Patch Now: Microsoft Fixed 6 Zero-Days in The Patch Tuesday Updates

Microsoft’s February 2026 Patch Tuesday addresses 58 security vulnerabilities, including six actively exploited zero-day flaws. The zero-days include security feature bypasses in Windows Shell (CVE-2026-21510), MSHTML (CVE-2026-21513), and Microsoft Word (CVE-2026-21514), as well as elevation-of-privilege flaws in Desktop Window Manager (CVE-2026-21519) and Windows Remote Desktop Services (CVE-2026-21533), and a denial-of-service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525).

Severity: High

The Six Actively Exploited Zero-Days

1. CVE-2026-21510 (CVSS Score: 8.8) – Windows Shell Security Feature Bypass

  • Allows bypass of Windows SmartScreen and Windows Shell security prompts.
  • Triggered by opening a malicious link or shortcut file.
  • Impacts all supported Windows versions.
  • Likely enables bypass of Mark-of-the-Web (MoTW) protections.

2. CVE-2026-21513 (CVSS Score: 8.8) – MSHTML Security Feature Bypass

  • Affects the legacy browser rendering engine in Windows.
  • Allows bypass of security mechanisms over a network by tricking a user into opening a malicious HTML file or shortcut (.lnk) file.
  • Actively exploited; no exploitation details publicly released.

3. CVE-2026-21514 (CVSS Score: 7.8) – Microsoft Word Security Feature Bypass

  • Allows bypass of OLE mitigations in Microsoft 365 and Office.
  • Exploitation requires the user to open a malicious Office file.
  • Cannot be exploited via Preview Pane.

4. CVE-2026-21519 (CVSS Score: 7.8) – Desktop Window Manager Elevation of Privilege

  • DWM is a core Windows graphical component. Allows attackers to escalate to SYSTEM privileges.
  • This bug is actively exploited and can be paired with a code execution bug to take over a system.

5. CVE-2026-21525 (CVSS Score: 6.2) – Windows Remote Access Connection Manager DoS

  • A null pointer dereference vulnerability.
  • An unauthorized attacker can cause a local denial of service, impacting VPN connectivity.
  • Exploit was discovered in a public malware repository by Kolsek while searching for an exploit for CVE-2025-59230.

6. CVE-2026-21533 (CVSS Score: 7.8) – Windows Remote Desktop Services EoP

  • Allows authorized attackers to elevate privileges locally.
  • Exploit binary modifies service configuration keys and enables actors to add a new user to the Administrator group.

Additional High-Risk Areas

Beyond the zero-days, Microsoft patched:

  • 12 Remote Code Execution vulnerabilities
  • 25 Elevation of Privilege vulnerabilities
  • 5 Security Feature Bypass vulnerabilities
  • Multiple Azure, Hyper-V, Kernel, Exchange, and Office flaws

Critical Azure-related vulnerabilities include privilege escalation and information disclosure issues affecting Azure Arc, Azure Front Door, and Azure Function.
GitHub Copilot and IDE-related RCE vulnerabilities (CVE-2026-21516, CVE-2026-21523, CVE-2026-21256) stem from command injection and prompt injection risks within AI-assisted development workflows.

Recommendations

  1. Deploy February 2026 cumulative updates across all Windows endpoints and servers.
  2. Prioritize systems exposed to internet-facing RDP, VPN, and Office usage.
  3. Restrict RDP exposure via firewall rules and conditional access.
  4. Review AI-assisted coding workflows.
  5. Enforce least privilege for developers using GitHub Copilot and related IDE integrations.
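
A per-host check for recommendations 1 to 3, added here as an example and not taken from the advisory or from Microsoft. It assumes a release date of 10 February 2026 (the second Tuesday of the month) and the English "Remote Desktop" firewall group name; the function name is hypothetical.

```powershell
# Added example (not from the advisory): per-host audit for recommendations 1-3.
# Assumption: release date 2026-02-10, the second Tuesday of February 2026.
$ReleaseDate = [datetime]'2026-02-10'

function Get-PatchTuesdayAudit {
    param([datetime]$Baseline = $ReleaseDate)

    # Get-HotFix can return entries with an empty InstalledOn; skip those.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # Enabled inbound allow rules in the "Remote Desktop" group (English display
    # name) that accept any remote address, i.e. have no source restriction.
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

    # RasMan is the Remote Access Connection Manager service used for VPN/dial-up.
    $rasman = Get-Service -Name RasMan -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LatestHotFix        = $latest.HotFixID
        LatestInstalledOn   = $latest.InstalledOn
        # False means nothing was installed since the release date: patch missing.
        # True still needs confirming against the KB for this OS build.
        UpdatedSinceRelease = [bool]($latest -and $latest.InstalledOn -ge $Baseline)
        RdpEnabled          = $rdpEnabled
        RdpRulesOpenToAny   = $openRules.DisplayName
        RasManStatus        = $rasman.Status
    }
}

Get-PatchTuesdayAudit | Format-List
```

Hosts that report `UpdatedSinceRelease` as False together with `RdpEnabled` True and a non-empty `RdpRulesOpenToAny` belong at the front of the patching queue.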

Source:

  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21510
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21513
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21514
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21519
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21525
  • https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21533
  • https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/
  • https://www.zerodayinitiative.com/blog/2026/2/10/the-february-2026-security-update-review
  • https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/
