Weekly Cyber Briefing 20.02.2026

Weekly Cyber Update: 20 February 2026

A multi-year Dell zero-day campaign, more OpenClaw threats, several issues in popular password managers, and a worrying bug in Microsoft 365 Copilot

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Chinese hackers exploit Dell zero-day since 2024

A suspected Chinese APT group has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since 2024, a new Mandiant report has revealed. CVE-2026-22769 is a hardcoded credential bug with a maximum CVSS score of 10.0. It could allow an unauthenticated attacker with knowledge of the credential to access the underlying OS and gain root-level persistence. The cyber-espionage group (UNC6201) may have achieved initial access by compromising edge devices.

Why it matters

The report highlights the sophistication of state-backed groups, and their targeting of backup/resilience infrastructure like the Dell product. UNC6201 created ‘Ghost NICs’ (temporary network ports) on VMware VMs to bypass traditional network monitoring.

Assured’s recommended action

Follow the remediation guidance in Dell’s security advisory. Look for indicators of compromise (IoCs) published by Mandiant.


More security woes for OpenClaw users

Researchers have found more reasons for CISOs to be on high alert for OpenClaw use in the enterprise. Hudson Rock discovered what it claims to be the first live infostealer attack on an instance. It was able to capture the “entire operational context” of the victim’s AI assistant. Separately, six new vulnerabilities were patched by OpenClaw, fixing a range of server-side request forgery (SSRF), missing authentication and path traversal issues.

Why it matters

By compromising OpenClaw, threat actors can gain access to enterprise secrets, calendar items, internal messages and employee activities/schedules.

Assured’s recommended action

Treat OpenClaw as a security risk. Update acceptable use policy to ban installations. Contain the threat by blocking outbound traffic to openclaw.ai, and enforcing zero trust network access. Hunt for shadow usage with EDR or network-based tools (default port 18789).
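As an added illustration of the hunt recommended above (not code from the briefing, Assured or OpenClaw), the sketch below scans exported flow records for the two indicators the briefing names: outbound traffic to openclaw.ai and use of default port 18789. The four-column CSV layout, the host names and the sample records are constructed assumptions; adapt the parsing to whatever your EDR or network tool exports.

```python
import csv
from collections import defaultdict
from io import StringIO

OPENCLAW_DOMAIN = "openclaw.ai"   # domain named in the briefing
OPENCLAW_PORT = 18789             # default port named in the briefing

# Constructed sample records. Assumed export format: time,src_host,dst,dst_port
SAMPLE_FLOWS = """\
2026-02-20T09:01:12Z,wks-014,api.openclaw.ai,443
2026-02-20T09:01:40Z,wks-014,127.0.0.1,18789
2026-02-20T09:02:05Z,wks-022,notopenclaw.ai,443
2026-02-20T09:03:31Z,wks-031,OpenClaw.AI.,443
2026-02-20T09:04:02Z,srv-007,10.0.4.15,18789
2026-02-20T09:05:47Z,wks-022,openclaw.ai.example.com,443
2026-02-20T09:06:10Z,wks-040,intranet.example.com,8443
"""

def is_openclaw_host(name: str) -> bool:
    """True for openclaw.ai or any subdomain, matched on a label boundary."""
    host = name.strip().rstrip(".").lower()
    return host == OPENCLAW_DOMAIN or host.endswith("." + OPENCLAW_DOMAIN)

def hunt(flow_csv: str) -> dict:
    """Return {src_host: sorted list of reasons} for flows worth triaging."""
    findings = defaultdict(set)
    for row in csv.reader(StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip malformed records rather than abort the hunt
        _ts, src, dst, port = (field.strip() for field in row)
        if is_openclaw_host(dst):
            findings[src].add("outbound:" + OPENCLAW_DOMAIN)
        if port.isdigit() and int(port) == OPENCLAW_PORT:
            findings[src].add("port:%d->%s" % (OPENCLAW_PORT, dst))
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(hunt(SAMPLE_FLOWS).items()):
        print(host, reasons)
```

A port 18789 hit on its own is a lead for triage rather than proof of an installation, since other software can use the same port; confirm on the endpoint before acting.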


Microsoft bug bypasses customers’ DLP policies

A bug in Microsoft 365 Copilot has led to the AI assistant summarising emails in contravention of customers’ corporate data loss prevention (DLP) policies. Tracked under CW1226324 and first detected on January 21, the issue relates to the Copilot ‘work tab’ chat feature. It is now reading and summarising sensitive emails in sent items and draft folders.  

Why it matters

This represents a potentially serious compliance and legal risk, especially for organisations in heavily regulated industries.

Assured’s recommended action

Monitor the Microsoft 365 admin centre for updates to CW1226324 and review Copilot logs for suspicious activity (e.g. access to sensitive content). Consider suspending or limiting use of Copilot until the issue is resolved.


Security issues highlighted at major password managers

New research has revealed vulnerabilities in four popular cloud-based password managers (PWMs) that could enable attackers to view and change victims’ passwords. The ETH Zurich study reveals 27 successful attack scenarios affecting PWMs from Bitwarden, LastPass, Dashlane and 1Password.

Why it matters

The findings challenge PWM provider claims of offering “zero-knowledge encryption” and show how attackers could steal and/or modify enterprise passwords stored in supposedly secure vaults.

Assured’s recommended action

Audit PWM use and ensure every user is on the latest version of the PWMs mentioned in the report. Always use passwords in combination with MFA for extra security. Use hardware-based keys for PWM log-ins. Consider auditing your PWM suppliers using the questions provided in the paper.
