The Hard Grid Report: February 2026 Patch Tuesday
Our take on the latest Patch Tuesday notes
By: Zima Korolev | Caduceus Security Group Architecture

The February 2026 Patch Tuesday cycle is not a routine update; it is a signal of shifting infrastructure priorities. For defenders managing hybrid environments, the focus this month must move beyond the endpoint and into the core of the cloud management plane.
At Caduceus Security Group, we prioritize “Trust but Verify.” A patch is a promise; telemetry is the proof. Here is the tactical breakdown of what matters right now.
1. The Management Plane Under Fire: Azure Front Door and Azure Arc
The most critical vulnerabilities this month target the very fabric of how we distribute and manage global infrastructure.
- Azure Front Door (CVE-2026-24300): A CVSS 9.8 Elevation of Privilege (EoP). If you are using Front Door to secure your perimeter, an attacker could theoretically bypass the intended security boundaries.
- Azure Arc (CVE-2026-24302): As we bridge on-premises hardware with cloud logic, Azure Arc becomes a high-value target. This EoP allows for lateral movement into the hybrid management layer.
Tactical Action: Do not just verify the patch status. Monitor your VNet Flow Logs and Azure Activity Logs for unusual service principal activity or unauthorized administrative calls originating from Azure Front Door edge locations.
2. The Death of NTLM: Auditing the Sunset
Microsoft has officially begun the phased disablement of NTLM. This is a significant architectural shift that will break legacy systems that haven’t migrated to Kerberos.
- The Blueprint: Windows Server 2025 and Windows 11 24H2 are now enforcing enhanced auditing.
- The Risk: Attackers will likely intensify NTLM relay and “Pass-the-Hash” campaigns before the window closes permanently.
- Defensive Posture: Use this month to audit your NTLM authentication logs. Identify every legacy service still clinging to this protocol. If it isn’t Kerberos, it is a vulnerability.
3. Zero-Days in the Wild: The “Noise” in the Logs
Multiple industry roundups report six actively exploited zero-days this cycle, including a critical RDP Elevation of Privilege (CVE-2026-21533). These are the “noisy” exploits. They leave footprints in the Desktop Window Manager (DWM) and local event logs.
If your “Hard Grid” monitoring isn’t alerting on SYSTEM privilege escalations within RDP sessions via Azure Monitor or Log Analytics, your visibility is incomplete.
Cross-Cloud Correlation: The Universal Pattern
Defenders must recognize that while the nomenclature changes (VPC vs. VNet, CloudTrail vs. Activity Logs) the adversarial objective remains constant: the exploitation of identity and management planes. Whether an attack unfolds in AWS or Azure, the “machine-speed” signatures of reconnaissance and privilege escalation are functionally identical. The telemetry is the only universal language.
Conclusion: Sanare, Protegere, Restituere
We do not patch because a vendor told us to; we patch to restore the integrity of the grid. Whether you are a student at one of our upcoming workshops or a future client, remember: the data never lies. Look for the infrastructure anomaly.
Zima Korolev specializes in network topology, infrastructure anomalies, and tactical intelligence. As the lead architect for Caduceus Security Group, she provides the mathematical anchors for modern threat detection, focusing on raw telemetry, PCAP analysis, and the identification of C2 patterns within massive data pipelines. Her work centers on the principle of ‘Trust but Verify,’ ensuring that cloud security strategies are backed by defensible evidence and that infrastructure remains resilient against the most precise adversarial movements.