Microsoft’s February 2026 Patch Tuesday updates fix roughly 60 vulnerabilities found in the company’s products, including six actively exploited zero-days.
The zero-days are:
- CVE-2026-21510: a bypass of Windows SmartScreen and Windows Shell security prompts that can be exploited by convincing the targeted user to open a malicious link or shortcut file.
- CVE-2026-21514: a vulnerability that allows an attacker to bypass OLE mitigations in Microsoft 365 and Office by tricking the target into opening a malicious Office file.
- CVE-2026-21513: an Internet Explorer issue that allows an attacker to bypass security controls and potentially execute code by convincing the victim to open a malicious HTML or LNK file.
- CVE-2026-21519: a Windows Desktop Window Manager flaw that can be exploited by a local attacker for privilege escalation.
- CVE-2026-21533: a Windows Remote Desktop Services vulnerability that allows an attacker to escalate privileges to System.
- CVE-2026-21525: a Windows Remote Access Connection Manager bug that can be exploited for local DoS attacks.
There appears to be no public information about attacks exploiting these zero-days.
However, it’s worth noting that Microsoft credited Google Threat Intelligence Group (GTIG), its own security teams, and an anonymous researcher for the discovery of both CVE-2026-21510 and CVE-2026-21514. CVE-2026-21513 was discovered by Microsoft and GTIG.
This suggests that some of these vulnerabilities may have been exploited by the same threat actors or in the same attacks. Google has been tracking attacks conducted by commercial spyware vendors, state-sponsored APTs, and profit-driven cybercriminals, but nation-state hackers are often behind campaigns involving these types of zero-days.
CVE-2026-21510, CVE-2026-21514 and CVE-2026-21513 are all flagged as ‘publicly disclosed’ in Microsoft’s advisories.
CVE-2026-21519 was discovered by Microsoft’s own researchers. The tech giant has credited the cybersecurity firm CrowdStrike with the discovery of CVE-2026-21533 and Acros Security with CVE-2026-21525.
SecurityWeek has reached out to both Acros and CrowdStrike for information on the attacks exploiting the zero-days and will update this article if they respond.
In addition to Windows and Office, Microsoft has patched vulnerabilities in Azure, Windows Defender, Exchange Server, .NET, GitHub Copilot, Edge, and Power BI.

