Cybersecuri-Tea Time: Brewing February 2026’s Issues

By examining the major cybersecurity incidents reported in February 2026, it becomes clear that infrastructure essential to organizational operations has increasingly become a primary target for attackers. From SD-WAN devices responsible for network connectivity, to mobile device management (MDM) servers, and file transfer servers, the core issues this month centered on systems that directly support enterprise operations.

While these systems are typically designed for internal use, they are often exposed to the public internet in real-world environments due to management convenience and remote operation requirements. Once this access point becomes visible to attackers, a single vulnerability can evolve from a simple software flaw into a direct entry path into an organization’s internal network.

This article reviews three major security issues reported in February 2026, analyzing the attack patterns demonstrated in each case and the practical risks they pose in operational environments. In addition, we summarize the exposure status of related assets identified using Criminal IP, along with security insights drawn from each case, to provide a realistic perspective for evaluating potential risks.

1. Cisco SD-WAN: A Zero-Day That Breaks the Perimeter (CVE-2026-20127)

Summary

One of the most impactful security issues in February was a zero-day vulnerability discovered in the Cisco SD-WAN solution (CVE-2026-20127, CVSS 9.8). SD-WAN serves as a critical component of modern enterprise infrastructure, connecting branch offices to headquarters networks. The vulnerability stems from a command-injection flaw in the vManage management console, allowing unauthenticated attackers to remotely gain system-level access and potentially manipulate or intercept network traffic across the entire environment. Shortly after its discovery, CISA added the vulnerability to the KEV catalog and urged organizations to take immediate action.

What makes this vulnerability particularly alarming is that attackers are not limited to compromising a single server. Instead, they can effectively gain control over an organization’s entire network system. If SD-WAN administrative privileges are compromised, attackers can intercept traffic between branches or disable security policies, creating pathways to move deeper into internal networks.

Analysis of Internet-Accessible Cisco Assets

Image showing the results of searching for HTTPS-based Cisco assets using Criminal IP Asset Search

Criminal IP Search Query: service:https AND product:Cisco 

Cisco devices and services are widely used across diverse network infrastructure environments, and their management interfaces or service portals are often operated over HTTPS. The query above identified 17,976 instances of Cisco-related assets providing HTTPS services. These search results are not limited to a specific product or vulnerability; rather, they are intended to determine the existence of Cisco infrastructure assets that are directly accessible from the internet. In particular, when management interfaces for network control devices such as SD-WAN are discoverable on the internet, the likelihood increases that attackers will attempt to identify them as potential entry points, regardless of whether a vulnerability is currently known.

Criminal IP Insights

If vulnerabilities such as the zero-day discovered in the Cisco SD-WAN solution are exploited, it effectively hands attackers the “master key” to an organization’s network security. Because SD-WAN devices reside in the management plane that controls network policies and connectivity across the entire organization, the compromise of a single device can quickly lead to broader access throughout the internal network.

As demonstrated in the Criminal IP Asset Search results above, the mere ability to identify related asset instances externally indicates the presence of a potential initial access path. In real-world environments, management interfaces are frequently exposed to the internet without the organization’s awareness. Therefore, the starting point of vulnerability response should not be patching alone, but gaining visibility into how corporate assets are identified and exposed from the outside. Early detection and restriction of externally accessible management interfaces is one of the most practical strategies for fundamentally reducing the risk of compromise affecting critical infrastructure such as SD-WAN.

2. Ivanti EPMM: Pre-Auth RCEs (CVE-2026-1281 / CVE-2026-1340)

Summary

Code injection vulnerabilities CVE-2026-1281 and CVE-2026-1340 were disclosed in Ivanti’s Endpoint Manager Mobile (EPMM). In particular, CVE-2026-1281 was observed being targeted by large-scale automated scanning and real-world exploitation shortly after its public disclosure. One of the most notable aspects of this issue is the activity of Initial Access Brokers (IABs). Instead of immediately exfiltrating data from vulnerable servers, these actors implant memory-resident malicious code known as “Sleeper” webshells to establish persistent access.

This approach is designed to secure long-term access while avoiding immediate detection. Attackers may later sell the access to other threat actors or use the compromised system as a foothold for subsequent attacks. In observed incidents, the malware was not executed immediately but was instead configured to activate only when specific conditions or triggers were met.

Image showing results of searching Ivanti-related assets using Criminal IP Asset Search

Criminal IP Search Query: title: Ivanti

A search for Ivanti-related exposed assets using Criminal IP Asset Search identified a total of 190,275 instances. This indicates that a significant number of Ivanti-based systems are exposed to the internet, making them likely priority targets for attacker reconnaissance. In addition, some assets were found to have both high risk scores and multiple vulnerabilities, suggesting the need for immediate security inspection.

Criminal IP Insights

Ivanti EPMM is a core MDM (Mobile Device Management) infrastructure used to manage mobile device policies and authentication systems within organizations. If the management interface is exposed and accessible from the internet, the risk of vulnerability exploitation increases significantly. In many cases, such management platforms are unintentionally exposed to the public internet due to operational convenience or remote administration requirements. Therefore, the key response measure is not only applying vulnerability patches but also verifying whether externally accessible management interfaces exist. Additionally, considering the possibility of compromise prior to patching, organizations should conduct access log reviews and IOC-based investigations. If necessary, procedures such as restarting application servers should also be carried out to remove potential traces of malicious code.

3. SolarWinds Serv-U: Four Critical RCE Vulnerabilities Targeting File Transfer Servers

Summary

Four critical RCE (Remote Code Execution) vulnerabilities have been patched simultaneously in SolarWinds Serv-U, a platform commonly used by organizations to transfer confidential data.

  • CVE-2025-40538
  • CVE-2025-40539
  • CVE-2025-40540
  • CVE-2025-40541

These vulnerabilities allow attackers to create system administrator accounts or execute arbitrary code with root privileges. Although exploitation requires a relatively high level of initial access, if even a single account is compromised through methods such as phishing or credential stuffing, the entire file server can effectively become controlled by the attacker. Because file transfer servers sit at a critical gateway where internal organizational data moves externally, a compromise can lead not only to service disruption but also to large-scale data exfiltration.

Analysis Results of Internet-Exposed Serv-U Assets

Image showing results of searching Serv-U–related assets using Criminal IP Asset Search

Criminal IP Search Query: product:Serv-U

The query above is designed to identify Serv-U software and discover Serv-U instances visible on the internet. The search identified 263,382 instances in total. This result indicates that Serv-U–based file transfer servers are widely deployed across various enterprise and organizational environments. Because file transfer servers often handle data exchange between internal systems and external users or partners, the scale of internet-identifiable instances itself can be interpreted as an indicator of the potential attack surface.

However, the results above represent the total number of assets where Serv-U is identified, and it is still necessary to determine how many of those services are directly accessible from the internet. To examine this more closely, an additional analysis was conducted on Serv-U instances where web-based services respond externally.

Image showing results of searching HTTPS-based Serv-U assets using Criminal IP Asset Search

Criminal IP Search Query: product:"Serv-U" AND service:https

The filtered query above identifies systems where Serv-U software is detected and HTTPS-based services respond externally. Since Serv-U often provides web-based management interfaces or file transfer portals over HTTPS, this query helps identify Serv-U service endpoints that are directly accessible from the internet.

The results showed 2,271 exposed assets. This indicates that a portion of Serv-U-based file transfer servers are operating in a configuration that allows direct access from the public internet. If these systems are running vulnerable versions or have weak administrative account security, a compromise could lead not only to a single service breach but also to internal data access or additional intrusion pathways.
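The four queries in this article share one shape: `field:value` terms joined with AND, with the value optionally quoted. The script below is an added example, not part of the original post and not Criminal IP's API or query grammar. It evaluates that shape against a small asset inventory constructed here, then performs the step the insights sections recommend: comparing the hits against the list of interfaces the organization actually intended to expose and ordering the remainder by risk score and known CVE count. The inventory, the IP addresses, the risk scores and the `intended_public` allowlist are all assumptions made for illustration.

```python
"""Evaluate simple 'field:value AND field:value' queries against a local inventory.

Added example: a toy evaluator mirroring the query shape shown in the article.
It is NOT the Criminal IP API; the inventory below is constructed, not real.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    product: str
    service: str
    title: str
    score: int               # constructed 0-100 risk score
    cves: list = field(default_factory=list)


# Constructed inventory (documentation address ranges, not real hosts).
INVENTORY = [
    Asset("192.0.2.10", "Cisco vManage", "https", "Cisco vManage", 92, ["CVE-2026-20127"]),
    Asset("192.0.2.11", "Cisco IOS", "ssh", "", 40, []),
    Asset("198.51.100.5", "Ivanti EPMM", "https", "Ivanti EPMM Login", 88,
          ["CVE-2026-1281", "CVE-2026-1340"]),
    Asset("198.51.100.6", "Serv-U", "https", "Serv-U Web Client", 75, ["CVE-2025-40538"]),
    Asset("198.51.100.7", "Serv-U", "ftp", "", 30, []),
    Asset("203.0.113.9", "nginx", "https", "Welcome", 5, []),
]


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split 'field:value AND field:"value"' into lower-cased (field, value) terms.

    Values may be wrapped in straight or curly quotes, as happens when a query
    is copied from a web page."""
    terms = []
    for raw in query.split(" AND "):
        fld, _, val = raw.strip().partition(":")
        val = val.strip().strip('"\u201c\u201d')
        terms.append((fld.strip().lower(), val.lower()))
    return terms


def matches(asset: Asset, terms: list[tuple[str, str]]) -> bool:
    """Case-insensitive substring match on each named string field."""
    for fld, val in terms:
        current = getattr(asset, fld, None)
        if not isinstance(current, str) or val not in current.lower():
            return False
    return True


def search(query: str, inventory=INVENTORY) -> list[Asset]:
    terms = parse_query(query)
    return [a for a in inventory if matches(a, terms)]


def triage(query: str, intended_public: set[str], inventory=INVENTORY):
    """Return (ip, score, cves) for matches NOT on the allowlist, highest risk first.

    The allowlist records which exposures the organization meant to have; anything
    else that answers the query is an unexpected external entry point to review."""
    hits = [a for a in search(query, inventory) if a.ip not in intended_public]
    hits.sort(key=lambda a: (a.score, len(a.cves)), reverse=True)
    return [(a.ip, a.score, a.cves) for a in hits]


if __name__ == "__main__":
    for q in ("service:https AND product:Cisco", "title: Ivanti",
              "product:Serv-U", 'product:"Serv-U" AND service:https'):
        print(q, "->", [a.ip for a in search(q)])
    # Assumed: only the nginx host is meant to be reachable from the internet.
    for ip, score, cves in triage("service:https", {"203.0.113.9"}):
        print(f"review {ip}: score={score} cves={cves}")
```

The substring match is deliberately loose, in the same spirit as `product:Cisco` returning every Cisco product; the allowlist comparison is where the real signal comes from, because a management interface that answers externally and is not on the intended list is exactly the "exposed without the organization's awareness" case the article describes.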

Criminal IP Insights

File transfer servers such as Serv-U serve as critical infrastructure for exchanging data between internal systems and external partners, which means a compromise can easily lead to the leakage of sensitive information. These services are often directly exposed to the internet to support operational convenience or external collaboration, making them attractive targets for attackers.

For Serv-U environments, it is therefore important to apply the latest software updates while strengthening administrative account security, such as enabling multi-factor authentication (MFA) and restricting access by authorized IP addresses. Organizations should also verify whether file transfer servers are directly identifiable from the public internet and minimize unnecessary external access wherever possible.

FAQ

Q1 Why do operational infrastructures such as SD-WAN, MDM, and file transfer servers become major targets for attackers?

These systems function as core operational infrastructure responsible for network connectivity, device management, and data exchange within an organization. If attackers gain control of such systems, the impact can extend far beyond a single compromised server. They may be able to modify network configurations, control user devices, or access internal data across the organization.

In particular, when management interfaces or control planes are exposed externally, even a single vulnerability can significantly increase the likelihood of attackers obtaining high-privilege access. For this reason, attackers often prioritize these infrastructures as primary targets.

Q2 What actions should organizations prioritize once a vulnerability has been disclosed?

The first and most basic response is to apply the relevant security patch as quickly as possible. However, in cases where real-world exploitation has already been observed, such as the Ivanti EPMM incident, it is important to consider the possibility that a compromise may have occurred before the patch was applied. Therefore, even after patching, organizations should conduct additional verification procedures, including reviewing access logs, checking for unauthorized account changes, and investigating suspicious administrative login activity to determine whether a breach has occurred.

It is also important to verify whether the management interface is directly accessible from the public internet. If necessary, appropriate access controls or network restrictions should be implemented.
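Q2 recommends reviewing access logs for unauthorized account changes and suspicious administrative logins even after the patch is in. The script below is an added example, not from the article and not any vendor's tooling, that runs three such checks over a handful of access log lines constructed here in the common combined log format: administrative paths reached from outside the expected admin network, account-management requests on the console, and bursts of failed console logins followed by a success. The `/admin/...` paths, the `192.0.2.0/24` admin range and the thresholds are assumptions to be adapted to the product's real log layout.

```python
"""Post-disclosure review of management-console access logs.

Added example (not part of the original article). The log lines are constructed
in combined-log style; the /admin/ paths and admin network are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed admin range
FAILED_LOGIN_THRESHOLD = 5                              # this many 401s ...
FAILED_LOGIN_WINDOW_S = 60                              # ... within this window

# Constructed sample: one legitimate admin login, a credential-guessing burst
# from an outside address that eventually succeeds and then creates an account.
SAMPLE_LOG = [
    '192.0.2.50 - admin [11/Feb/2026:09:12:01 +0000] "POST /admin/login HTTP/1.1" 200 512',
    '203.0.113.77 - - [11/Feb/2026:02:40:11 +0000] "POST /admin/login HTTP/1.1" 401 0',
    '203.0.113.77 - - [11/Feb/2026:02:40:12 +0000] "POST /admin/login HTTP/1.1" 401 0',
    '203.0.113.77 - - [11/Feb/2026:02:40:13 +0000] "POST /admin/login HTTP/1.1" 401 0',
    '203.0.113.77 - - [11/Feb/2026:02:40:14 +0000] "POST /admin/login HTTP/1.1" 401 0',
    '203.0.113.77 - - [11/Feb/2026:02:40:15 +0000] "POST /admin/login HTTP/1.1" 401 0',
    '203.0.113.77 - svc_backup [11/Feb/2026:02:40:20 +0000] "POST /admin/login HTTP/1.1" 200 512',
    '203.0.113.77 - svc_backup [11/Feb/2026:02:41:02 +0000] "POST /admin/users HTTP/1.1" 201 88',
    '192.0.2.51 - - [11/Feb/2026:10:05:00 +0000] "GET /files/report.pdf HTTP/1.1" 200 4096',
]


def parse(lines):
    """Turn log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def is_admin_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def review(lines):
    """Return a list of (rule, ip, detail) findings for a human to follow up."""
    events = parse(lines)
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of 401s on the login path
    outside = defaultdict(int)     # ip -> admin-path requests from outside ADMIN_NETS

    for e in events:
        if e["path"].startswith("/admin/"):
            if not is_admin_ip(e["ip"]):
                outside[e["ip"]] += 1
            # Any account creation/modification on the console deserves a look.
            if e["path"] == "/admin/users" and e["method"] in ("POST", "PUT", "DELETE"):
                findings.append(("account_change", e["ip"],
                                 f'{e["method"]} by {e["user"]} at {e["ts"].isoformat()}'))
        if e["path"] == "/admin/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])

    for ip, n in outside.items():
        findings.append(("admin_path_from_unexpected_ip", ip, f"{n} requests"))

    for ip, times in failures.items():
        times.sort()
        # Sliding window: do THRESHOLD failures fall within WINDOW seconds?
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            last = times[i + FAILED_LOGIN_THRESHOLD - 1]
            if (last - times[i]).total_seconds() <= FAILED_LOGIN_WINDOW_S:
                later_ok = any(x["ip"] == ip and x["path"] == "/admin/login"
                               and x["status"] == 200 and x["ts"] > last for x in events)
                findings.append(("failed_login_burst", ip,
                                 "followed by successful login" if later_ok else "no later success"))
                break
    return findings


if __name__ == "__main__":
    for rule, ip, detail in review(SAMPLE_LOG):
        print(f"{rule:32} {ip:16} {detail}")
```

A burst of failures followed by a success from the same outside address, then an account change, is the sequence Q2 is asking you to look for; the script only surfaces it, and the follow-up (confirming whether `svc_backup` was meant to exist and whether that address should ever reach the console) is the investigation step.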

Conclusion

The security issues observed in February 2026 highlight not the emergence of entirely new attack techniques, but how quickly internet-exposed operational infrastructure can become an attack pathway. SD-WAN manages the control plane of an organization’s network, EPMM serves as the core platform for mobile device management, and Serv-U operates as a data transfer gateway connecting internal systems with external parties. Once these critical systems become identifiable from the internet, vulnerabilities are no longer just technical flaws; they can quickly evolve into real-world intrusion scenarios.

Ultimately, the starting point of effective security defense is not simply applying patches, but gaining visibility into how an organization’s infrastructure appears from the outside. By using attack surface management solutions such as Criminal IP ASM, organizations can first identify assets that are externally discoverable and continuously verify whether management interfaces are exposed. A security framework built on this level of visibility represents one of the most practical defense strategies for protecting modern enterprise infrastructure today.

For related coverage, see Cybersecuri-Tea Time: Brewing January 2026’s Issues.

You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io/ko), SecurityWeek (https://www.securityweek.com/solarwinds-patches-four-critical-serv-u-vulnerabilities/), The Hacker News (https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html), Help Net Security (https://www.helpnetsecurity.com/2026/02/11/ivanti-epmm-sleeper-webshell/)

Related article: https://www.criminalip.io/knowledge-hub/blog/32523