Microsoft Patches Six Zero-Days Attackers Were Already Exploiting
Microsoft fixes six actively exploited zero-day vulnerabilities affecting Windows Shell, Remote Desktop, and Office applications in a critical February 2026 security update.

Microsoft released its February 2026 Patch Tuesday updates on February 10, fixing 54 vulnerabilities across Windows, Office, Azure, and other products.
What makes this update different?
Six of those flaws are zero-days that attackers were actively exploiting before patches existed. Security researchers from CrowdStrike, Google Threat Intelligence Group, and Acros Security discovered the flaws—some by spotting them in live attacks.
The February patch fixes 54 security flaws total: two critical, 51 important, and one moderate. Elevation of privilege bugs make up almost half the list. But the six actively exploited zero-days deserve immediate attention.
CVE-2026-21510 (CVSS 8.8) hits Windows Shell. Attackers bypass Windows SmartScreen and Shell security prompts through improper handling in Windows Shell components. Translation: malicious files run without any warning to the user. All an attacker needs is for someone to click a link or open a shortcut.
CVE-2026-21513 (CVSS 8.8) breaks MSHTML/Internet Explorer security controls. Attackers send malicious HTML or shortcut files, and the browser engine lets them through.
CVE-2026-21514 (CVSS 7.8) bypasses OLE protections in Microsoft Word. Open a weaponized document, and Office's built-in defenses don't fire.
CVE-2026-21519 (CVSS 7.8) affects Desktop Window Manager—the service that renders Windows' visual interface. Microsoft's own researchers found this one. Local attackers escalate to SYSTEM privileges, which means full control.
CVE-2026-21533 (CVSS 7.8) targets Windows Remote Desktop Services. CrowdStrike found that attackers were modifying service configuration keys to escalate privileges and add new users to the Administrator group. They spotted exploitation dating back to at least December 24, 2025.
CVE-2026-21525 (CVSS 6.2) crashes Windows Remote Access Connection Manager on demand. Acros Security found the exploit sitting in a public malware repository, meaning it's been floating around for anyone to grab.
The Windows Shell bypass makes phishing campaigns far more effective—no security warnings means users have no reason to stop and think twice. That's bad news for anyone who relies on those prompts to catch suspicious files.
The Remote Desktop Services privilege escalation is worse for enterprises. RDP is everywhere in corporate networks for remote administration. An attacker who gets in through phishing (or any other initial access method) can leverage CVE-2026-21533 to escalate privileges, move sideways through the network, and dig in for the long haul.
The Remote Access Connection Manager (RasMan) denial-of-service flaw, CVE-2026-21525, creates specific problems for organizations running always-on VPN connections. When the VPN service crashes, endpoints configured with "fail close" policies lose all network access. IT can't reach those machines to patch them or run automation. In large environments, that's a cascading failure that takes hours to untangle.
Deploy the February 2026 Patch Tuesday updates now. Start with systems running Remote Desktop Services, VPN infrastructure, and any Windows devices exposed to the internet.
Test patches in a staging environment first if you can—no one wants to fix six zero-days only to break production systems. But don't let testing slow you down too much. These flaws are already being exploited.
Check your Azure and Office configurations. Look through security logs for signs of privilege escalation or unusual administrator account creation. Some of these vulnerabilities need social engineering to work, so remind users (again) to be careful about opening unexpected files and clicking suspicious links.
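One way to run that log review on a Windows host, as an added example that is not from Microsoft or CrowdStrike: it lists every addition to the local Administrators group since the earliest exploitation date reported above and pairs each with the creation event of the added account. The event IDs (4720, 4732), the helper name `ConvertTo-AuditRecord` and the look-back window are this example's choices; it is a generic hunt for the behaviour described, not a signature for CVE-2026-21533.

```powershell
# Added example. Assumes an elevated session and that the "Audit User Account
# Management" and "Audit Security Group Management" subcategories are enabled.
$since     = [datetime]'2025-12-24'   # earliest exploitation date reported above
$adminsSid = 'S-1-5-32-544'           # well-known SID of BUILTIN\Administrators

function ConvertTo-AuditRecord {
    param([Parameter(Mandatory)] $Record)
    # Read EventData fields by name from the XML rather than by position.
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        Id        = $Record.Id
        Actor     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Target    = $data.TargetUserName  # 4720: new account, 4732: group name
        TargetSid = $data.TargetSid       # 4720: account SID, 4732: group SID
        MemberSid = $data.MemberSid       # 4732 only: SID that was added
    }
}

# 4720 = user account created, 4732 = member added to a local security group
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-AuditRecord $_ })

# Index account creations by SID so each group addition can be matched to one.
$created = @{}
foreach ($e in $events) { if ($e.Id -eq 4720) { $created[$e.TargetSid] = $e } }

$events |
    Where-Object { $_.Id -eq 4732 -and $_.TargetSid -eq $adminsSid } |
    Sort-Object Time |
    ForEach-Object {
        $new = $created[$_.MemberSid]   # $null if the account predates $since
        [pscustomobject]@{
            AddedAt          = $_.Time
            AddedBy          = $_.Actor
            MemberSid        = $_.MemberSid
            AccountName      = if ($new) { $new.Target }
            AccountCreatedAt = if ($new) { $new.Time }
            AccountCreatedBy = if ($new) { $new.Actor }
        }
    } | Format-Table -AutoSize
```

An addition whose account was also created inside the window, especially by an unexpected actor, is the pattern to review first.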
Microsoft also started rolling out updated Secure Boot certificates to replace the 2011 versions expiring in June 2026. That's another reason to get these updates installed sooner rather than later.
