Threat Intel Weekly #08 — Week ending 24 Feb 2026
This week's digest covers 8 critical and 6 high-severity CVEs published between 2026-02-17 and 2026-02-24, plus 8 new CISA Known Exploited Vulnerabilities.
📅 Coverage period: 2026-02-17 → 2026-02-24 | 14 CVEs reviewed | 8 CISA KEV additions
🔴 Critical Vulnerabilities (CVSS ≥ 9.0)
🔴 CVE-2026-22208 (CVSS 9.6)
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries.
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail
⚠️ Action Required:
Analysis: Loading all default Lua libraries enables OS command execution if portrayal scripts or datasets are attacker-controlled. This can result in full remote code execution.
Mitigation:
- Upgrade to a version including commit 753cf29 or later.
- Disable or restrict Lua portrayal processing if not required.
- Run the service under a least-privileged account.
- Apply OS-level sandboxing (AppArmor/SELinux) or container isolation.
- Validate and strictly control any external S-100 datasets.
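One way to apply the "restrict Lua" mitigation for CVE-2026-22208, shown as an added example (not OpenS100 code and not the change made in commit 753cf29): load each script as text into a whitelisted environment rather than the full standard library. It assumes Lua 5.2 or later; `make_env` and `run_untrusted` are hypothetical names and the sample scripts are constructed.

```lua
-- Added example: run an untrusted chunk against a whitelist instead of the
-- full standard library. Requires Lua 5.2+ (load() with mode and env).
-- make_env and run_untrusted are hypothetical names, not OpenS100 code.

local function pick(lib, names)
  local out = {}
  for _, n in ipairs(names) do out[n] = lib[n] end
  return out
end

-- Fresh table per run so one script cannot poison the next one's globals.
local function make_env()
  return {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tonumber = tonumber, tostring = tostring, error = error, pcall = pcall,
    math   = pick(math,   {"abs", "ceil", "floor", "max", "min", "sqrt"}),
    string = pick(string, {"find", "format", "len", "lower", "sub", "upper"}),
    table  = pick(table,  {"concat", "insert", "remove", "sort"}),
    -- Deliberately absent: os, io, package, require, debug, dofile,
    -- loadfile, load, and the real _G.
  }
end

local function run_untrusted(src, chunkname)
  -- Mode "t" accepts source text only and rejects precompiled bytecode.
  local fn, err = load(src, chunkname, "t", make_env())
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed sample scripts.
local benign = [[ return string.format("%.1f", math.max(1.5, 2.5)) ]]
local probe = [[
  local found = {}
  for _, n in ipairs({"os", "io", "package", "require", "debug",
                      "dofile", "loadfile", "load"}) do
    if _ENV[n] ~= nil then found[#found + 1] = n end
  end
  return #found, table.concat(found, ",")
]]

print("benign  ", run_untrusted(benign, "=benign"))
print("probe   ", run_untrusted(probe, "=probe"))
print("bytecode", run_untrusted("\27Lua", "=bytecode"))
```

This limits which functions a script can name; it does not bound CPU or memory, and string methods called as `s:method()` still resolve through the real string library's metatable. Keep the least-privilege account and OS-level isolation from the list above in place alongside it.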
🟠 CVE-2026-2616 (CVSS 8.8)
A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack must be initiated within the local network.
Severity: High | Attack Vector: ADJACENT_NETWORK
References: NVD · CVE Detail
⚠️ Action Required:
Analysis: Hard-coded credentials allow unauthorized administrative access from within the LAN. This enables lateral movement and network compromise.
Mitigation:
- Upgrade firmware beyond 01.00.09 (if available).
- Disable remote/web management from non-admin VLANs.
- Restrict access via firewall ACLs.
- Rotate all network credentials.
- Replace the device if no patch is available.
🔴 CVE-2026-23647 (CVSS 9.8)
Glory RBG-100 recycler systems using the ISPK-08 software component contain hard-coded operating system credentials allowing remote authentication to the underlying Linux system.
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail
⚠️ Action Required:
Analysis: Embedded Linux credentials (including administrative accounts) allow full system takeover. In financial or cash-handling environments, this presents operational disruption and fraud risk.
Mitigation:
- Apply vendor security updates immediately.
- Isolate devices in a dedicated VLAN.
- Block internet exposure and restrict management ports.
- Monitor SSH and admin authentication logs.
- Use jump hosts for administrative access.
🟡 CVE-2025-33089 (CVSS 6.5)
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard-coded user credentials.
Severity: Medium | Attack Vector: NETWORK
References: NVD · CVE Detail
⚠️ Action Required:
Analysis: Hard-coded credentials may enable unauthorized access to orchestration workflows and integrated systems.
Mitigation:
- Upgrade to IBM Concert 2.1.1 or later.
- Rotate all application/service account credentials.
- Review audit logs for suspicious access.
- Enforce least privilege on integration accounts.
🔴 CVE-2026-22769 (CVSS 10)
Dell RecoverPoint for Virtual Machines (prior to 6.0.3.1 HF1) contains a hardcoded credential vulnerability allowing unauthenticated remote access.
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail
⚠️ Action Required:
Analysis: CVSS 10.0 and added to CISA KEV. Compromise could allow backup tampering, ransomware staging, or full virtual infrastructure takeover.
Mitigation (PRIORITY 1):
- Upgrade to 6.0.3.1 HF1 or later immediately.
- Restrict management access to dedicated admin networks.
- Rotate all credentials post-upgrade.
- Validate backup integrity and access logs.
- Treat backup infrastructure as Tier 0 critical systems.
🟠 High Severity Vulnerabilities (CVSS 7.0–8.9)
| CVE ID | CVSS | Summary |
|---|---|---|
| CVE-2026-1216 | 7.2 | The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting. |
| CVE-2025-7631 | 8.6 | SQL Injection vulnerability allowing database compromise. |
| CVE-2026-2617 | 6.3 | Beetel 777VR1 web component vulnerability. |
| CVE-2026-23648 | 7.8 | Glory RBG-100 system binaries vulnerability. |
| CVE-2026-2618 | 3.7 | Beetel 777VR1 component issue. |
🚨 CISA Known Exploited Vulnerabilities — Added This Week
The following vulnerabilities were added to CISA's KEV Catalog and are actively exploited in the wild:
| CVE ID | Product | Vulnerability | Due Date |
|---|---|---|---|
| CVE-2025-49113 | Roundcube Webmail | Deserialization of Untrusted Data | 2026-03-13 |
| CVE-2025-68461 | Roundcube Webmail | Cross-Site Scripting | 2026-03-13 |
| CVE-2021-22175 | GitLab | Server-Side Request Forgery (SSRF) | 2026-03-11 |
| CVE-2026-22769 | Dell RP4VMs | Hard-coded Credentials | 2026-02-21 |
| CVE-2020-7796 | Zimbra Collaboration Suite | Server-Side Request Forgery | 2026-03-10 |
| CVE-2024-7694 | ThreatSonar Anti-Ransomware | Unrestricted File Upload | 2026-03-10 |
| CVE-2008-0015 | Microsoft Windows | Video ActiveX Control RCE | 2026-03-10 |
| CVE-2026-2441 | Google Chromium | CSS Use-After-Free | 2026-03-10 |
Federal agencies must remediate these by the due dates listed. Non-federal organizations should prioritize them accordingly.
📌 This Week's TL;DR
- Patch CVE-2026-22208 — Upgrade or sandbox Lua immediately to prevent RCE.
- Patch CVE-2026-2616 — Update or replace affected Beetel routers; restrict management access.
- Patch CVE-2026-23647 — Segment and patch Glory systems urgently.
- Patch CVE-2025-33089 — Upgrade IBM Concert and rotate credentials.
- URGENT: Patch CVE-2026-22769 (KEV, CVSS 10) — Immediate update required; backup infrastructure is a ransomware target.
--
Next edition publishes next Friday. Have a threat feed, IOC, or CVE you want covered? Reach me at the contact page.