Attackers are already actively exploiting six of the 59 vulnerabilities Microsoft disclosed in its latest security update, meaning security teams will need to treat February’s Patch Tuesday as an active defense exercise rather than just routine maintenance.
Three of the six zero-days are security feature bypass flaws in different Microsoft products, which is particularly troubling because they give attackers a way to slip past built-in protections that organizations rely on. Microsoft issued an out-of-band patch for one of the zero-days, underscoring its urgency.
Two of the remaining actively exploited bugs are elevation-of-privilege issues that allow an attacker to gain admin-level privileges on affected systems, while the remaining bug enables denial-of-service attacks.
If that weren’t enough to keep admins busy, Microsoft assessed five other CVEs it disclosed this week as bugs that attackers are “more likely” to exploit. That’s a term Microsoft uses for bugs for which exploit code could be developed relatively quickly, that can be exploited with little complexity, or that affect a high-value target for attackers.
Security Feature Bypass Bugs
The three security feature bypass vulnerabilities in Microsoft’s February update are CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514. Technical details of the bugs are already publicly available, which usually means more attacks will follow soon.
CVE-2026-21510 (CVSS 8.8), according to Microsoft, allows attackers to bypass Windows Shell and Windows SmartScreen and run code of their choice on a victim’s system without any warning or user consent. To exploit the flaw, an attacker would first need to convince a user to interact with a malicious file or link.
CVE-2026-21513 (CVSS 8.8) affects Microsoft’s MSHTML framework. Attackers can abuse the flaw by tricking users into opening a specially crafted HTML file or shortcut link and tricking the browser and operating system into executing it like code instead of treating it like data.
The third security feature bypass zero-day, CVE-2026-21514 (CVSS 7.8), affects Microsoft Word and once again requires user interaction for a successful exploit. In this case, an attacker who tricks a user into opening a malicious Word document can bypass OLE security controls in Microsoft 365 and Microsoft Office to execute arbitrary code. Microsoft issued an emergency out-of-band patch for a similar vulnerability in Office, CVE-2026-21509, on Jan. 26 amid reports of active exploitation.
“Security feature bypass vulnerabilities significantly increase the success rate of phishing and malware campaigns,” said Jack Bicer, director of vulnerability research at Action1, in prepared commentary. “In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise.”
What makes remediation even more urgent for organizations is the wide prevalence of the affected components. Word is both widely used and heavily targeted already, while MSHTML is a core component for rendering HTML content in the Windows ecosystem.
Similarly, vulnerabilities like CVE-2026-21510 that allow attackers to bypass SmartScreen and Windows Shell protections are dangerous because they enable more effective malware delivery and phishing campaigns, noted Mike Walters, president and co-founder of Action1. “Organizations may face unauthorized code execution, malware infections, credential theft, and lateral movement within networks,” he said in an emailed comment. “Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching.”
Two Elevation of Privilege and 1 DoS Zero-Days
The three other zero-days, tracked as CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, affect Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services, respectively.
CVE-2026-21519 (CVSS 6.2) and CVE-2026-21533 both allow attackers to escalate their privileges on a system to administrator-level access.
CVE-2026-21525 (CVSS 6.2) in Windows Remote Access Connection Manager allows an attacker to trigger denial-of-service conditions locally. “An attacker with a foothold as a standard, non-admin user can run a small script that crashes the RAS manager service,” explained Ryan Braunstein, security manager at Automox, in a prepared statement. “The attack requires no elevated privileges and can be triggered after initial access through phishing or a malicious browser extension,” he noted. While the vulnerability does not enable any data theft or code execution, “its potential for disruption is significant,” Braunstein added.
The 59 bugs Microsoft disclosed this month are far fewer than the 112 CVEs in January. But that doesn’t make the update any less impactful. “The good news, there’s not a lot of CVEs to deal with; the bad news, there’s actually a lot to unpack here,” said Tyler Reguly, associate director of security R&D at Fortra, in prepared comments.
He pointed to 10 CVEs in Azure in particular as vulnerabilities that security teams should pay attention to, in addition to the bugs that attackers are already actively exploiting. “While three of these (CVE-2026-21532 [CVSS 8.2], CVE-2026-24300 [CVSS 9.8], and CVE-2026-24302 [CVSS 8.6]) are all marked as ‘No Customer Action Required,’ I’d still want to ensure that there was no evidence of issues in my cloud — or cloud-adjacent — environments,” Reguly said in an emailed statement. “For the other seven CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment.”
