
Microsoft Addresses 6 Actively Exploited Zero-Days in February's Patch Tuesday

Microsoft's February Patch Tuesday release addresses 58 vulnerabilities across Windows, Office and several other products, with six zero-day flaws highlighting the monthly release.

Of the six actively exploited vulnerabilities, three are security feature bypass flaws affecting Windows Shell (CVE-2026-21510), MSHTML Framework (CVE-2026-21513) and Microsoft Word (CVE-2026-21514); they allow attackers to circumvent protection mechanisms that would normally warn users before opening malicious files.

CVE-2026-21510, rated Important with a CVSSv3 score of 8.8, enables attackers to bypass Windows SmartScreen and Windows Shell security prompts by convincing users to open a crafted link or shortcut file. The flaw was both publicly disclosed and exploited in the wild before Microsoft issued a patch.

"An attacker must send a user a malicious Office file and convince them to open it," Microsoft's advisory states for CVE-2026-21514, another security feature bypass flaw in Microsoft Word that carries a CVSSv3 score of 7.8.

CVE-2026-21513 affects the MSHTML Framework and can be triggered through malicious HTML files or shortcut files delivered via links, email attachments or downloads. Like the other security feature bypass vulnerabilities, it enables attackers to execute code without triggering standard security warnings.
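The three bypass flaws above matter because Windows relies on the Mark-of-the-Web (the Zone.Identifier alternate data stream on downloaded files) to decide whether SmartScreen, the Shell prompt and Office Protected View fire at all. The following PowerShell audit script is an added example and not code from the article or from Microsoft; it reports which files in a folder lack that mark (and would therefore open without a prompt even on a patched system), the current Explorer SmartScreen setting, and the most recently installed updates so a team can confirm the February release has landed. The scan folder, the file-type filter and the number of updates listed are assumptions chosen for illustration.

```powershell
# Added defender-side audit script (not from the article). Reports:
#   1. files in a folder that lack Mark-of-the-Web (no SmartScreen / Protected View prompt),
#   2. the Explorer SmartScreen setting,
#   3. the most recently installed Windows updates.
param(
    [string]$ScanPath      = "$env:USERPROFILE\Downloads",  # assumption: folder to inspect
    [int]   $RecentUpdates = 5                              # assumption: how many updates to list
)

function Get-MotwStatus {
    param([string]$Path)
    # Downloaded files carry a Zone.Identifier stream containing "ZoneId=3" (Internet)
    # or "ZoneId=4" (Restricted). That value is what the security prompts key on;
    # a file without the stream opens silently.
    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue | ForEach-Object {
        $zone = $null
        try {
            $content = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            $m = [regex]::Match(($content -join "`n"), 'ZoneId=(\d+)')
            if ($m.Success) { $zone = [int]$m.Groups[1].Value }
        } catch { }   # no stream: the file was never marked, or the mark was stripped
        [pscustomobject]@{
            File      = $_.Name
            Extension = $_.Extension.ToLower()
            ZoneId    = $zone
            HasMotW   = ($null -ne $zone)
        }
    }
}

function Get-SmartScreenSetting {
    # Explorer's SmartScreen value is "RequireAdmin", "Warn" or "Off".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    (Get-ItemProperty -Path $key -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
}

function Get-RecentHotfixes {
    param([int]$Count)
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

# File types the article names as delivery vehicles: shortcuts, links, HTML and Office files.
$watchedTypes = '.lnk', '.url', '.html', '.htm', '.doc', '.docx', '.docm'

"SmartScreen (Explorer): {0}" -f (Get-SmartScreenSetting)
""
"Files in $ScanPath lacking Mark-of-the-Web (would open with no SmartScreen/Protected View prompt):"
Get-MotwStatus -Path $ScanPath |
    Where-Object { -not $_.HasMotW -and $_.Extension -in $watchedTypes } |
    Format-Table File, Extension -AutoSize
""
"Most recently installed updates (compare against the February release):"
Get-RecentHotfixes -Count $RecentUpdates | Format-Table -AutoSize
```

Run it as an ordinary user for the file scan; reading the Explorer key needs no elevation. A SmartScreen value of "Off", or a large number of unmarked shortcut and HTML files in a download folder, means the prompts these three CVEs bypass were not protecting the user even before the patch.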

Two elevation of privilege vulnerabilities exploited as zero-days were also addressed this month. CVE-2026-21519 affects Desktop Window Manager and CVE-2026-21533 impacts Windows Remote Desktop Services. Both flaws allow authenticated attackers to gain SYSTEM-level privileges, though exploitation requires attackers to first establish a foothold on target systems.

The sixth actively exploited vulnerability, CVE-2026-21525, is a denial of service flaw in Windows Remote Access Connection Manager rated as Moderate with a CVSSv3 score of 6.2. The null pointer dereference vulnerability allows local attackers to create denial-of-service conditions on affected systems.

"Security features operate as gatekeepers like Heimdall protecting Asgard, protecting users from opening malicious files," said Satnam Narang, senior staff research engineer at Tenable. "Users have grown accustomed to receiving these alerts, so when vulnerabilities can bypass those protection mechanisms, users are more at risk of compromise."

Beyond the zero-days, Microsoft addressed five Critical-rated vulnerabilities this month. Three affect Azure Compute Infrastructure (ACI) Confidential Containers, including CVE-2026-24302 and CVE-2026-24300, both remote code execution flaws, and CVE-2026-21532, an elevation of privilege vulnerability. All three are marked as requiring no customer action.

The remaining Critical flaws include CVE-2026-21522, another elevation of privilege issue in ACI Confidential Containers with a CVSSv3 score of 6.7, and CVE-2026-23655, an information disclosure vulnerability that could expose sensitive tokens and keys. Both carry a CVSSv3 score of 6.5.

Tyler Reguly, associate director of security research and development at Fortra, noted the shift in patching responsibilities for cloud-based vulnerabilities. "With on-prem deployments, the vulnerability resolution process is mature – we know what patches look like, how to find unpatched software, and how to roll out the standard patch to multiple systems," Reguly said. "With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve a lot of the vulnerabilities."

The February release includes 10 Azure-related CVEs. While three require no customer action, the remaining seven demand attention from cloud operations teams.

"While February was a smaller month in terms of the number of CVEs patched at 58, it was extremely busy, with Microsoft patching six zero-day vulnerabilities," Narang said. "Of the six zero days disclosed this month, five were exploited in the wild and three were publicly disclosed ahead of a patch being available."

Security researchers credited Google Threat Intelligence Group, Microsoft Threat Intelligence Center, Microsoft Security Response Center, the Office Product Group Security Team and an anonymous researcher with discovering several of the actively exploited flaws. CrowdStrike's Advanced Research Team identified CVE-2026-21533.

The update affects all currently supported Windows versions, including systems enrolled in Extended Security Updates programs. Microsoft recommends deploying patches immediately, particularly for the actively exploited vulnerabilities that require no post-patch configuration steps.

Updates are available now through Windows Update, Windows Server Update Services and the Microsoft Update Catalog. A complete list of security bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
