Microsoft Patch Tuesday February 2026: Critical Update Fixes 6 Zero-Day Vulnerabilities Under Attack

Microsoft has released its February 2026 Patch Tuesday updates, addressing a concerning security landscape with fixes for 58 vulnerabilities across Windows, Office, and other products. Most critically, the Microsoft Patch Tuesday February 2026 release patches six zero-day vulnerabilities that were already being actively exploited by attackers in the wild before fixes became available—representing one of the most serious Patch Tuesday releases in recent memory.

What is Microsoft Patch Tuesday February 2026?

The Microsoft Patch Tuesday February 2026 security update, released on February 10, marks the company’s monthly security maintenance cycle. This particular release stands out due to the unprecedented number of actively exploited zero-days—vulnerabilities that hackers were already using to compromise systems before Microsoft could deploy patches.

According to BleepingComputer, the 58 fixed vulnerabilities break down into critical categories: 5 rated “Critical” severity, 52 “Important,” with types ranging from elevation of privilege flaws to remote code execution risks. Three of the six zero-days were also publicly disclosed before patches were available, meaning attackers had access to technical details about how to exploit them.

SecurityWeek reports that Microsoft defines a zero-day as either publicly disclosed or actively exploited while no official fix exists. Having six zero-days in a single monthly release signals sophisticated attack campaigns targeting Windows systems globally.

The Six Zero-Day Vulnerabilities Explained

The Microsoft Patch Tuesday February 2026 addresses these six actively exploited zero-days:

• CVE-2026-21510 – Windows Shell Security Feature Bypass: This vulnerability allows attackers to bypass Windows SmartScreen and Windows Shell security prompts. By convincing users to open specially crafted links or shortcut files, attackers can execute malicious content without triggering security warnings. According to Krebs on Security, this flaw affects all currently supported Windows versions and likely allows bypass of the Mark of the Web (MoTW) security mechanism that protects users from potentially dangerous downloaded files.
• CVE-2026-21513 – MSHTML Framework Security Feature Bypass: Targeting the proprietary browser engine in Windows Internet Explorer, this zero-day allows attackers to bypass security controls. Exploitation requires convincing victims to open malicious HTML or shortcut (.lnk) files crafted to manipulate browser and Windows Shell handling. Microsoft attributes discovery to its own Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Security Team, and Google Threat Intelligence Group—suggesting coordinated investigation of ongoing attacks.
• CVE-2026-21514 – Microsoft Word Security Feature Bypass: Similar to CVE-2026-21513, this Word vulnerability allows attackers to bypass OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Office. Exploitation requires tricking users into opening malicious Office files. Notably, Microsoft recently released an emergency update for a similar Word vulnerability, indicating threat actors are actively targeting Office documents as attack vectors.
• CVE-2026-21519 – Desktop Window Manager Elevation of Privilege: This type confusion flaw in Desktop Window Manager grants attackers SYSTEM-level privileges on already compromised systems. Local attackers who have gained initial access can exploit this to elevate their permissions to the highest level, enabling them to install programs, view all data, create new administrator accounts, and completely control affected systems.
• CVE-2026-21525 – Windows Remote Access Connection Manager DoS: Discovered by the 0patch research team in a public malware repository, this vulnerability triggers a null pointer dereference that crashes the Remote Access Connection Manager service. According to Help Net Security, attackers with standard non-admin user access can run a simple script that crashes VPN connections, creating significant disruption for organizations relying on always-on VPN infrastructure. The attack requires no elevated privileges and can disconnect endpoints configured with “fail close” policies, preventing IT teams from reaching machines to apply patches.
• CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege: CrowdStrike researchers discovered this critical flaw affecting Windows Remote Desktop Services. The exploit modifies service configuration keys, replacing them with attacker-controlled keys that enable privilege escalation to add new users to the Administrator group. CrowdStrike reported finding exploit binaries for this vulnerability, suggesting professional development and imminent widespread use.

Additional Critical Vulnerabilities

Beyond the six zero-days, Microsoft Patch Tuesday February 2026 addresses five Critical-severity vulnerabilities not currently exploited but requiring urgent attention:

• 3 Elevation of Privilege vulnerabilities allowing attackers to gain higher system privileges
• 2 Information Disclosure vulnerabilities enabling unauthorized access to sensitive data

The remaining vulnerabilities span categories including remote code execution (12 total), spoofing (7), information disclosure (6 beyond the Critical ones), security feature bypass (5), and denial of service (3).

Who Discovered These Vulnerabilities?

The coordinated discovery of multiple zero-days by Microsoft’s own security teams alongside Google Threat Intelligence Group suggests sophisticated, organized attack campaigns. When multiple security research organizations simultaneously identify related vulnerabilities being exploited, it typically indicates well-resourced threat actors—possibly nation-state groups or advanced persistent threat (APT) organizations—conducting coordinated campaigns.

According to Qualys, the fact that three zero-days were publicly disclosed before patches became available increases urgency exponentially. Public disclosure means technical details about exploiting these flaws are available to any attacker, not just the original discoverers.

Secure Boot Certificate Updates

The Microsoft Patch Tuesday February 2026 also begins rolling out updated Secure Boot certificates to replace the original 2011 certificates expiring in late June 2026. According to the Windows 11 update notes, Microsoft is implementing a phased rollout approach.

“With this update, Windows quality updates include targeting data that identifies devices and their ability to receive new Secure Boot certificates,” Microsoft explains. “Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensure a safe rollout.”

Secure Boot protects systems from malicious bootloaders and rootkits by verifying that only trusted operating system loaders execute during startup. If these certificates expire without replacement, startup security protections would weaken, potentially allowing sophisticated malware to infect systems at the firmware level.

Impact on Enterprise and Individual Users

For enterprises, the Microsoft Patch Tuesday February 2026 represents an emergency-level security event requiring accelerated deployment. Organizations face immediate risks across multiple attack vectors:

• Phishing Campaigns: CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 can all be exploited through social engineering—sending users malicious links or files disguised as legitimate documents. Email filtering and user training become critical defenses while patches roll out.
• Privilege Escalation Attacks: CVE-2026-21519 and CVE-2026-21533 allow attackers who gain initial access through other means to escalate privileges and take complete control. This compounds the risk of successful phishing or vulnerability exploitation elsewhere in the network.
• VPN Disruption: CVE-2026-21525 poses unique operational risks for remote workforces. Automox Security Manager Ryan Braunstein warns that in larger environments, crashing the Remote Access Connection Manager service creates cascading failures taking hours to resolve. Organizations where endpoints lose network access entirely when VPNs crash face particularly acute risk, as IT can’t remotely patch affected machines.
• For individual users, the greatest risks come from security feature bypasses. These vulnerabilities defeat the built-in protections that normally warn when opening suspicious files or clicking dangerous links. Users accustomed to trusting Windows security warnings may unknowingly execute malware.

How to Apply Microsoft Patch Tuesday February 2026 Updates

For Individual Users:

1. Navigate to Settings > Windows Update
2. Click “Check for updates”
3. Install all available updates, including optional updates
4. Restart your computer to complete installation

Windows 10 and Windows 11 both receive automatic updates by default, but users who have disabled auto-updates must manually install these critical patches.

For Enterprise Administrators:

According to SANS Internet Storm Center, enterprises should:

1. Prioritize systems exposed to phishing, remote desktop, or high-risk email traffic
2. Test patches in staging environments before broad deployment
3. Use Windows Server Update Services (WSUS) or similar tools for controlled rollout
4. Monitor Microsoft Security Response Center for any issues or patch revisions

AskWoody.com often has early reports about problematic updates, helping administrators identify potential compatibility issues before widespread deployment.

Other Vendors’ February 2026 Updates

Microsoft wasn’t alone in releasing security updates this month:

• Adobe: Released security updates for Audition, After Effects, InDesign, Substance 3D, Lightroom Classic, and other software. None of the addressed flaws were actively exploited, according to Adobe Security Bulletin.
• BeyondTrust: Fixed a critical remote code execution flaw in Remote Support (RS) and Privileged Remote Access (PRA) software.
• CISA: Issued a new binding operational directive requiring federal agencies to remove network edge devices that have reached end of support—highlighting the security risks of outdated infrastructure.
• Cisco: Released security updates for Secure Web Appliance, Cisco Meeting Management, and other products. Separately, Cisco announced new AI networking chips.
• Fortinet: Patched vulnerabilities in FortiOS and FortiSandbox.
• Google: Released Android’s February security bulletin, which included no security fixes—a maintenance release only.
• n8n: Fixed critical vulnerabilities acting as a patch bypass for the previously fixed CVE-2025-68613 RCE flaw.

Historical Context: February Follows Difficult January

The Microsoft Patch Tuesday February 2026 comes after an exceptionally challenging January 2026 that saw 114 vulnerabilities patched—one of the largest January releases in Microsoft history. That release included 8 critical vulnerabilities and 3 zero-days, one of which (CVE-2026-20805 Desktop Window Manager) was actively exploited and added to CISA’s Known Exploited Vulnerabilities catalog.

The back-to-back months with high zero-day counts suggest 2026 may be a particularly active year for Windows-targeting threat actors. Security researchers and analysts are watching closely for patterns indicating coordinated campaigns or new techniques being deployed at scale.

Mitigation for Organizations That Can’t Patch Immediately

Not every organization can deploy patches immediately due to operational constraints. Qualys TruRisk™ Eliminate enables security teams to apply mitigation controls that immediately lower exposure and reduce risk scores even before patches are applied.

According to Qualys, they’ve created mitigations for 34 of the February 2026 vulnerabilities, including all six actively exploited zero-days. These mitigations don’t replace patching but provide temporary protection while organizations complete testing and deployment.

Additional interim protections include:

• Restricting admin privileges to limit elevation of privilege attacks
• Implementing application whitelisting to block unauthorized executables
• Enhancing email filtering to catch phishing attempts
• Monitoring for suspicious RDP and VPN activity
• Segmenting networks to contain potential breaches

Expert Analysis and Recommendations

Tyler Reguly, Associate Director at Fortra, told Cybersecurity News: “On first pass, this month looks pretty reasonable – 60 CVEs. When you look a little more closely, you start to realize that there is a lot going on here. We can’t ignore the fact that there are 6 actively exploited vulnerabilities. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected.”

The concentration of zero-days in core Windows components—Shell, MSHTML, Desktop Window Manager, Remote Desktop Services—indicates attackers are targeting fundamental operating system functionality rather than obscure features. This suggests well-researched campaigns designed for maximum impact.

Acros Security CEO Mitja Kolsek noted regarding CVE-2026-21525: “We found an exploit for this issue in December 2025 in a public malware repository while searching for an exploit for CVE-2025-59230. This issue turned out to be a 0day at the time, so we patched it and reported it to Microsoft. The quality of the combined exploit for both issues suggested professional work.”

This revelation that exploit code was circulating in malware repositories before Microsoft’s patch underscores the importance of threat intelligence and proactive security monitoring.

Looking Ahead: What This Means for 2026

The Microsoft Patch Tuesday February 2026 sets a concerning tone for the year. With 6 actively exploited zero-days in February following 3 in January, organizations must prepare for an elevated threat landscape throughout 2026.

Key takeaways for security teams:

• Patch Velocity Matters: The time between patch availability and deployment directly correlates with risk. Organizations with faster patch cycles face shorter exposure windows.
• Defense in Depth is Essential: No single security control prevents all attacks. Layered defenses—endpoint protection, network segmentation, user training, application whitelisting—compensate when one layer fails.
• Threat Intelligence Drives Prioritization: Understanding which vulnerabilities are actively exploited helps security teams prioritize limited resources effectively.
• Zero-Days Will Continue: As defensive capabilities improve, sophisticated attackers increasingly rely on zero-day exploits. Organizations should assume zero-days exist and build resilience accordingly.

Conclusion: Urgent Action Required

The Microsoft Patch Tuesday February 2026 represents one of the most critical security events in recent Windows history. With 6 actively exploited zero-day vulnerabilities affecting core Windows components, Office applications, and system security features, organizations face immediate and serious threats.

The coordination between Microsoft’s Threat Intelligence Center, Security Response Center, Office Security Team, and Google’s Threat Intelligence Group in discovering these vulnerabilities suggests sophisticated attack campaigns may be underway. The fact that 3 of these zero-days were publicly disclosed before patches were available further increases urgency.

The silver lining is that Microsoft has now released patches for all 6 actively exploited vulnerabilities. Organizations that deploy rapidly can close these attack vectors before threat actors expand their campaigns. Individual users should install updates immediately, and enterprises should treat this as an emergency security event requiring accelerated deployment timelines.

As we progress through 2026, the frequency and severity of zero-day vulnerabilities remind us that cybersecurity is not a solved problem but an ongoing challenge requiring constant vigilance, rapid response, and comprehensive defense strategies.

Stay vigilant, deploy urgently but carefully, and keep your security teams on high alert. This is one Patch Tuesday that demands immediate and full attention.

 

Read more tech related articles here.