Microsoft February 2026 Patch Tuesday Addresses Six Actively Exploited Zero-Days
This Patch Tuesday release from Microsoft patches 59 vulnerabilities, including six zero-day flaws actively exploited in the wild, targeting Windows components such as Shell, MSHTML, Word, Desktop Window Manager, Remote Access Connection Manager, and Remote Desktop Services, alongside critical issues in Azure services.
Overview of the Zero-Day Vulnerabilities
Microsoft’s February 2026 Patch Tuesday, released on the second Tuesday of the month, delivers critical security updates addressing a total of 59 Common Vulnerabilities and Exposures (CVEs) across its ecosystem. Among these, six zero-days stand out due to confirmed active exploitation by threat actors. These flaws span security feature bypasses, elevation of privilege vulnerabilities, and denial-of-service conditions, primarily affecting Windows operating systems and related services. The updates also cover two critical Azure vulnerabilities with CVSS scores of 9.8, emphasizing the broad scope of this patch cycle.
Windows Shell Security Feature Bypass (CVE-2026-21510)
The Windows Shell vulnerability, assigned CVE-2026-21510 with a CVSS score of 8.8, represents a protection mechanism failure that enables attackers to circumvent Windows SmartScreen and similar security prompts. Exploitation occurs over the network but requires user interaction, typically through social engineering to compel the victim to open a malicious link or shortcut file. Once triggered, the flaw suppresses standard security dialogs for untrusted content, facilitating the delivery of malicious payloads without alerting the user.
Technically, this bypass exploits a flaw in how the Windows Shell handles shortcut (.lnk) files or hyperlinks. Attackers craft these files to invoke shell execution paths that skip SmartScreen’s reputation-based checks and Mark of the Web (MOTW) validations. SmartScreen normally evaluates file origins and blocks known malicious entities, but here, the shell misinterprets the invocation context, treating the content as trusted. This allows arbitrary code execution via embedded scripts or loaders, often chaining into ransomware or remote access trojans. Mitigation prior to patching involves disabling hyperlink warnings via Group Policy (User Configuration > Administrative Templates > Windows Components > File Explorer > Hide entry points for Fast User Switching), though this reduces security.
MSHTML Framework Security Feature Bypass (CVE-2026-21513)
CVE-2026-21513, also scoring 8.8 on CVSS, targets the MSHTML Framework, the legacy rendering engine embedded in Internet Explorer and certain Office applications. This network-based protection mechanism failure allows bypassing of sandbox and warning protections when a user opens a malicious HTML file or crafted .lnk shortcut leveraging MSHTML.
MSHTML’s role in rendering web content within non-browser contexts makes it a persistent attack vector despite Edge’s dominance. The vulnerability stems from inadequate isolation in the MSHTML hosting model, where hosted instances fail to enforce full browser sandbox boundaries. Attackers embed malicious HTML in .lnk files or documents, triggering MSHTML parsing that evades URL reputation checks and cross-origin restrictions. This can lead to script execution outside the intended sandbox, enabling phishing kits or exploit chains targeting memory corruption flaws. Deep analysis reveals improper handling of ActiveX controls and VBScript invocation, allowing escalation to host process privileges. Organizations using legacy IE mode in Edge or Office-embedded browsers face heightened risk.
Microsoft Word Security Feature Bypass (CVE-2026-21514)
With a CVSS score of 5.5, CVE-2026-21514 in Microsoft Word involves untrusted inputs influencing security decisions, resulting in a local bypass exploitable via a malicious document.
The flaw arises during document parsing where Word’s protected view and macro security fail to validate embedded content properly. Attackers embed OLE objects or ActiveX controls with tampered metadata, tricking the security engine into allowing execution of blocked scripts. This local attack requires user interaction but bypasses defenses like Protected View, potentially executing VBA macros or downloading payloads. Technically, it exploits a logic error in the Secure View decision tree, where input sanitization overlooks certain RTF or DOCX structures. Post-exploitation, attackers gain user-level code execution, often chaining with privilege escalation primitives.
Desktop Window Manager Elevation of Privilege (CVE-2026-21519)
CVE-2026-21519 (CVSS 7.8) is a type confusion vulnerability in the Desktop Window Manager (DWM), enabling local low-privileged attackers to elevate to SYSTEM without user interaction.
DWM, responsible for compositing windows in Windows 10/11, suffers from type confusion in its graphics pipeline, mishandling inter-process communication (IPC) messages. Attackers send malformed DWM messages via local RPC endpoints, causing integer overflows that corrupt memory layouts and hijack control flow. Successful exploitation rewrites access control lists (ACLs) or impersonates higher-privileged tokens, granting SYSTEM access. This no-interaction local EoP is ideal for exploit chains, as seen in prior DWM flaws like CVE-2021-34481. Debugging traces show the confusion occurs in DwmCore.dll during HWND-to-surface mapping.
Windows Remote Access Connection Manager Denial of Service (CVE-2026-21525)
CVE-2026-21525 (CVSS 6.2) affects the RasMan service, allowing unauthenticated local attackers to crash the service or system via low-complexity inputs.
RasMan handles VPN and dial-up connections through named pipes and RPC interfaces. The DoS stems from buffer over-reads in connection negotiation handlers, triggered by malformed packet sequences. Attackers enumerate accessible endpoints and flood with invalid TLV structures, exhausting kernel pools or inducing NULL pointer dereferences. While availability-focused, repeated crashes disrupt remote access, aiding persistence or lateral movement denial.
Windows Remote Desktop Services Elevation of Privilege (CVE-2026-21533)
CVE-2026-21533 (CVSS 7.8) involves improper privilege management in Remote Desktop Services (RDS), allowing local low-privileged escalation to SYSTEM.
RDS’s session management mishandles token auditing during reconnection logic. Attackers with low-priv accounts abuse RDS RPC calls (e.g., TermService endpoints) to duplicate privileged tokens from active sessions. This exploits weak impersonation checks in rdpcore.dll, elevating via NtDuplicateToken API abuse. Full CIA impact post-exploit enables kernel driver loads or LSASS dumps.
Critical Azure Vulnerabilities and Broader Patch Ecosystem
Azure SDK (CVE-2026-21531, CVSS 9.8) and Azure Front Door (CVE-2026-24300, CVSS 9.8) face remote code execution risks from deserialization flaws and misconfigured auth. Concurrently, over 60 vendors issued patches: SAP’s SQL injection (CVE-2026-0488, CVSS 9.9) in CRM/S/4HANA, missing auth in NetWeaver (CVE-2026-0509); Intel TDX 1.5 flaws enabling guest-to-host escapes; and Kubernetes Ingress NGINX high-severity issues in controller routing.
European Commission Launches Revised Cybersecurity Act Proposal
On January 20, 2026, the European Commission introduced a new cybersecurity package featuring a Proposal for a revised Cybersecurity Act, alongside NIS 2 Directive amendments, aiming to streamline certification, bolster ENISA’s role, and improve ransomware data collection.
Key Provisions of the Revised Act
The proposal accelerates European cybersecurity certification scheme development to within 12 months by simplifying procedures, reducing bureaucratic hurdles in the current framework managed by ENISA (European Union Agency for Cybersecurity). It expands ENISA’s mandate to oversee standard-setting and cross-border supervision, addressing gaps in the 2019 Cybersecurity Act.
NIS 2 Enhancements and Jurisdictional Clarity
Targeted NIS 2 amendments clarify jurisdictional rules for critical entities, mandate ransomware incident reporting, and empower ENISA for coordinated oversight of multinational operators. This responds to rising supply chain attacks, mandating standardized data formats for breach telemetry to enable EU-wide threat intelligence sharing.
Implications for Organizations
Certified products under schemes like EUCC will gain mutual recognition, easing market access but imposing stricter conformity assessments. Entities in scope face accelerated audits, with non-compliance risking fines up to 2% of global turnover under NIS 2.
French CNIL Issues €5 Million Fine for Massive Data Breach
The French data protection authority (CNIL) fined a governmental agency €5 million on January 22, 2026, following a cyberattack exposing jobseeker data of millions, due to deficiencies in authentication, monitoring, and access controls.
Breach Details and Exploitation
Attackers compromised accounts via weak multi-factor authentication (MFA) bypasses and absent session monitoring, accessing sensitive personal data including resumes and contact details for 24 million individuals. The incident highlights persistence hunting via lateral movement in unsegmented networks.
CNIL Findings and Remediation Orders
CNIL cited failures in real-time detection (no SIEM integration), excessive privileges, and improper data retention exceeding GDPR limits. Orders require MFA hardening, logging enhancements, and retention purges within six months, underscoring enforcement trends in public sector breaches.
84% of Security Programs Lag in CTEM Maturity
A recent analysis reveals 84% of cybersecurity programs fall behind in Continuous Threat Exposure Management (CTEM), exacerbating risks amid evolving threats like ransomware and supply chain disruptions.
Understanding the CTEM Divide
CTEM, Gartner-defined as continuous scoping, assessment, prioritization, and validation of exposures, remains immature in most organizations. Surveys show siloed tools hinder automated workflows, leaving 84% unable to correlate vulnerabilities with exploitability in real-time.
Path to Maturity
Leaders integrate CTEM via agentless scanners, AI-driven prioritization (e.g., EPSS scores), and automated validation playbooks, reducing mean time to remediate (MTTR) by 50%. Laggards face amplified ransomware impact, per World Economic Forum’s 2026 Outlook citing supply chain as top CISO concern.