Microsoft released urgent security updates this week, fixing nearly 60 vulnerabilities across its Windows operating systems and Office software. The patches address six "zero-day" flaws that hackers were actively using to attack computers before fixes became available. Users must install these updates quickly to protect their systems from compromise.
Critical Threats Addressed
The February 2026 security updates, known as Patch Tuesday, tackled a total of 59 vulnerabilities. Among these, five were rated "Critical," meaning they pose severe risks. Many others were classified as "Important" due to their potential impact. The most concerning vulnerabilities are the six zero-days. These are flaws that attackers discovered and exploited before Microsoft could develop and release a patch. This makes them especially dangerous because hackers had a head start.
Security experts emphasize that zero-day exploits are highly valuable to attackers. When details about these flaws become public, it often increases the chances of widespread attacks. Microsoft has urged all users to install the updates promptly to reduce the risk of their systems being compromised.
Key Zero-Day Vulnerabilities Explained
This month's patches fix several types of dangerous attacks. Many of these require users to take a simple action, like clicking a link or opening a file, for an attack to succeed.
One critical zero-day is CVE-2026-21510, a security feature bypass in Windows Shell. This flaw allows attackers to get around Windows SmartScreen and Shell security warnings. If a user clicks a malicious link or opens a specially crafted shortcut file, attacker-controlled content can run without any warning or consent. This vulnerability affects all currently supported versions of Windows.
Another exploited flaw, CVE-2026-21513, affects the MSHTML Framework. MSHTML is a browser engine still used in Windows for displaying web content within applications. This security bypass bug lets attackers circumvent protection mechanisms. They can do this by distributing manipulated HTML or link files, tricking the engine's verification logic. This bypass can be triggered remotely, making it suitable for attacks through email or malicious websites.
Microsoft Word also had a zero-day vulnerability, CVE-2026-21514. This flaw allows attackers to bypass security features in Word by using a specially crafted document. When a user opens a malicious Office file, the attacker can introduce unsafe content into trusted Office workflows. Although it requires user interaction, this bypass is powerful because it undermines a core safety boundary in documents.
Two elevation of privilege vulnerabilities were also actively exploited. CVE-2026-21519 is a flaw in the Desktop Window Manager (DWM). DWM is a key Windows component that organizes windows on a user's screen. This vulnerability allows local attackers with low privileges to gain SYSTEM privileges, giving them full administrative control over the system.
Similarly, CVE-2026-21533 affects Windows Remote Desktop Services. This elevation of privilege flaw allows authenticated attackers to gain SYSTEM-level privileges. Exploitation typically requires the attacker to already have some access to the target system. CrowdStrike identified and reported this vulnerability, noting its use in real-world attacks since at least December 2025.
The sixth zero-day, CVE-2026-21525, is a denial-of-service vulnerability in the Windows Remote Access Connection Manager. This service maintains VPN connections. The flaw could allow an attacker to make the system unavailable.
Microsoft's Response and User Action
Microsoft released these crucial updates as part of its regular February 2026 Patch Tuesday. The company provides these updates to close security gaps that attackers could exploit. Installing these patches is essential for organizations and individual users to maintain strong security.
Beyond these February updates, Microsoft also released an out-of-band security fix in late January. This emergency patch addressed CVE-2026-21509, a high-severity zero-day vulnerability in Microsoft Office. This earlier flaw allowed attackers to bypass Office security features and execute malicious code locally. Reports indicated that a Russian-linked threat group, APT28, exploited this vulnerability in targeted social engineering attacks in Eastern Europe.
Microsoft is also continuing to refresh Secure Boot certificates. These certificates are vital for ensuring that only trusted programs run during the boot process, protecting against bootkit malware. Many older certificates are set to expire in June 2026, making these ongoing updates necessary for continued protection on Windows 10 and 11 PCs.
Users should not delay applying these security patches. Timely updates are the best defense against actively exploited vulnerabilities that could lead to data theft, system control, or other severe disruptions.



