Microsoft Fixes 59 Vulnerabilities, Including Six Under Active Exploitation

Patching it up.
Lily Morris
Contributing Writer

Microsoft’s February 2026 Patch Tuesday addresses 59 vulnerabilities across its software portfolio, including 6 zero-days confirmed as exploited in the wild.

Of the total, 5 are rated Critical, 52 Important, and 2 Moderate.

Privilege escalation flaws account for 25 patches, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial of service (3), and cross-site scripting (1).

The exploited vulnerabilities affect Windows Shell, the MSHTML framework, Microsoft Office Word, Desktop Window Manager, Windows Remote Desktop, and the Remote Access Connection Manager.

Google Threat Intelligence Group and Microsoft security teams reported the first 3, which were publicly known at the time of release.

CISA has added all 6 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply patches by March 3, 2026.

Why It Matters: These vulnerabilities are already being used in attacks and now carry formal remediation deadlines under CISA’s KEV program. For organizations that align vulnerability management with federal guidance or related industry benchmarks, this raises patch priority and shortens acceptable remediation timelines.

  • 6 Zero-Days Confirm Active Exploitation Across Key Windows Components: The exploited flaws include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, with CVSS scores ranging from 6.2 to 8.8. They affect components responsible for file handling, web content rendering, desktop management, and remote connectivity. Confirmed use in real-world attacks increases risk for unpatched systems and introduces compliance deadlines through CISA’s KEV catalog.
  • Security Feature Bypass Weakens File and Web-Based Trust Controls: CVE-2026-21513 in MSHTML allows crafted HTML files to bypass execution prompts, while CVE-2026-21514 in Microsoft Word enables similar behavior through malicious Office documents. CVE-2026-21510 in Windows Shell involves a related protection failure. Researchers say these flaws reduce the reliability of built-in warning prompts designed to prevent unintended execution of untrusted content.
  • Local Privilege Escalation Can Lead to SYSTEM Access: CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop allow attackers with existing access to elevate privileges locally. CrowdStrike reported that exploitation of CVE-2026-21533 involves modifying a service configuration registry key and replacing it with an attacker-controlled value, potentially enabling the addition of a user to the Administrator group and granting high-level system control.
  • Denial-of-Service and Remote Access Issues Expand the Attack Surface: CVE-2026-21525 involves a null pointer dereference in the Windows Remote Access Connection Manager that can allow local denial of service. The flaw was linked to research from ACROS Security’s 0patch service during analysis of a related vulnerability discovered in late 2025. These issues point to ongoing risks in components tied to remote connectivity and access management.
  • Edge Updates and Secure Boot Certificate Changes Add Long-Term Considerations: In addition to the 59 patches, Microsoft addressed 3 Edge browser vulnerabilities since January, including CVE-2026-0391, a Moderate spoofing issue affecting Edge for Android due to user interface misrepresentation. The company is also deploying updated Secure Boot certificates to replace 2011 certificates that expire in June 2026. Systems that do not install the new certificates will continue operating, but will not receive future boot-level security mitigations. Microsoft also announced Windows Baseline Security Mode and User Transparency and Consent to strengthen default runtime integrity enforcement and improve visibility into application access to sensitive resources.
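An added example (not from the article, Microsoft, or CISA) of how the KEV deadline can drive patch prioritization: it matches a scanner's open findings against KEV-style records and ranks them by days remaining. The host names, inventory, `component` field and `kev_backlog` function are constructed for illustration; the CVE IDs, components and due date come from the article.

```python
from datetime import date

# Constructed records. "cveID" and "dueDate" follow the KEV catalog's field
# names; "component" is the affected component as named in the article.
KEV_ENTRIES = [
    {"cveID": "CVE-2026-21510", "component": "Windows Shell", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21513", "component": "MSHTML", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21514", "component": "Microsoft Office Word", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21519", "component": "Desktop Window Manager", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21525", "component": "Remote Access Connection Manager", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21533", "component": "Windows Remote Desktop", "dueDate": "2026-03-03"},
]

# Constructed inventory: host -> CVEs a scanner still reports as unpatched.
# CVE-2026-0391 (Edge for Android) is not among the six KEV entries.
INVENTORY = {
    "ws-finance-01": {"CVE-2026-21513", "CVE-2026-21514", "CVE-2026-0391"},
    "rdp-gateway-02": {"CVE-2026-21533", "CVE-2026-21525"},
    "build-agent-03": set(),
}

def kev_backlog(inventory, kev_entries, today, warn_days=7):
    """Return KEV-listed open findings, most urgent first."""
    kev = {entry["cveID"]: entry for entry in kev_entries}
    rows = []
    for host, open_cves in inventory.items():
        # Only findings that appear in the KEV records carry a deadline.
        for cve in open_cves & set(kev):
            due = date.fromisoformat(kev[cve]["dueDate"])
            days_left = (due - today).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= warn_days:
                status = "DUE_SOON"
            else:
                status = "OPEN"
            rows.append({"host": host, "cve": cve, "status": status,
                         "component": kev[cve]["component"],
                         "days_left": days_left})
    rows.sort(key=lambda r: (r["days_left"], r["host"], r["cve"]))
    return rows

if __name__ == "__main__":
    for row in kev_backlog(INVENTORY, KEV_ENTRIES, date(2026, 2, 27)):
        print(f'{row["status"]:9} {row["days_left"]:>3}d  {row["host"]:15} '
              f'{row["cve"]}  ({row["component"]})')
```
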

Go Deeper -> Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days – The Hacker News
