Microsoft Patches Six Zero-Days in February Patch Tuesday
Microsoft's February 2026 Patch Tuesday fixes 59 flaws including six actively exploited zero-days. CrowdStrike confirmed CVE-2026-21533 was used in attacks targeting US and Canada since December.
Microsoft's February 2026 Patch Tuesday dropped with six actively exploited zero-days baked into a batch of 59 security fixes. CISA added all six to its Known Exploited Vulnerabilities catalog within hours of the release, giving federal agencies until March 3 to patch.
The six zero-days hit core Windows components—Shell, MSHTML, Office, Desktop Window Manager, Remote Desktop Services, and the Remote Access Connection Manager. Five of the six enable either privilege escalation or security bypasses, the kind of bugs attackers chain together to turn initial access into full system compromise.
The Six Actively Exploited Flaws
CVE-2026-21510 (CVSS 8.8) affects Windows Shell. Attackers can bypass SmartScreen protections when users click malicious links or shortcut files. This is the classic "click to own" scenario—once a user opens the wrong file, SmartScreen doesn't intervene.
CVE-2026-21513 (CVSS 8.8) targets the MSHTML Framework, the legacy rendering engine still used by Internet Explorer mode and various Windows components. Network-based exploitation allows security feature bypass.
CVE-2026-21514 (CVSS 7.8) is a Microsoft Word bug stemming from reliance on untrusted inputs. Opening a malicious document bypasses OLE security mitigations—similar in concept to last month's CVE-2026-21509 flaw that APT28 weaponized within 72 hours.
CVE-2026-21519 (CVSS 7.8) is a type confusion vulnerability in Desktop Window Manager. Local attackers with low privileges can escalate to SYSTEM.
CVE-2026-21533 (CVSS 7.8) allows privilege escalation via Windows Remote Desktop Services through improper privilege management. This one has the most documented pre-disclosure exploitation—CrowdStrike Intelligence reported that threat actors used exploit binaries in the wild targeting US and Canada-based entities since at least December 24, 2025.
CVE-2026-21525 (CVSS 6.2) is the only denial-of-service bug among the six. A null pointer dereference in Windows Remote Access Connection Manager allows local attackers to crash the service.
Why RDS Exploitation Matters
The Remote Desktop Services flaw deserves attention beyond its CVSS score. RDS is everywhere in enterprise environments—IT teams use it for remote administration, helpdesks use it for support, and plenty of organizations still expose it to the internet despite years of warnings. CrowdStrike's finding that attackers had working exploits nearly two months before the patch means some organizations may already be compromised.
If you've got internet-facing RDP, check your logs for suspicious authentication attempts between late December and now. Our guide on endpoint detection and response tools covers how modern EDR solutions can help detect post-exploitation activity that signature-based tools miss.
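As an added example (not from the article or any vendor tooling), the PowerShell below pulls RDP logon successes and failures from the Security log for the window the article describes, starting at the December 24, 2025 date CrowdStrike reported, and summarises them by source address and account. It assumes it runs as Administrator on the RDS host and that the Security log still retains events that far back; the date window and the output grouping are assumptions for illustration.

```powershell
# Added example: summarise RDP (RemoteInteractive) logon activity in the
# exploitation window reported for CVE-2026-21533. Assumes local admin rights
# and a Security log that still covers the window.
$start = Get-Date '2025-12-24'   # first reported in-the-wild exploitation (from the article)
$end   = Get-Date

# 4624 = successful logon, 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

$rdp = foreach ($e in $events) {
    # 4624 and 4625 lay out their properties differently, so read the
    # EventData fields by name from the event XML rather than by index.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Outcome  = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIp = $data['IpAddress']
        }
    }
}

# Failed RDP attempts per source address, most active first. A long tail of
# failures from one address, followed by a success from the same address,
# is the pattern worth correlating with EDR telemetry on the host.
$rdp | Where-Object Outcome -eq 'Failure' |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Successful RDP logons by account and source address. Accounts or addresses
# that never appeared before the window are the ones to review first.
$rdp | Where-Object Outcome -eq 'Success' |
    Group-Object User, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name
```

On hosts where the Security log has already rolled over, point the same logic at a forwarded-event collector or SIEM export instead of the local log.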
The Full Patch Breakdown
Beyond the zero-days, the 59-patch bundle includes five Critical-rated vulnerabilities and 52 rated Important. The breakdown by vulnerability type:
- Privilege escalation: 25 flaws
- Remote code execution: 12 flaws
- Spoofing: 7 flaws
- Information disclosure: 6 flaws
- Security feature bypass: 5 flaws
- Denial of service: 3 flaws
- Cross-site scripting: 1 flaw
The privilege escalation count stands out. Attackers typically combine these with lower-severity initial access bugs—phish an employee, exploit a browser flaw, then chain into admin rights using EoP bugs like the ones patched this month.
Patch Now, Verify Later
CISA's KEV catalog addition means federal agencies have until March 3 to apply these patches. Private sector organizations should treat that deadline as a ceiling, not a target. Given the confirmed pre-disclosure exploitation of CVE-2026-21533, organizations running Remote Desktop Services should prioritize this patch above the others.
For the Word and MSHTML vulnerabilities, email security controls and user awareness remain your first line of defense. The exploits require user interaction—someone has to open the malicious document or click the link. Blocking macro execution and enabling Attack Surface Reduction rules in Microsoft Defender helps, but determined attackers will find users who click.
What This Means for Defenders
Six zero-days in a single Patch Tuesday matches last year's high watermark. The trend isn't improving. Microsoft's February security update follows a pattern we've seen repeatedly—state-sponsored groups and financially motivated attackers racing to weaponize disclosed vulnerabilities before defenders can patch.
The December-to-February exploitation window for CVE-2026-21533 is particularly concerning. Two months is a long time to be unaware that attackers have working exploits. Organizations need to assume that zero-days in high-value targets like RDS and Office will be exploited before patches drop.
Test these patches quickly. Deploy them faster.