Microsoft February 2026 Patch Tuesday Addresses Six Actively Exploited Zero-Days
This Patch Tuesday release from Microsoft patches 60 vulnerabilities, with six confirmed as actively exploited, including security feature bypasses and privilege escalations that enable attackers to bypass protections and gain system-level access without additional configuration.
Overview of Critical Vulnerabilities
Microsoft’s updates target vulnerabilities primarily in Windows and Office ecosystems. Among the six exploited issues, three are security feature bypass flaws: CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514. These flaws undermine mechanisms designed to prevent users from opening malicious attachments, effectively neutralizing initial defenses. Attackers exploit these by crafting documents that evade markup protection, allowing execution of embedded malicious code.
Two vulnerabilities enable elevation of privilege to SYSTEM level, granting attackers full control over affected systems. The final exploited issue, CVE-2026-21525, resides in the Windows Remote Access Connection Manager service. This flaw permits local denial-of-service attacks, potentially crashing the service and disrupting remote connectivity across all supported Windows versions, including those under Extended Security Updates.
Technical Details and Exploitation Vectors
Security feature bypass vulnerabilities like CVE-2026-21510 operate by manipulating Office’s Protected View and markup services. Normally, these isolate potentially harmful files in a sandboxed environment. Exploitation involves RTF or DOCX files with crafted streams that trigger out-of-bounds reads or improper validation, bypassing the sandbox and executing payloads via OLE objects or macros. Privilege escalation flaws leverage kernel driver weaknesses, such as race conditions in handle management, allowing local users to overwrite critical memory structures and elevate tokens.
For CVE-2026-21525, attackers with local access send malformed packets to the RasMan service port, triggering a buffer overflow that exhausts resources or causes unhandled exceptions, leading to service termination. This affects workflows reliant on VPN or dial-up connections, amplifying impact in enterprise remote access scenarios.
Additional High-Risk Fixes
Beyond zero-days, patches address Azure-related issues, including remote code execution in cloud attestation services and authentication bypasses in Azure DevOps. These could allow attackers to impersonate services or inject code into build pipelines. Developer tools face command injection in GitHub Copilot integrations across VS Code, Visual Studio, and JetBrains IDEs. Prompt injection techniques trick the AI into executing arbitrary shell commands, potentially exfiltrating API keys or deploying malware during development sessions.
SAP Critical Vulnerabilities Released Concurrently
SAP issued 27 security notes, including two critical flaws. One in CRM and S/4HANA persistence layers allows unauthenticated remote code execution via deserialization bugs in OData services, enabling data theft or manipulation. The other, CVE-2026-0509 (CVSS 9.6), fails authorization checks in RFC execution paths, permitting unauthorized remote function calls across NetWeaver AS ABAP platforms. Attackers with initial foothold exploit permissive RFC trusts to chain into full system compromise.
APT28 Exploits CVE-2026-21509 in Coordinated Campaigns
Russia-aligned threat actor APT28, tracked as KTA007 or Fancy Bear, rapidly weaponized CVE-2026-21509, a Microsoft Office security feature bypass (CVSS 7.8), launching campaigns like Operation Nessusloit targeting Ukrainian and government entities within 24 hours of disclosure.
Exploitation Mechanics
CVE-2026-21509 allows local attackers to bypass security features without privileges. APT28 delivers it via malicious RTF documents containing embedded exploits that evade Protected View. Upon opening, the flaw triggers via malformed rich text format streams, executing VBA macros or shellcode that downloads secondary payloads. In observed attacks, this leads to Cobalt Strike beacons for persistence and lateral movement.
Campaign Details and Attribution
Operation Nessusloit focused on Ukrainian users with RTF lures mimicking official documents. CERTA and Trelics reported over 60 government inboxes hit. APT28’s speed highlights their maturity in zero-day exploitation, incorporating the flaw into phishing kits faster than typical patching cycles. Indicators include specific RTF structures and C2 domains resolving to Russian infrastructure.
Mitigation Strategies
Organizations must prioritize patching Office components, enable macro blocking, and deploy behavior-based detection for anomalous document execution. Network segmentation limits lateral movement post-compromise.
KTA529 Compromises Notepad++ Infrastructure for CHRYSALIS Backdoor Deployment
Threat group KTA529 (Lotus Blossom, Spring Dragon) infiltrated Notepad++ hosting infrastructure from June to December 2025, selectively redirecting updates for targeted users to deliver the novel CHRYSALIS backdoor.
Attack Infrastructure and Persistence
Attackers gained credentials to internal hosting services, searching logs for Notepad++.org traffic. They implemented traffic redirection based on IP geolocation or user agents, serving tampered installers. CHRYSALIS, a modular backdoor, establishes persistence via scheduled tasks, communicates over DNS tunneling, and includes keylogging, screenshot capture, and file exfiltration modules.
Backdoor Capabilities
CHRYSALIS uses encrypted C2 channels mimicking legitimate Notepad++ updates. Once installed, it hooks into editor processes for keystroke capture, injects into browsers for credential theft, and escalates via UAC bypasses. The backdoor’s stealth relies on living-off-the-land techniques, blending with legitimate binaries.
Impact and Detection
Victims, likely in Asia-Pacific regions per group TTPs, faced persistent access. Detection involves monitoring update traffic anomalies and hashing Notepad++ binaries against known goods.
FBI Seizes RAMP Ransomware Forum
In late January 2026, the FBI seized both Clearnet and Tor domains of RAMP, a prominent Russian-language cybercrime forum dedicated to ransomware, disrupting operations and exposing user data.
Seizure Details
RAMP positioned itself as ransomware-exclusive, hosting affiliate programs and leak sites. Seizure notices now display on domains, granting authorities access to emails, IPs, messages, and financial records, fueling investigations into operators and affiliates.
Broader Ecosystem Impact
The takedown erodes trust in cybercrime platforms, potentially scattering actors to underground alternatives while aiding law enforcement in attributing attacks.
High Severity Vulnerabilities Patched in Ingress NGINX Controller
The Kubernetes project released updates for multiple high-severity flaws in Ingress NGINX controller, addressing risks like remote code execution and configuration injection in cloud-native environments.
Vulnerability Analysis
Affected versions suffer from improper input validation in annotation processing, allowing attackers to inject Lua scripts or overwrite configs via malicious Ingress resources. Exploitation requires cluster access but chains with kubelet weaknesses for full compromise.
Remediation
Upgrade to patched versions, audit Ingress annotations, and enforce RBAC to limit resource creation.