SparTech Software CyberPulse – Your quick strike cyber update for February 13, 2026 10:41 AM

Microsoft February 2026 Patch Tuesday Addresses 50+ Vulnerabilities Including Six Exploited Zero-Days

In its February 2026 Patch Tuesday release, Microsoft addressed over 50 security vulnerabilities, with a critical focus on six zero-day flaws actively exploited in the wild, spanning components like the MSHTML engine, Microsoft Word, Windows Shell, Desktop Window Manager, Remote Access Connection Manager, and Remote Desktop Services.

Security Feature Bypass Vulnerabilities

Three of the zero-days involve security feature bypasses, enabling attackers to evade protective mechanisms without triggering user warnings. CVE-2026-21513 targets the MSHTML/Trident browser engine in Internet Explorer on Windows. Attackers craft malicious HTML files or Windows shortcut (.lnk) files that manipulate browser rendering and Shell interactions. When a user opens such a file, the engine processes malformed content, sidestepping built-in safeguards like markup validation and script execution controls. This allows injection of arbitrary code during document parsing, exploiting discrepancies in how Trident handles DOM tree construction versus Shell file association prompts.

CVE-2026-21514 affects Microsoft Word, bypassing OLE object linking and embedding mitigations in Microsoft 365 and Office suites. Malicious Office documents embed payloads that trick Word’s security decisions on active content. Normally, OLE mitigations scan for suspicious embedded executables or scripts, but this flaw stems from improper validation of untrusted inputs during document deserialization. Attackers embed structured storage streams mimicking legitimate macros or ActiveX controls, causing Word to execute them without invoking Protected View or macro disabling prompts. Recent emergency patches for similar issues highlight ongoing exploitation chains combining this with social engineering.

CVE-2026-21510 impacts Windows Shell, allowing bypass of SmartScreen and security prompts via malicious links or shortcuts. Exploitation involves crafting .lnk files with embedded Uniform Resource Identifiers (URIs) that reference remote payloads. Shell’s prompt logic fails to validate URI schemes or referrer headers properly, suppressing the standard “Open File – Security Warning” dialog. This enables silent execution of downloaded executables, chaining into ransomware or remote access trojans. Public disclosure by researchers from Google Threat Intelligence and Microsoft teams underscores the need for immediate patching, as exploits circulate in underground forums.

Privilege Escalation and Denial-of-Service Zero-Days

CVE-2026-21519 is a Desktop Window Manager (DWM) privilege escalation vulnerability. On compromised hosts, attackers leverage memory corruption in DWM’s composition engine, which handles window rendering and GPU acceleration. By sending crafted window messages via user-mode APIs like SetWindowPos, attackers trigger an out-of-bounds write in DWM’s heap, overwriting pointers to elevate from user to SYSTEM privileges. This requires local access but no further interaction, making it ideal for post-exploitation in lateral movement scenarios.

CVE-2026-21525 targets the Windows Remote Access Connection Manager (RasMan) service, enabling denial-of-service from unprivileged users. RasMan manages VPN and dial-up connections using Point-to-Point Protocol (PPP) stacks. Attackers send malformed RASAPI32 calls or manipulate registry keys under HKLM\SYSTEM\CurrentControlSet\Services\RasMan, causing stack overflows in parameter validation routines. This crashes the service, disrupting all VPN tunnels. In enterprise environments with “fail-closed” policies, endpoints lose network access, isolating them from management tools. Larger deployments risk cascading failures, as RRAS servers handling routing amplify the outage, providing cover for data exfiltration.

CVE-2026-21533 affects Windows Remote Desktop Services (RDS), allowing privilege escalation by modifying service configuration keys. Exploits alter registry entries under HKLM\SYSTEM\CurrentControlSet\Services\TermService, substituting attacker-controlled paths for legitimate binaries. This grants administrative access, such as adding users to the Administrators group. Threat actors targeted North American entities since late 2025, using pre-built binaries detected via endpoint behavioral analytics. Post-patch, adversaries may pivot to variant exploits or broker them on dark web markets.

Broader Implications and Patching Priorities

Patch counts vary slightly across reports, between 50 and 60 CVEs, with elevation-of-privilege flaws dominating at over 40% and remote code execution at 20%. Critical Azure flaws like CVE-2026-21531 in Azure SDK and CVE-2026-24300 in Azure Front Door demand attention for cloud workloads, involving service misconfigurations exploitable remotely. Organizations should prioritize zero-days, test in staging environments, and monitor for exploit artifacts like anomalous .lnk handling or RasMan crashes. Enhanced logging via Event ID 4688 for process creation aids detection.
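The two defensive checks suggested above (auditing the RDS and RasMan service configuration keys, and watching Event ID 4688 process creation and RasMan crashes) can be expressed as a small triage script. The following is an added example, not code from Microsoft or from the original article. The expectation that TermService and RasMan run from %SystemRoot%\System32, the simplified record fields, and the sample service and event data are all constructed assumptions; the event IDs (4688 for process creation, Service Control Manager 7034 for a service that terminated unexpectedly) are real Windows event IDs.

```python
"""Defensive triage for the Patch Tuesday items above (added example).

Check 1 audits exported service configuration for TermService (RDS) and
RasMan: the expectation that both run from %SystemRoot%\\System32 is this
example's assumption, not a statement on the page.
Check 2 scans simplified, constructed event records: process creation
(Event ID 4688) launched by the Shell from a user-writable path or
referencing a .lnk file, and Service Control Manager Event ID 7034
("service terminated unexpectedly") for RasMan.
"""
SERVICES_OF_INTEREST = {"TermService", "RasMan"}     # assumed scope
EXPECTED_SERVICE_DIR = "%systemroot%\\system32\\"    # assumption

# Directories a downloaded payload would typically be executed from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def executable_of(image_path: str) -> str:
    """Return the executable portion of an ImagePath value, normalized."""
    s = image_path.strip()
    exe = s[1:s.find('"', 1)] if s.startswith('"') else s.split()[0]
    return exe.lower().replace("c:\\windows\\", "%systemroot%\\")


def service_config_findings(services: dict) -> list:
    """services maps service name -> ImagePath string (e.g. from 'reg export')."""
    findings = []
    for name, image_path in services.items():
        if name in SERVICES_OF_INTEREST:
            if not executable_of(image_path).startswith(EXPECTED_SERVICE_DIR):
                findings.append((name, image_path))
    return findings


def triage_events(events: list) -> list:
    """Return (event_index, reason) pairs; index -1 marks a summary alert."""
    alerts = []
    rasman_crashes = 0
    for i, ev in enumerate(events):
        if ev["id"] == 4688:
            proc = ev["new_process"].lower()
            parent = ev["parent"].lower()
            if parent.endswith("\\explorer.exe") and any(d in proc for d in USER_WRITABLE_DIRS):
                alerts.append((i, "Shell launched a process from a user-writable path"))
            if ".lnk" in ev.get("cmdline", "").lower():
                alerts.append((i, "command line references a shortcut (.lnk) file"))
        elif ev["id"] == 7034 and ev.get("service", "").lower() == "rasman":
            rasman_crashes += 1
            alerts.append((i, "RasMan service terminated unexpectedly"))
    if rasman_crashes >= 2:
        alerts.append((-1, f"RasMan crashed {rasman_crashes} times: possible denial of service"))
    return alerts


# Constructed sample data (not real registry or log exports).
SAMPLE_SERVICES = {
    "TermService": r"%SystemRoot%\System32\svchost.exe -k NetworkService",
    "RasMan": r'"C:\Users\Public\svchost.exe" -k netsvcs',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
SAMPLE_EVENTS = [
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\Downloads\invoice.lnk"'},
    {"id": 7034, "service": "RasMan"},
    {"id": 7034, "service": "RasMan"},
    {"id": 7034, "service": "Spooler"},
]

if __name__ == "__main__":
    for finding in service_config_findings(SAMPLE_SERVICES):
        print("service config:", finding)
    for alert in triage_events(SAMPLE_EVENTS):
        print("event:", alert)
```

In practice the service map would be built from a `reg export` of the TermService and RasMan keys and the events from a Security/System log export; the point of the integrity check is that an ImagePath resolving outside System32 for either service is a finding regardless of what the rest of the command line says.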

RenEngine Campaign Deploys Advanced Information Stealers via Cracked Games

A large-scale campaign running since March 2025 uses RenEngine, a sophisticated loader delivered through cracked video games. It has infected over 400,000 victims worldwide with stealers such as Lumma and ACR, which target credentials and cryptocurrency wallets in a multi-stage infection chain.

Infection Vector and Loader Mechanics

Attackers distribute cracked games via torrent sites and fake repositories, embedding RenEngine in executable stubs. Upon launch, RenEngine employs anti-analysis techniques including API hashing to evade static detection, dynamic API resolution via PEB walking, and environment checks for virtual machines using timing discrepancies in RDTSC instructions. It decrypts subsequent stages using RC4 with keys derived from machine GUIDs, and it establishes persistence across reboots via scheduled tasks that mimic legitimate game updaters.

Payload Deployment and Stealer Operations

RenEngine drops HijackLoader, which injects into browser processes like chrome.exe via process hollowing: suspending legitimate threads, unmapping PE sections, and overlaying malicious code. Final payloads include Lumma Stealer, extracting cookies, autofill data, and extension storage from Chromium browsers via SQLite parsing, and ACR Stealer focusing on cryptocurrency extensions like MetaMask by hooking Web3 APIs. Exfiltrated data routes through bulletproof hosting with domain generation algorithms, rotating C2 servers daily.

Target Profiling and Evasion Tactics

Victims span global demographics, with high concentrations in gaming communities. Evasion includes string obfuscation with XOR chains, polymorphic code mutations per sample, and living-off-the-land binaries like certutil.exe for downloads. Behavioral indicators include unusual disk I/O on browser profile directories and network beacons to reconnaissance endpoints.
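The network-side indicators named above (periodic beacons and daily-rotating C2 domains) lend themselves to two simple heuristics: flagging source/destination pairs whose connection intervals are unusually regular, and flagging destination names whose second-level label looks machine-generated. The block below is an added example, not code from the RenEngine research or from any vendor; the connection records, the thresholds, and the DGA heuristic (length, Shannon entropy, vowel ratio, digit count) are all constructed assumptions.

```python
"""Beacon and DGA-style domain heuristics for the stealer indicators above.
Added example; connection records and thresholds are constructed."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

BEACON_MIN_CONNECTIONS = 6   # assumed: fewer samples give unreliable statistics
BEACON_MAX_JITTER = 0.15     # assumed: max coefficient of variation of gaps
DGA_MIN_ENTROPY = 3.5        # assumed: bits per character of the second-level label
DGA_MIN_LENGTH = 10          # assumed


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str) -> bool:
    """Heuristic: long, high-entropy second-level label with few vowels or digits."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < DGA_MIN_LENGTH or shannon_entropy(label) < DGA_MIN_ENTROPY:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label)
    return vowel_ratio < 0.25 or digits >= 2


def beacon_candidates(records: list) -> list:
    """records: (epoch_seconds, src_ip, dst_name) tuples.

    Returns (src, dst, mean_gap_seconds, dga_flag) for pairs whose
    inter-arrival times are regular enough to look like a check-in timer."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < BEACON_MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            hits.append((src, dst, round(avg, 1), looks_generated(dst)))
    return hits


# Constructed sample: one host checking in roughly every 60 s, one browsing normally.
SAMPLE_CONNECTIONS = (
    [(t, "10.0.0.5", "xk3q9vz7pw2lm4rt.top") for t in (0, 60, 121, 180, 242, 300, 361, 420)]
    + [(t, "10.0.0.7", "cdn.example.com") for t in (0, 5, 300, 310, 900, 905, 2000)]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_CONNECTIONS):
        print(hit)
```

Both heuristics produce false positives on their own (software updaters beacon, and some CDN hostnames are high-entropy), which is why the beacon result carries the DGA flag alongside it: a regular timer to a generated-looking name is a much stronger signal than either observation alone.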

Muddled Libra Evolves to Ransomware Affiliate Model

Muddled Libra has shifted from cryptocurrency theft to a ransomware affiliate program, targeting diverse sectors like government and telecom by exploiting psychology and legitimate tools while minimizing custom malware.

Operational Evolution and Attack Speed

The group accelerates attacks using initial access brokers for footholds, then living-off-the-land techniques like PowerShell for reconnaissance and PsExec for lateral movement. Domain controller compromises enable Kerberoasting for ticket escalation, followed by VMware vSphere exploits via vmdk manipulation for encryption.
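Of the techniques listed above, Kerberoasting is the one with the cleanest log-based signal: Event ID 4769 (Kerberos service ticket request) records the requesting account, the service name and the ticket encryption type, and a single account requesting RC4-HMAC tickets for many distinct services in a short window is the classic pattern. The block below is an added example, not code from the Muddled Libra research or any vendor; the record fields are simplified, the events are constructed, and the thresholds (five services in five minutes) are assumptions. Treating RC4-HMAC (0x17) as the signal and excluding krbtgt and computer accounts follows common detection practice.

```python
"""Kerberoasting detection over constructed Event ID 4769 records (added example)."""
from collections import defaultdict

RC4_HMAC = 0x17   # ticket encryption type most associated with roasting requests


def kerberoast_suspects(events: list, min_services: int = 5,
                        window_seconds: int = 300) -> list:
    """Return (user, distinct_services) for accounts that requested RC4 service
    tickets for at least min_services distinct SPNs within window_seconds."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["encryption_type"] != RC4_HMAC:
            continue
        svc = ev["service_name"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue   # TGT requests and computer accounts are not roasting targets
        by_user[ev["requesting_user"]].append((ev["time"], svc))
    suspects = []
    for user, reqs in sorted(by_user.items()):
        reqs.sort()
        # Sliding window anchored on each request; first window over threshold wins.
        for start, _ in reqs:
            in_window = {svc for t, svc in reqs if start <= t < start + window_seconds}
            if len(in_window) >= min_services:
                suspects.append((user, len(in_window)))
                break
    return suspects


# Constructed sample events (epoch seconds, simplified field names).
SAMPLE_4769 = [
    {"time": 1000 + i * 5, "requesting_user": "alice", "service_name": f"svc_app{i}",
     "encryption_type": RC4_HMAC} for i in range(6)
] + [
    {"time": 1010, "requesting_user": "alice", "service_name": "krbtgt", "encryption_type": RC4_HMAC},
    {"time": 2000, "requesting_user": "bob", "service_name": "svc_sql", "encryption_type": RC4_HMAC},
    {"time": 2030, "requesting_user": "bob", "service_name": "svc_web", "encryption_type": RC4_HMAC},
] + [
    {"time": 3000 + i, "requesting_user": "svc_backup", "service_name": f"host{i}$",
     "encryption_type": 0x12} for i in range(8)   # AES tickets to computer accounts: benign
]

if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_4769))
```

Enforcing AES-only service accounts (so that no RC4 ticket is issued at all) removes the attack surface this rule watches for; until then, the rule is cheap enough to run continuously over the domain controllers' Security logs.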

Infrastructure and Sector Focus

Infrastructure emphasizes cloud pivots to AWS and Azure, abusing IAM roles for persistence. Targets include aviation for operational disruption and insurance for data leverage in negotiations.

Iron Mountain Faces Everest Ransomware Extortion

Iron Mountain confronts a February 11 deadline from Everest ransomware after the gang claimed theft of 1.4TB of internal and client documents, though the company denies confidential data exposure.

Incident Details and Verification Challenges

Proof-of-concept leaks show folder structures with customer names, but data sensitivity remains unconfirmed pending official statements. Everest employs double extortion, pairing encryption with data dumps on leak sites.
