6 Actively Exploited Zero-Days Patched by Microsoft With February 2026 Updates

Microsoft’s Patch Tuesday updates fix roughly 60 vulnerabilities found in the company’s products.

Microsoft’s February 2026 Patch Tuesday updates fix roughly 60 vulnerabilities found in the company’s products, including six actively exploited zero-days.

The zero-days are:

  • CVE-2026-21510: a bypass of Windows SmartScreen and Windows Shell security prompts that can be exploited by convincing the targeted user to open a malicious link or shortcut file.
  • CVE-2026-21514: a vulnerability that allows an attacker to bypass OLE mitigations in Microsoft 365 and Office by tricking the target into opening a malicious Office file.
  • CVE-2026-21513: an Internet Explorer issue that allows an attacker to bypass security controls and potentially execute code by convincing the victim to open a malicious HTML or LNK file.
  • CVE-2026-21519: a Windows Desktop Window Manager flaw that can be exploited by a local attacker for privilege escalation.
  • CVE-2026-21533: a Windows Remote Desktop Services vulnerability that allows an attacker to escalate privileges to System.
  • CVE-2026-21525: a Windows Remote Access Connection Manager bug that can be exploited for local DoS attacks.

There appears to be no public information about attacks exploiting these zero-days.

However, it’s worth noting that Microsoft credited Google Threat Intelligence Group (GTIG), its own security teams, and an anonymous researcher with the discovery of both CVE-2026-21510 and CVE-2026-21514. CVE-2026-21513 was discovered by Microsoft and GTIG.

This suggests that some of these vulnerabilities may have been exploited by the same threat actors or in the same attacks. Google has been tracking attacks conducted by commercial spyware vendors, state-sponsored APTs, and profit-driven cybercriminals, but nation-state hackers are often behind campaigns involving these types of zero-days.

CVE-2026-21510, CVE-2026-21514 and CVE-2026-21513 are all flagged as ‘publicly disclosed’ in Microsoft’s advisories.

CVE-2026-21519 was discovered by Microsoft’s own researchers. The tech giant has credited the cybersecurity firm CrowdStrike with the discovery of CVE-2026-21533 and Acros Security with CVE-2026-21525.

SecurityWeek has reached out to both Acros and CrowdStrike for information on the attacks exploiting the zero-days and will update this article if they respond.

In addition to Windows and Office, Microsoft has patched vulnerabilities in Azure, Windows Defender, Exchange Server, .NET, GitHub Copilot, Edge, and Power BI. 

UPDATE: CISA has added the six zero-days to its KEV catalog.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, told SecurityWeek, “The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group. While CrowdStrike does not currently attribute this activity to a specific target or adversary, threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.”

Mitja Kolsek, CEO of Acros Security, told SecurityWeek, “We found an exploit for this issue in December 2025 in a public malware repository while searching for an exploit for CVE-2025-59230. This issue turned out to be a 0day at the time, so we patched it and reported it to Microsoft. We don’t have any information on it having been exploited, but the quality of the combined exploit for both issues suggested professional work.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
