Acronis
March 02, 2026

MSP cybersecurity news digest, February 23, 2026

Critical BeyondTrust pre-auth RCE exploited in the wild, CISA demands immediate remediation, AI platforms like Copilot and Grok demonstrated as covert C2 proxies in new attack technique, and more. Here are the latest threats to MSP security.

Author: Acronis Threat Research Unit

On this page
Google issues emergency fix for actively exploited Chrome zero day (CVE-2026-2441)
Critical BeyondTrust pre-auth RCE exploited in the wild, CISA demands immediate remediation
UNC6201 leveraged Dell RecoverPoint zero day to gain access and deploy Grimbolt malware
AI platforms like Copilot and Grok demonstrated as covert C2 proxies in new attack technique
Ransomware incident hits Advantest, prompting system isolation and forensic investigation

Google issues emergency fix for actively exploited Chrome zero day (CVE-2026-2441)

Google issued emergency updates for Chrome to fix CVE-2026-2441, a high-severity zero day with confirmed in-the-wild exploitation, making it an immediate priority for managed endpoint populations and shared workstation environments.

The flaw is a use-after-free in Chrome's CSS handling, affecting versions prior to the fixed releases. A crafted web page can trigger it to corrupt renderer memory, which for this bug class is typically the first link in a code-execution chain. Google has not published exploit details, but the in-the-wild flag alone warrants rapid rollout, and verification should confirm the installed version, not just the update status: Chrome does not run the new build until the browser is relaunched, so long-lived sessions stay on the vulnerable version.

Operationally, browser zero days compress the window between exposure and compromise and can become an initial access vector that bypasses perimeter controls — especially on endpoints used for admin portals, PSA / RMM consoles, and Microsoft 365 / SaaS workflows.

Critical BeyondTrust pre-auth RCE exploited in the wild, CISA demands immediate remediation

CISA directed federal agencies to remediate BeyondTrust Remote Support / Privileged Remote Access CVE-2026-1731 within three days due to active exploitation, emphasizing that exposed remote-support infrastructure is a high-value, high-velocity target class.

The issue is an OS command injection leading to unauthenticated remote code execution, affecting specified on-premises versions; BeyondTrust noted exploitation can enable system compromise, including unauthorized access, data exfiltration and service disruption.

The broader implication is repeatable: Remote-access and support tooling often sits close to privileged workflows, so a single pre-auth RCE can become a stepping stone to domain compromise, credential theft and ransomware staging — especially where external exposure and patch latency overlap.
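To make the vulnerability class concrete, the following added example shows how an OS command injection turns unauthenticated input into command execution, and the two fixes that close it. This is illustration code written for this digest, not BeyondTrust's code: the `diagnose_*` handlers, the `target` parameter and the use of `printf` in place of a real diagnostic command are assumptions chosen so the demo runs offline.

```python
import re
import subprocess

# Added illustration of the OS command injection class behind an
# unauthenticated RCE such as the one described above. Not BeyondTrust's
# code: the handler names, the `target` parameter and printf standing in
# for a real diagnostic tool are assumptions so the demo runs offline.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def diagnose_vulnerable(target: str) -> str:
    """Pre-auth handler that splices user input into a shell string.

    Everything in `target` is parsed by /bin/sh, so `;`, `|`, `$(...)`
    and backticks all become attacker-controlled commands.
    """
    cmd = f"printf 'target=%s\\n' {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diagnose_argv_only(target: str) -> str:
    """No shell: the input is a single argv element and cannot spawn commands.

    Metacharacters survive as literal text, so this alone stops injection
    but still forwards unvalidated input to the downstream tool.
    """
    return subprocess.run(["printf", "target=%s\n", target],
                          capture_output=True, text=True).stdout


def diagnose_hardened(target: str) -> str:
    """argv list plus a strict allow-list on the value: defence in depth."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return diagnose_argv_only(target)


if __name__ == "__main__":
    payload = "localhost; echo INJECTED"
    print(repr(diagnose_vulnerable(payload)))   # the injected command ran
    print(repr(diagnose_argv_only(payload)))    # literal text, nothing ran
    try:
        diagnose_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
```

The argv-list form is the decisive fix; the allow-list is there so that input which is not a plausible hostname is rejected before it reaches any tool at all, which is the behaviour an externally exposed, pre-authentication endpoint should have.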

UNC6201 leveraged Dell RecoverPoint zero day to gain access and deploy Grimbolt malware

Researchers disclosed that UNC6201 exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines via a hardcoded credential, with activity dating back to mid-2024, demonstrating long-lived exploitation paths when “infrastructure-grade” components are overlooked.

Dell warned the weakness can allow an unauthenticated remote attacker who knows the embedded credential to gain unauthorized OS access and establish root-level persistence; once inside, the actor deployed multiple payloads including Grimbolt and referenced lineage from Brickstorm.

The security implication is that backup / recovery-adjacent systems and hypervisor-connected components can be used as durable pivots for lateral movement, stealthy persistence and “living-off-the-environment” operations, complicating containment in hybrid VMware estates.

AI platforms like Copilot and Grok demonstrated as covert C2 proxies in new attack technique

Researchers described how AI assistants (e.g., Grok, Microsoft Copilot) with URL fetching / web browsing can be repurposed as an intermediary layer for C2 traffic, allowing attacker instructions and responses to blend into legitimate enterprise application usage.

In the proof-of-concept model, malware avoids direct C2 calls and instead drives an AI web interface (including via WebView2 scenarios) to fetch attacker-controlled resources and return content through AI outputs, supporting command delivery and potential data retrieval workflows.

The implication is a growing class of “legitimate service as transport” techniques, where defenders must rely more heavily on endpoint behavior, identity signals and cross-domain correlation — because network indicators can resemble normal SaaS access patterns.
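Since the network layer looks like ordinary SaaS traffic, the signals left are the ones the paragraph names: which process talks to the AI service, who its parent is, and whether the cadence looks human. The following added example (not code from the original research or from this digest) runs two such checks over a small set of constructed endpoint events. The hostnames, the expected-parent list, the `msedgewebview2.exe` host-process naming and the jitter threshold are assumptions to be tuned per estate; the telemetry format is invented for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Added detection sketch for "AI service as C2 transport". Hostnames,
# process names and thresholds below are assumptions for illustration.
AI_SERVICE_HOSTS = {"copilot.microsoft.com", "grok.com"}
EXPECTED_PARENTS = {"msedge.exe", "chrome.exe", "Teams.exe", "OUTLOOK.EXE", "explorer.exe"}
MIN_EVENTS = 4        # need a few samples before judging periodicity
MAX_JITTER = 0.15     # stdev/mean of inter-request gaps; this low means machine-timed

# Constructed telemetry, not real logs: "<iso time> <process> <parent> <dest host>".
# A user browsing Copilot, a WebView2 host beaconing to grok.com once a minute
# from an odd parent, and a legitimate Teams-embedded WebView2.
SAMPLE_LOG = """\
2026-02-23T09:00:00 msedge.exe explorer.exe copilot.microsoft.com
2026-02-23T09:03:17 msedge.exe explorer.exe copilot.microsoft.com
2026-02-23T09:11:42 msedge.exe explorer.exe copilot.microsoft.com
2026-02-23T09:12:05 msedge.exe explorer.exe copilot.microsoft.com
2026-02-23T09:40:00 msedgewebview2.exe updater.exe grok.com
2026-02-23T09:41:00 msedgewebview2.exe updater.exe grok.com
2026-02-23T09:42:01 msedgewebview2.exe updater.exe grok.com
2026-02-23T09:43:00 msedgewebview2.exe updater.exe grok.com
2026-02-23T09:44:01 msedgewebview2.exe updater.exe grok.com
2026-02-23T10:00:00 msedgewebview2.exe Teams.exe copilot.microsoft.com
2026-02-23T10:02:30 msedgewebview2.exe Teams.exe copilot.microsoft.com
"""


def parse(log: str):
    """Parse the constructed format into (timestamp, process, parent, host)."""
    events = []
    for line in log.splitlines():
        ts, proc, parent, host = line.split()
        events.append((datetime.fromisoformat(ts), proc, parent, host))
    return events


def jitter(times):
    """Coefficient of variation of the gaps between consecutive requests."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return 0.0 if avg == 0 else pstdev(gaps) / avg


def find_suspicious(events):
    """Return (process, parent, host, reason) for AI-service traffic that
    comes from an unexpected parent or shows beacon-like regularity."""
    groups = defaultdict(list)
    for ts, proc, parent, host in events:
        if host in AI_SERVICE_HOSTS:
            groups[(proc, parent, host)].append(ts)
    findings = []
    for (proc, parent, host), times in groups.items():
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if len(times) >= MIN_EVENTS and jitter(sorted(times)) < MAX_JITTER:
            reasons.append("machine-timed request cadence")
        if reasons:
            findings.append((proc, parent, host, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse(SAMPLE_LOG)):
        print(finding)
```

Neither check is conclusive on its own: a legitimate automation can have an odd parent, and a human can be briefly regular. Requiring both, or correlating either with an identity signal such as the AI session not belonging to the logged-on user, is what turns this from a hunt query into an alert.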

Ransomware incident hits Advantest, prompting system isolation and forensic investigation

Advantest disclosed that an intruder accessed parts of its corporate network and deployed ransomware, with unusual activity detected on February 15 and a continuing investigation into whether customer or employee data was affected.

The company stated it isolated impacted systems and engaged third-party specialists; at the time of reporting, data theft was not confirmed, reflecting a common operational reality where encryption/impact is observed before exfiltration conclusions are finalized.

The broader implication for MSPs and enterprises is that ransomware response hinges on speed: Rapid isolation, clean restore paths and evidence preservation reduce downtime and limit escalation, especially when attacker dwell time and lateral movement are still being established.