution issue in ActiveX/ATL components, documented in Microsoft bulletin MS09-037, among others.

For companies with legacy systems, special applications or incompletely modernized workplace images, this is more than just a historical special case. Such components often remain active in niches and only become visible in an incident. As soon as active exploitation is confirmed, it is not the age of the CVE that counts, but the actual exposure in the company's own inventory.

Recommendation: targeted identification of legacy dependencies, restrictive browser and zone policies, deactivation of unneeded legacy components and segmentation of particularly risky systems. Where short-term replacement is not possible, compensating controls and close monitoring are mandatory.

#5 Zimbra SSRF (CVE-2020-7796): Groupware as a pivot risk

CVE-2020-7796 was also added to KEV on 17.02.2026. NVD rates the case with CVSS 9.8 (critical). Affected is Zimbra Collaboration Suite before 8.8.15 Patch 7 in certain configurations (e.g. with WebEx zimlet/JSP components). Technically it is SSRF, but operationally it is more: potential access to internal resources via an exposed communication platform.

In modern corporate networks, groupware acts as a central hub for identities, appointments, contacts and internal communication. If SSRF can be exploited in this layer, it can serve as a bridge into areas that are otherwise shielded. This is particularly critical in environments with weak egress control or overly permissive internal access rules.

Priority is therefore given to unambiguous verification of the patch level on all Zimbra nodes, the restriction of unnecessary server-side outgoing connections and log and proxy analyses for unusual internal request patterns from the mail segment.
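One way to run the proxy-log analysis described above, as an added Python example that is not part of the original article or of any Zimbra tooling. The mail segment CIDR, the allowlist and the log layout are hypothetical, and the log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical values: adjust to the real mail segment and to the internal
# services the mail servers legitimately need to reach.
MAIL_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_INTERNAL = {ipaddress.ip_address("10.20.40.10")}

# Constructed egress-proxy lines: "timestamp source-ip method url".
SAMPLE_LOG = """\
2026-02-21T09:14:02Z 10.20.30.5 GET https://updates.example.org/feed.xml
2026-02-21T09:14:07Z 10.20.30.5 GET http://10.20.40.10/health
2026-02-21T09:15:31Z 10.20.30.5 GET http://10.99.1.17:8080/status
2026-02-21T09:15:33Z 10.20.30.5 GET http://127.0.0.1:8443/status
2026-02-21T09:16:40Z 10.50.1.9 GET http://10.99.1.17:8080/status
malformed line without enough fields
"""


def internal_target(url):
    """Return the destination IP if the URL points at an internal IP literal."""
    try:
        ip = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return None  # a hostname, not a literal: classify it via DNS logs
    return ip if (ip.is_private or ip.is_loopback or ip.is_link_local) else None


def suspicious_requests(log_text):
    """Return (timestamp, source, url) for requests from the mail segment to
    internal addresses that are not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, _method, url = parts
        try:
            if ipaddress.ip_address(src) not in MAIL_SEGMENT:
                continue
        except ValueError:
            continue
        target = internal_target(url)
        if target is not None and target not in ALLOWED_INTERNAL:
            hits.append((ts, src, url))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Requests to internal hostnames are not covered by the IP-literal check and need the resolver or DNS logs of the same time window.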

#6 What companies should implement now, within 48 hours

1) Exploited-first instead of CVSS-only: Immediately transfer KEV-listed cases with CVSS ≥ 8 to an accelerated remediation queue - including technical and functional responsibility per asset group.

2) Core systems close to the internet first: Prioritize mail, recovery, remote management and browser fleets. Where patches are not immediately possible: Temporarily reduce the attack surface (access restriction, segmentation, limit admin access).

3) Verification instead of ticket closure: Measure success not by "job done", but by the real status: version, service status, telemetry, ancillary systems, exceptions.

4) Retroactive check (at least 7 days): For the CVEs mentioned, search specifically for indicators of compromise (unusual authentication, new persistence artifacts, anomalous process chains, suspicious internal requests).

5) Management-ready reporting: Brief report for each topic with status "affected/not affected", degree of implementation, residual risk and next milestone. This speeds up decisions and prevents operational friction.
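Step 1 and the article's methodology reduce to a filter that can be scripted. The Python sketch below is an added example, not code from the article or from CISA/NVD: it applies the "added to KEV in the last 7 days" and CVSS ≥ 8.0 criteria to constructed records that reuse the dates and scores quoted above. The CVE-0000-* placeholder IDs, the owner names and the choice to take the highest available base score are assumptions.

```python
from datetime import date, timedelta

# Constructed records shaped like CISA KEV feed entries. The five real CVEs
# carry the "Date Added" values quoted above; CVE-0000-* are placeholders.
KEV = [
    {"cveID": "CVE-2025-49113", "dateAdded": "2026-02-20"},
    {"cveID": "CVE-2026-22769", "dateAdded": "2026-02-18"},
    {"cveID": "CVE-2026-2441", "dateAdded": "2026-02-17"},
    {"cveID": "CVE-2008-0015", "dateAdded": "2026-02-17"},
    {"cveID": "CVE-2020-7796", "dateAdded": "2026-02-17"},
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05"},  # outside window
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-19"},  # below threshold
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-02-19"},  # no score yet
]
# Base scores as quoted above (NVD, plus the CNA rating where given).
SCORES = {
    "CVE-2025-49113": [8.8, 9.9], "CVE-2026-22769": [10.0],
    "CVE-2026-2441": [8.8], "CVE-2008-0015": [8.8], "CVE-2020-7796": [9.8],
    "CVE-0000-0001": [9.1], "CVE-0000-0002": [6.1],
}
# Hypothetical owning teams; anything unmapped is surfaced as UNASSIGNED.
OWNERS = {"CVE-2025-49113": "mail-platform", "CVE-2020-7796": "mail-platform",
          "CVE-2026-22769": "backup-recovery", "CVE-2026-2441": "endpoint"}


def build_queue(kev, scores, owners, today, window_days=7, min_cvss=8.0):
    """Return (queue, unscored) for KEV entries added within the window.
    Unscored entries stay visible for manual triage instead of being dropped."""
    cutoff = today - timedelta(days=window_days)
    queue, unscored = [], []
    for entry in kev:
        added = date.fromisoformat(entry["dateAdded"])
        if not cutoff <= added <= today:
            continue
        known = scores.get(entry["cveID"])
        if not known:
            unscored.append(entry["cveID"])
            continue
        top = max(known)  # assumption: the most severe available rating wins
        if top >= min_cvss:
            queue.append({"cve": entry["cveID"], "cvss": top, "added": added,
                          "owner": owners.get(entry["cveID"], "UNASSIGNED")})
    # Highest score first; ties go to the entry listed in KEV longest.
    queue.sort(key=lambda item: (-item["cvss"], item["added"]))
    return queue, unscored


if __name__ == "__main__":
    print(build_queue(KEV, SCORES, OWNERS, today=date(2026, 2, 23)))
```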

#7 Sources

  • CISA - Known Exploited Vulnerabilities Catalog (entries with Date Added 17.-20.02.2026): https://www.cisa.gov/known-exploited-vulnerabilities-catalog (retrieved: 23.02.2026)
  • CISA Alert - Adds Two Known Exploited Vulnerabilities (Roundcube): https://www.cisa.gov/news-events/alerts/2026/02/20/cisa-adds-two-known-exploited-vulnerabilities-catalog (published: 20.02.2026; retrieved: 23.02.2026)
  • NVD API - CVE-2025-49113: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-49113 (lastModified: 20.02.2026; retrieved: 23.02.2026)
  • NVD API - CVE-2026-22769: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-22769 (published: 17.02.2026; retrieved: 23.02.2026)
  • Dell Security Advisory DSA-2026-079: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079 (retrieved: 23.02.2026)
  • NVD API - CVE-2026-2441: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-2441 (lastModified: 20.02.2026; retrieved: 23.02.2026)
  • NVD API - CVE-2008-0015: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2008-0015 (lastModified: 18.02.2026; retrieved: 23.02.2026)
  • Microsoft Security Bulletin MS09-037: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037 (retrieved: 23.02.2026)
  • NVD API - CVE-2020-7796: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2020-7796 (lastModified: 18.02.2026; retrieved: 23.02.2026)
  • Zimbra Releases - 8.8.15 Patch 7: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7 (retrieved: 23.02.2026)
  • BSI press image (featured image): https://www.bsi.bund.de/SharedDocs/Bilder/DE/Pressebilder_download/IT-Lagezentrum_1.jpg?__blob=poster&v=3 (retrieved: 23.02.2026)
