Threat Advisories:
Microsoft’s February 2026 Patch Tuesday Fixes Active Zero-Day Exploits Critical API Flaw Puts SmarterMail Servers at Risk TGR-STA-1030: Global State-Aligned Cyber Espionage Campaign Transparent Tribe Targets India’s Startup Ecosystem with Crimson RAT Amaranth-Dragon: Low Noise, High Impact Espionage in Southeast Asia Web Traffic Hijacking via Malicious NGINX Configuration Injection DEAD#VAX: AsyncRAT Deployment via IPFS-Hosted VHD Phishing Operation Neusploit: APT28 Weaponizes CVE-2026-21509 Chrysalis Backdoor: A Quiet Passenger in Notepad++ Updates One Click to Compromise: Inside OpenClaw’s Critical RCE Flaw Attackers Hijack Open VSX Extensions to Spread GlassWorm Malware UAT-8099 Cybercrime Group Leverages BadIIS Ivanti Patches Actively Exploited EPMM Flaws CVE-2026-24858: Critical FortiCloud SSO Zero-day Under Active Exploitation TA584 and the Business of Breach: Selling Access at Scale Mustang Panda Enhances CoolClient for Stealth and Surveillance Instant Root Access via CVE-2026-24061: A Decade-Old Bug Comes Alive Gopher Strike and Sheet Attack Campaigns Targeting Indian Government January 2026 Linux Patch Roundup CVE-2026-21509: Microsoft Office Zero-Day Under Active Exploitation
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Microsoft’s February 2026 Patch Tuesday Fixes Active Zero-Day Exploits

Red | Vulnerability Report
Download PDF

Summary

Microsoft’s February 2026 Patch Tuesday represents a substantial security update addressing 60 vulnerabilities across the Microsoft product ecosystem, including six actively exploited zero-day vulnerabilities that pose immediate threats to enterprise and consumer environments. The security update includes 59 Microsoft vulnerabilities plus one Chromium-based vulnerability affecting Microsoft Edge, spanning severity ratings of 5 Critical, 52 Important, and 2 Moderate. The vulnerabilities encompass 12 Remote Code Execution flaws, 25 Elevation of Privilege vulnerabilities, 6 Information Disclosure issues, 3 Denial of Service weaknesses, 5 Security Feature Bypass vulnerabilities, and 8 Spoofing flaws affecting core Windows components, Microsoft Office applications, Azure cloud services, and development tools.

Of critical concern, six vulnerabilities were confirmed as actively exploited in the wild at the time of patch release, with three having been publicly disclosed prior to Microsoft’s patches becoming available. Additionally, 16 CVEs are assessed as either actively exploited or at increased risk of exploitation, underscoring the urgent need for rapid patch deployment across enterprise environments. The six actively exploited zero-days include CVE-2026-21510 (Windows Shell security feature bypass), CVE-2026-21513 (MSHTML Framework security feature bypass), CVE-2026-21514 (Microsoft Word security feature bypass), CVE-2026-21519 (Desktop Window Manager elevation of privilege), CVE-2026-21525 (Windows Remote Access Connection Manager denial of service), and CVE-2026-21533 (Windows Remote Desktop Services elevation of privilege). All six vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed exploitation by threat actors.

The three security feature bypass zero-days (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514) enable attackers to circumvent Windows security controls through social engineering attacks. CVE-2026-21510 allows attackers to bypass Windows SmartScreen and Windows Shell security warnings by convincing users to open malicious links or specially crafted shortcut files. CVE-2026-21513 enables adversaries to circumvent MSHTML Framework protections, achieving code execution when victims open malicious HTML or LNK files. CVE-2026-21514 affects Microsoft Word, bypassing OLE (Object Linking and Embedding) mitigations designed to restrict unsafe COM/OLE control execution, requiring victims to open crafted Office documents. These vulnerabilities are particularly dangerous as they defeat security controls specifically designed to protect users from malicious content, effectively removing critical defensive layers.

The two elevation of privilege zero-days (CVE-2026-21519, CVE-2026-21533) provide local attackers with pathways to escalate privileges to SYSTEM level after gaining initial access to compromised systems. CVE-2026-21519 affects the Desktop Window Manager component responsible for rendering the Windows graphical user interface, while CVE-2026-21533 targets Windows Remote Desktop Services, a critical component for remote system administration. These privilege escalation vulnerabilities are particularly valuable in post-compromise scenarios, enabling attackers who have gained initial foothold access through phishing, social engineering, or other vulnerabilities to escalate to full administrative control, facilitating lateral movement, persistence establishment, and comprehensive network compromise. The sixth zero-day, CVE-2026-21525, represents a denial-of-service vulnerability in Windows Remote Access Connection Manager that can disrupt system availability, notably assessed at moderate severity despite active exploitation.

Beyond the zero-days, this Patch Tuesday addresses critical vulnerabilities in Azure cloud services including CVE-2026-21522 (Azure ACI Confidential Containers command injection enabling privilege escalation) and CVE-2026-23655 (Azure ACI Confidential Containers information disclosure potentially exposing sensitive tokens or cryptographic keys). Microsoft also patched CVE-2026-21511 (Outlook spoofing vulnerability triggered via crafted emails leveraging the preview pane) and multiple remote code execution issues affecting GitHub Copilot integrations within Visual Studio, VS Code, and JetBrains products stemming from prompt injection risks. Additionally, this release introduces phased updates to replace expiring Secure Boot certificates originally issued in 2011, reinforcing platform trust and boot integrity across the Windows ecosystem.

Vulnerability Details

Severity Distribution: 5 Critical, 52 Important, 2 Moderate vulnerabilities
Impact Categories: 12 RCE, 25 EoP, 6 Information Disclosure, 3 DoS, 5 Security Feature Bypass, 8 Spoofing

Six Actively Exploited Zero-Days:

  1. CVE-2026-21510 (Windows Shell) – Bypasses SmartScreen via malicious links/shortcuts
  2. CVE-2026-21513 (MSHTML Framework) – Circumvents MSHTML protections via HTML/LNK files
  3. CVE-2026-21514 (Microsoft Word) – Bypasses OLE mitigations via crafted documents
  4. CVE-2026-21519 (Desktop Window Manager) – Local privilege escalation to SYSTEM
  5. CVE-2026-21533 (Windows Remote Desktop Services) – Local privilege escalation to SYSTEM
  6. CVE-2026-21525 (Windows Remote Access Connection Manager) – Denial of service (moderate severity)

Notable Additional Vulnerabilities:

  • Azure confidential computing flaws (CVE-2026-21522, CVE-2026-23655)
  • Outlook spoofing via preview pane (CVE-2026-21511)
  • GitHub Copilot RCE across development environments
  • Windows Hyper-V remote code execution vulnerabilities
  • Secure Boot certificate replacement initiative

Recommendations

  1. Priority Patching of Six Zero-Days – Immediately deploy patches for CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533 (all on CISA KEV)
  2. Comprehensive Service Exposure Review – Identify publicly accessible vulnerable services and patch internet-facing systems first
  3. Implement Network Segmentation – Restrict unauthorized access to limit lateral movement following privilege escalation
  4. Enforce Least Privilege – Minimize user permissions to reduce privilege escalation impact
  5. Accelerated Testing and Deployment – Given volume of EoP flaws and multiple zero-days, prioritize patch deployment for remote access infrastructure and endpoints exposed to user content

MITRE ATT&CK TTPs

Initial Access: T1189, T1566.001, T1566.002 | Execution: T1059, T1203, T1204.001, T1204.002 | Defense Evasion: T1036, T1218, T1553.005 | Privilege Escalation: T1068, T1543.003 | Credential Access: T1552 | Lateral Movement: T1021.001 | Impact: T1499

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox