Microsoft February 2026 Patch Tuesday Addresses Six Actively Exploited Zero-Days
This summary outlines Microsoft’s February 2026 security updates, which patch 59 to 60 vulnerabilities, including six zero-days under active exploitation, prompting urgent remediation mandates from CISA for federal agencies.
Overview of Patched Vulnerabilities
Microsoft released updates addressing a total of 59 vulnerabilities across its software ecosystem, with classifications including five Critical, 52 Important, and two Moderate severity flaws. The vulnerabilities encompass privilege escalation (25 cases), remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). These patches supplement three prior Edge browser fixes from January, notably CVE-2026-0391, a Moderate spoofing issue in Edge for Android enabling network-based user interface misrepresentation.
Details of Actively Exploited Zero-Days
The six zero-days confirmed as exploited in the wild are CVE-2026-21510 (CVSS 8.8), a Windows Shell protection mechanism failure allowing network-based security bypass by unauthorized attackers; CVE-2026-21513 (CVSS 8.8), an MSHTML Framework protection failure with similar network bypass capabilities; CVE-2026-21514 (CVSS 7.8), a Microsoft Office Word input reliance flaw enabling local security bypass; CVE-2026-21519 (CVSS 7.8), a type confusion in Desktop Window Manager permitting local privilege escalation; CVE-2026-21525 (CVSS 6.2), a null pointer dereference in Windows Remote Access Connection Manager causing local denial-of-service; and CVE-2026-21533 (CVSS 7.8), improper privilege management in Windows Remote Desktop allowing local escalation. These flaws require initial host access via methods like malicious attachments or lateral movement, after which attackers can elevate to SYSTEM privileges, disable defenses, deploy malware, or extract credentials for domain dominance.
Technical Exploitation Mechanics
For CVE-2026-21533, the exploit modifies a service configuration registry key to an attacker-controlled value, enabling addition of users to the Administrator group. Local privilege escalations like CVE-2026-21519 and CVE-2026-21533 demand prior foothold but amplify impact through SYSTEM access. Protection failures in CVE-2026-21510 and CVE-2026-21513 bypass core defenses in Windows Shell and MSHTML, potentially via crafted network payloads exploiting untrusted inputs or malformed HTML rendering. CISA added all six to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch remediation by March 3, 2026.
Accompanying Security Enhancements
Microsoft introduced updated Secure Boot certificates replacing 2011 versions expiring in June 2026, deployed via standard updates. New initiatives under Secure Future and Windows Resiliency include Windows Baseline Security Mode, enforcing runtime integrity for signed apps, services, and drivers to prevent tampering, and User Transparency and Consent for enhanced protections.
Fortinet Patches Critical SQL Injection in FortiClientEMS
Fortinet addressed CVE-2026-21643, a critical SQL injection vulnerability (CVSS 9.8) in FortiClientEMS version 7.4.4, enabling unauthenticated remote code execution via crafted HTTP requests, with immediate updates recommended.
Vulnerability Background and Scoring
Announced on February 11, 2026, CVE-2026-21643 stems from inadequate input sanitization in FortiClientEMS, Fortinet’s endpoint management server. The CVSS v3.1 score of 9.8 reflects high impact: attack vector is network, complexity low, privileges none required, user interaction none, scope changed, and confidentiality/integrity/availability all fully compromised.
Exploitation Impact and Attack Vector
An unauthenticated attacker sends specially crafted HTTP requests to the vulnerable endpoint, injecting malicious SQL payloads that execute arbitrary commands on the underlying server. This leads to full system compromise, data manipulation, privilege escalation to root, persistence via backdoors, and lateral movement across managed endpoints. In enterprise deployments, attackers could exfiltrate endpoint configurations, deploy ransomware, or pivot to broader network segments.
Technical Analysis of SQL Injection Mechanics
The flaw likely resides in a backend query handler processing user-supplied parameters without prepared statements or parameterized queries, allowing classic SQLi techniques like union-based extraction, blind time-based inference, or error-based disclosure. Exploitation chains might combine this with FortiClient agent interactions for mass endpoint compromise. Affected solely version 7.4.4; administrators must upgrade to patched releases, applying least-privilege network segmentation and web application firewalls as interim measures.
FBI Launches Operation Winter SHIELD Campaign
The FBI initiated Operation Winter SHIELD, a two-month national campaign promoting 10 layered defense actions against cyberthreats, emphasizing pre-crisis partnerships with health systems and defenses against nation-state actors using AI and cybercriminals.
Campaign Objectives and Scope
Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) targets critical infrastructure, particularly healthcare, urging organizations to adopt 10 proactive measures. FBI leaders highlight nation-state actors’ tactics of leveraging cybercriminals and AI for disruptions like ransomware and data exfiltration in health systems.
Key Defensive Actions and Partnerships
The 10 actions include building local FBI relationships pre-incident, implementing multi-factor authentication, segmenting networks, patching promptly, monitoring logs, and conducting backups. AHA podcast discussions with FBI Cyber Division Assistant Director Brett Leatherman and Office of Private Sector Assistant Director Gretchen Burrier stress trusted channels for hospitals of all sizes to report anomalies early, enhancing collective defense.
Threat Landscape Insights
Nation-states amplify attacks via cybercriminal affiliates for plausible deniability, integrating AI for phishing evasion, vulnerability scanning, and payload generation. Health sector vulnerabilities arise from legacy systems, IoT medical devices, and supply chain dependencies, necessitating behavioral threat assessment resources co-developed with FBI’s Behavioral Analysis Unit.