Microsoft Patches 6 Actively Exploited Zero-Days in February

Executive Summary

Microsoft's latest security update, February 2026 Patch Tuesday, addresses 59 CVEs—including six zero-days currently under active exploitation across Windows and Azure environments. This threat intelligence report highlights the critical need for CISOs to rapidly assess risk exposure and ensure enterprise systems are fortified against ongoing attacks.

What Happened

Microsoft’s February 2026 Patch Tuesday release includes fixes for 59 vulnerabilities, with six zero-day flaws confirmed as actively exploited. The most significant issues span bypasses to core Windows protections, local privilege escalation exploits, and one impactful denial-of-service vulnerability. Affected components include Windows Shell, MSHTML, Microsoft Word, Remote Desktop Services, and the Azure SDK and Front Door service.

Among these, CVE-2026-21510 and CVE-2026-21513 each bypass Windows and MSHTML security features with a CVSS score of 8.8, leveraging social engineering to degrade built-in protections like SmartScreen and Office warnings. Two local privilege escalation vulnerabilities (CVE-2026-21519 impacting Desktop Window Manager and CVE-2026-21533 in Remote Desktop Services) allow attackers with limited access to gain SYSTEM-level privileges. Microsoft also patched denial-of-service in Remote Access Connection Manager and two Azure-critical CVEs rated at 9.8.

Why This Matters for CISOs

This month’s update cycle underscores the operational risk of unpatched, business-critical endpoints running outdated security mechanisms. Exploits targeting Windows SmartScreen, Office rendering engines, and Remote Desktop Services represent high-impact entry points for malware, ransomware, data theft, and lateral movement—particularly in hybrid work environments.

For organizations relying on Microsoft’s wider ecosystem, including Azure services and embedded systems with MSHTML, this release emphasizes governance gaps in patch oversight. Timely adoption of these patches is vital to mitigate both short-term exploitation and longer-term persistence mechanisms common with these attack classes.

Given the nature of active exploitation, this qualifies as a critical vulnerability alert requiring policy-level prioritization by patch management teams.

Threat & Risk Analysis

Several of the patched vulnerabilities have broad implications for attacker capability:

• CVE-2026-21510: A key vulnerability in Windows Shell allows attackers to bypass SmartScreen prompts. It requires the victim to click on a malicious link or shortcut—a typical initial attack vector for phishing or rogue document delivery.

• CVE-2026-21513: By abusing the MSHTML rendering engine, malicious HTML files or shortcut links can evade browser and Office sandbox protections. Often used in phishing kits, this flaw could degrade trust boundaries normally upheld by Office security configurations.

• CVE-2026-21514: A Microsoft Word flaw enables embedded malicious macros or objects to execute by bypassing normal validation on untrusted content—useful in attachment-based spearphishing campaigns.

• CVE-2026-21519 and CVE-2026-21533: Privilege escalation vulnerabilities that allow lateral movement or full system compromise post-access. These are tactically aligned with ransomware operator objectives and nation-state persistence playbooks.

• CVE-2026-21525: Denial-of-service targeting RasMan can interrupt VPN or remote work infrastructure availability, impacting user connectivity across enterprise systems.

• Azure Vulnerabilities (CVE-2026-21531 & CVE-2026-24300): Rated CVSS 9.8, the Azure SDK and Azure Front Door bugs could lead to cloud escalation risks if left unfixed. While no exploitation confirmed, their presence in environments handling multi-tenant workloads or public APIs demands attention.

These vulnerabilities elevate exposure for enterprises using Microsoft systems with internet-facing or employee-touch interfaces. Unpatched systems risk malware deployment, ransomware staging, data exfiltration, or full domain compromise.

Critically, the reliance on user interaction—opening links, documents, or HTML files—aligns with common spearphishing, maldoc, and watering hole tactics. As these attacks shift toward reducing friction and evading detection, bypass vulnerabilities give adversaries a stealth advantage.

For teams monitoring the evolving cyber threat landscape, these updates are a key component of daily threat briefing cycles. For more on maintaining timely visibility, read our daily cyber threat briefings.

MITRE ATT&CK Mapping

• T1203 — Exploitation for Client Execution
  Delivered files exploit MSHTML or Word processing to bypass local protections during execution.
• T1566.001 — Phishing: Spearphishing Attachment
  Word and HTML documents designed to trigger bypasses rely on luring targets.
• T1548.002 — Abuse Elevation Control Mechanism: Bypass User Account Control
  Exploits in Desktop Window Manager and RDP concentrate on SYSTEM escalation post-access.
• T1078 — Valid Accounts
  Once privilege escalation is achieved, stolen or escalated credentials can be used for persistence.
• T1499 — Endpoint Denial of Service
  CVE-2026-21525 crash of RasMan service can disrupt endpoint connectivity.
• T1204.002 — User Execution: Malicious File
  Multiple vulnerabilities initiate execution through user interaction with a crafted file or link.

Key Implications for Enterprise Security

• Security feature bypasses negate protective prompts and sandboxing—eroding trust in interactive file validation.
• Local privilege escalations pose high risk for lateral movement and ransomware payload deployment.
• Azure vulnerabilities highlight the risk of delayed patching in cloud-based CI/CD pipelines.
• Denial-of-service attack potential could impact remote access or hybrid work availability.
• Social engineering remains a reliable delivery channel—any vulnerability requiring user action remains high-risk.

Recommended Defenses & Actions

Immediate (0–24h)

• Identify all endpoints running affected Windows components or Azure SDK/Front Door services.
• Initiate emergency patch deployment windows for systems exposed to external access or high-privileged users.
• Circulate threat bulletin to user base, particularly high-risk departments, warning of document-based threats.

Short Term (1–7 days)

• Audit patch posture across distributed endpoints to close coverage gaps.
• Review Group Policy and endpoint configurations suppressing SmartScreen or Office Protected View.
• Validate that cloud integration points using Azure SDKs are patched by CI/CD or build operations teams.

Strategic (30 days)

• Conduct a security control effectiveness review for SmartScreen, Office macro policies, and RDP service exposure.
• Improve enterprise metrics reporting via patch SLAs and lateral movement simulation exercises.
• Embed comprehensive patch management strategy into security program governance with CISO oversight.

Conclusion

The February 2026 Patch Tuesday serves as a clear indicator of current adversary priorities: chaining user-based exploits with local privilege escalation to bypass layered defenses. These six zero-days show attackers adapting to enterprise hardening strategies—targeting remaining weak links through document delivery, embedded rendering engines, and under-protected privilege paths. A proactive defense posture, informed by updated cybersecurity report metrics, remains essential to stay ahead of exploitation trends.