Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

By Dan Schiappa, President, Technology and Services, Arctic Wolf Security operations is undergoing a fundamental shift. For years, organizations have focused primarily on detecting and responding to threats after they occur. But as attack surfaces expand across endpoints, cloud, identity, SaaS, and infrastructure, that reactive model is no longer enough.

A notable statistic continues to shape the cybersecurity research landscape: the human element remains involved in roughly 60% of all confirmed breaches. That’s according to the 2025 Verizon Data Breach Investigations Report (DBIR), which found that social engineering actions like phishing, pretexting, and credential misuse are consistently intertwined with today’s most common attack paths, even when they are not the first visible technical vector.

Since our previous security bulletin, Arctic Wolf has observed malicious activities in the wild tied to suspected exploitation of CVE-2026-1731 of self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. We are sharing threat intelligence related to this activity to help defenders protect against this campaign. CVE-2026-1731 allows unauthenticated remote threat actors to execute operating system commands in the context of the site user via specially crafted requests.

Today, the government of Canada issued a statement announcing that Arctic Wolf will continue to co-chair the Counter Ransomware Initiative Public-Private Sector Advisory Panel in 2026, alongside Public Safety Canada and BlackBerry. The panel will also include member organizations such as Ensign InfoSecurity, the Institute for Security and Technology, Microsoft, Palo Alto Networks, and the Royal United Service Institute.

On February 6, 2026, Fortinet released fixes for a critical vulnerability in FortiClientEMS, tracked as CVE-2026-21643. The flaw arises from improper neutralization of special elements used in SQL commands in the FortiClientEMS GUI (web interface) that can allow an unauthenticated remote threat actor to execute unauthorized code or commands.

On February 6, 2026, BeyondTrust released fixes for a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE‑2026‑1731. This vulnerability allows unauthenticated remote threat actors to execute operating system commands in the context of the site user via specially crafted requests.

Artificial intelligence (AI) is no longer an experimental capability in cybersecurity; it is foundational to modern security operations. Organizations are operating in environments defined by cloud-first infrastructure, remote and hybrid workforces, SaaS sprawl, and identity-centric attack patterns. At the same time, threat actors increasingly rely on automation and AI to accelerate reconnaissance, credential abuse, and post-compromise activity.

On February 2, 2026, the Notepad++ open source project disclosed new details about a supply chain compromise that impacted its update delivery infrastructure between June and December 2025. The attack was attributed to state-sponsored threat actors with links to China. In this campaign, the threat actors had gained access to a third-party hosting provider used by Notepad++ to distribute updates.

On January 29, 2026, Ivanti released fixes for two critical zero-day code injection vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, impact the In-House Application Distribution and Android File Transfer Configuration features and allow unauthenticated remote threat actors to achieve remote code execution.

On January 28, 2026, SolarWinds released fixes for multiple vulnerabilities impacting Web Help Desk (WHD). WHD is an IT service management platform that may contain sensitive information, making it a valuable target for threat actors if compromised. Among the vulnerabilities addressed, four were rated as critical: At the time of writing, Arctic Wolf has not observed exploitation of these vulnerabilities in the wild, nor identified a publicly available proof-of-concept exploit.