(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – February 12, 2026
Created: Thursday, February 12, 2026 - 14:13
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Ivanti Vulnerabilities
CVSS v3.1: 9.8
CVE: CVE-2026-1340, CVE-2026-1281
Description: Both CVEs are code injection vulnerabilities in Ivanti Endpoint Manager Mobile that allow attackers to achieve unauthenticated remote code execution.
Source: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
SmarterTools SmarterMail Vulnerability
CVSS v3.1: 9.3
CVE: CVE-2026-23760
Description: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Source: https://www.smartertools.com/smartermail/release-notes/current
Rapid7 Nexpose Insecure Java Keystore Password Generation
CVSS v4.0: 6.8
CVE: CVE-2026-1814
Description: Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix ‘p’, resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.
Source: https://www.cve.org/CVERecord?id=CVE-2026-1814
Microsoft Vulnerabilities
CVSS v3.1: 6.8 – 8.8
CVEs: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533
Description: Microsoft has rolled out fixes for vulnerabilities in Windows and Office, which are under active exploitation. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Source: https://techcrunch.com/2026/02/11/microsoft-says-hackers-are-exploiting-critical-zero-day-bugs-to-target-windows-and-office-users/
