Microsoft’s February Patch Tuesday Fixes 6 Zero-Days Under Attack

Microsoft on Tuesday released security updates addressing 58 vulnerabilities across Windows and related products.
Among them are six zero-day flaws that the company confirmed are actively exploited.

Three of the six zero-days were publicly disclosed before patches became available. The breakdown of vulnerabilities includes:

  • 25 Elevation of Privilege
  • 12 Remote Code Execution
  • 7 Spoofing
  • 6 Information Disclosure
  • 5 Security Feature Bypass
  • 3 Denial of Service

Five of the vulnerabilities are rated Critical, with the majority classified as Important. The six actively exploited vulnerabilities span Windows, Office, and Remote Desktop components:

CVE-2026-21510 affects the Windows Shell and allows attackers to bypass SmartScreen security warnings. Users just need to click a malicious link or shortcut file, and the attacker’s code runs without any warning prompts. Microsoft’s security teams, along with Google Threat Intelligence Group and an anonymous researcher, caught this one.

“Bypassing Windows Shell and SmartScreen protections significantly increases the success rate of malware delivery and phishing campaigns,” said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. “Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching.”

CVE-2026-21513 hits the MSHTML Framework with a similar security bypass. “In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise,” explained Jack Bicer, director of vulnerability research at Action1. Even though Microsoft moved to Chromium-based Edge years ago, MSHTML still lurks in Windows shell components and third-party apps.

CVE-2026-21514 targets Microsoft Word and Office 365, bypassing protections against malicious embedded objects. The other three zero-days enable privilege escalation and service disruptions. CVE-2026-21519 exploits Desktop Window Manager to grant attackers SYSTEM-level privileges. CVE-2026-21533 does the same through Windows Remote Desktop Services.

Finally, CVE-2026-21525 affects Windows Remote Access Connection Manager, a denial-of-service flaw that ACROS Security stumbled upon while hunting for exploits in a public malware repository back in December 2025.

Walters told TechRepublic that a “simple local trigger can knock critical Windows networking services offline without warning.” He added, “Repeated exploitation could be used as a distraction or to degrade system reliability during broader attack activity.”

Federal agencies face March 3 deadline

The US Cybersecurity and Infrastructure Security Agency (CISA) has added all six vulnerabilities to its Known Exploited Vulnerabilities catalog. Federal agencies have until March 3, 2026, to patch their systems.

To put this month’s haul in perspective, Microsoft disclosed 41 zero-days across all of 2025. Six in a single month is a significant spike.

The February release patches 58 total flaws, far below the nearly 200 vulnerabilities fixed last October. But security researchers say the number of patches is irrelevant when attackers are already weaponizing a half-dozen of them. “The presence of six zero-days makes this release more urgent than the numbers alone might suggest,” Bicer said.

This Patch Tuesday also kicks off Microsoft’s rollout of updated Secure Boot certificates to replace the original 2011 versions expiring in late June 2026. The new certificates install automatically through regular Windows updates, with Microsoft using a phased approach to ensure stability.
