Microsoft on Tuesday launched safety updates addressing 58 vulnerabilities throughout Home windows and associated merchandise.
Amongst them are six zero-day flaws that the corporate confirmed are actively exploited. Three of these have been publicly disclosed earlier than patches grew to become accessible. The breakdown of vulnerabilities consists of:
- 25 Elevation of Privilege
- 12 Distant Code Execution
- 7 Spoofing
- 6 Data Disclosure
- 5 Safety Characteristic Bypass
- 3 Denial of Service
5 of the vulnerabilities are rated Crucial, with the bulk categorized as Essential. The six actively exploited vulnerabilities span throughout Home windows, Workplace, and Distant Desktop elements:
CVE-2026-21510 impacts the Home windows Shell and permits attackers to bypass SmartScreen safety warnings. Customers simply must click on a malicious hyperlink or shortcut file, and the attacker’s code runs with none warning prompts. Microsoft’s safety groups, together with Google Risk Intelligence Group and an nameless researcher, caught this one.
“Bypassing Home windows Shell and SmartScreen protections considerably will increase the success price of malware supply and phishing campaigns,” mentioned Mike Walters, president and co-founder of Action1, in an e-mail to TechRepublic.“As a result of Home windows Shell is a core part utilized by almost all customers, the assault floor is broad and tough to totally limit with out patching.”
CVE-2026-21513 hits the MSHTML Framework with an analogous safety bypass. “In enterprise environments, this flaw can result in unauthorized code execution, malware deployment, credential theft, and system compromise,” defined Jack Bicer, director of vulnerability analysis at Action1. Despite the fact that Microsoft moved to Chromium-based Edge years in the past, MSHTML nonetheless lurks in Home windows shell elements and third-party apps.
CVE-2026-21514 targets Microsoft Phrase and Workplace 365, bypassing protections in opposition to malicious embedded objects. The opposite three zero-days allow privilege escalation and repair disruptions. CVE-2026-21519 exploits Desktop Window Supervisor to grant attackers SYSTEM-level privileges. CVE-2026-21533 does the identical by way of Home windows Distant Desktop Providers.
Lastly, CVE-2026-21525 impacts Home windows Distant Entry Connection Supervisor, a denial-of-service flaw that ACROS Safety stumbled upon whereas attempting to find exploits in a public malware repository again in December 2025.
Walters instructed TechRepublic {that a} “easy native set off can knock essential Home windows networking providers offline with out warning.” He added, “Repeated exploitation might be used as a distraction or to degrade system reliability throughout broader assault exercise.”
Federal businesses face March 3 deadline
The US Cybersecurity and Infrastructure Safety Company (CISA) has now added all six vulnerabilities to its Recognized Exploited Vulnerabilities catalog. Federal businesses now have till March 3, 2026, to patch their techniques.
To place this month’s haul in perspective, Microsoft disclosed 41 zero-days throughout all of 2025. Six in a single month is a big spike.
The February launch patches 58 complete flaws, far beneath the almost 200 vulnerabilities mounted final October. However safety researchers say the variety of patches is irrelevant when attackers are already weaponizing a half-dozen of them. “The presence of six zero-days makes this launch extra pressing than the numbers alone would possibly recommend,” Bicer mentioned.
This Patch Tuesday additionally kicks off Microsoft’s rollout of up to date Safe Boot certificates to switch the unique 2011 variations expiring in late June 2026. The brand new certificates set up robotically by way of common Home windows updates, with Microsoft utilizing a phased strategy to make sure stability.
For extra on how attackers are concentrating on Home windows networking providers, learn our full breakdown of the RasMan VPN vulnerability and what it means for enterprise safety.
