Microsoft February 2026 Patch Tuesday Fixes Six Actively Exploited Zero-Days Across Windows, Office, and Remote Desktop

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities across Windows, Office, Azure, Edge, Exchange, and Hyper-V — including six zero-day flaws already being exploited in the wild. All six have been added to CISA's Known Exploited Vulnerabilities catalog with a March 3 federal patching deadline.

Of the 59 flaws, five are rated Critical and 52 Important; the remaining two carry lower ratings. By impact, the release covers privilege escalation (25), remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial of service (3), and cross-site scripting (1).

The Six Zero-Days

Three of the actively exploited vulnerabilities are security feature bypass flaws that let an attacker sidestep Windows SmartScreen and Office protections. None of them needs prior access: the only requirement is that a user opens a malicious file or link.

CVE-2026-21510 (CVSS 8.8) — A protection mechanism failure in Windows Shell that lets a crafted link or shortcut (.lnk) file run without the SmartScreen prompt the user would normally see. Exploitation requires convincing a user to open the file or link. It likely amounts to a Mark of the Web (MotW) bypass, MotW being the download-origin tag that SmartScreen and Office consult before deciding whether to warn.

CVE-2026-21513 (CVSS 8.8) — A security feature bypass in the MSHTML Framework that suppresses the execution prompt when a user interacts with a malicious HTML or .lnk file. As Action1's Jack Bicer noted, "a crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click."

CVE-2026-21514 (CVSS 7.8) — A security decision flaw in Microsoft Word that lets a malicious document bypass the OLE mitigations in Microsoft 365 and Office, the controls that block or prompt on embedded OLE objects.

All three were reported by Google Threat Intelligence Group (GTIG) together with Microsoft's own security teams, and all three were publicly known before the fix shipped. The common reporter and the common lure pattern (a file or link that suppresses a security prompt) suggest they may have been used in the same campaign. SecurityWeek noted that GTIG frequently tracks exploitation by commercial spyware vendors and state-sponsored groups, though no attribution has been made.

The remaining three zero-days enable privilege escalation and denial-of-service:

CVE-2026-21519 (CVSS 7.8) — A type confusion vulnerability in Desktop Window Manager (DWM) that allows local privilege escalation to SYSTEM. DWM has now appeared in exploited vulnerabilities in consecutive Patch Tuesday releases.

CVE-2026-21533 (CVSS 7.8) — An improper privilege management flaw in Windows Remote Desktop Services. CrowdStrike, which reported the vulnerability, revealed the exploit binary modifies a service configuration key to escalate privileges and add users to the Administrator group. CrowdStrike warned that "threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term."

CVE-2026-21525 (CVSS 6.2) — A null pointer dereference in Windows Remote Access Connection Manager (RasMan) that crashes the service, causing a denial of service. ACROS Security's 0patch team found it in a public malware repository while investigating the related CVE-2025-59230. Organizations that rely on always-on VPN connections face particular risk: a RasMan crash severs VPN sessions, and an attacker can use the resulting outage as cover for other activity.

Secure Boot Certificate Rollover

Microsoft is simultaneously rolling out updated Secure Boot certificates to replace the 2011-era certificates that expire in late June 2026. Devices that do not receive the new certificates will keep booting, but they enter a degraded security state: they can no longer receive updates to Secure Boot components (new revocations and boot managers signed by the 2023 CAs) and may run into compatibility problems with newer operating systems and firmware.
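To see where a given machine stands before the June 2026 expiry, the following PowerShell reads the UEFI db (allowed signers) and KEK variables and looks for the 2023 CA subject names, the same substring check Microsoft's own guidance uses. This is an added example, not code from the article or from Microsoft. It assumes Microsoft's published CA names ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023") and the UEFICA2023Status value under the SecureBoot\Servicing registry key; verify both against current Microsoft documentation, and run it from an elevated prompt because the UEFI variables are not readable otherwise.

```powershell
# Added example (not from the article or Microsoft): report whether this device already
# trusts the 2023 Secure Boot CAs that replace the expiring 2011 certificates.
# CA names are Microsoft's published certificate names; the Servicing registry value is
# assumed from Microsoft's Secure Boot update guidance and should be verified against it.

function Test-SecureBoot2023Rollover {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS or when Secure Boot is unsupported.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }

    # db holds the allowed signing CAs, KEK the keys permitted to update db/dbx. The
    # variables are raw DER blobs; the CA subject appears in them as an ASCII substring.
    $dbText = ''; $kekText = ''
    if ($enabled) {
        try {
            $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
            $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        } catch { Write-Warning "Could not read UEFI variables (elevation needed?): $($_.Exception.Message)" }
    }

    # Windows records rollover progress here (assumed key/value name; verify with Microsoft docs).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $servicing -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    if (-not $status) { $status = 'NotReported' }

    $result = [pscustomobject]@{
        SecureBootEnabled   = $enabled
        WindowsUefiCa2023   = [bool]($dbText  -match 'Windows UEFI CA 2023')
        MicrosoftUefiCa2023 = [bool]($dbText  -match 'Microsoft UEFI CA 2023')
        Kek2023             = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
        WindowsPca2011      = [bool]($dbText  -match 'Microsoft Windows Production PCA 2011')
        ServicingStatus     = $status
    }
    # Rollover is only complete once the new KEK and the new Windows CA are both present.
    # The 2011 CA legitimately stays in db alongside them until it expires, so its presence
    # alone says nothing about whether the device has been updated.
    $result | Add-Member -NotePropertyName RolloverComplete `
        -NotePropertyValue ($result.Kek2023 -and $result.WindowsUefiCa2023) -PassThru
}

Test-SecureBoot2023Rollover | Format-List
```

A device reporting SecureBootEnabled true, RolloverComplete false and ServicingStatus NotStarted is the case the section describes: it will keep booting after June 2026 but will not be able to take further boot-level updates until the new certificates land. Run the check across the fleet (for example via a Configuration Manager or Intune script) rather than on one reference machine, because firmware vendors differ in whether they accept the KEK update at all.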

New Windows Security Defaults

Microsoft also announced two new security initiatives under its Secure Future Initiative:

Windows Baseline Security Mode will enforce runtime integrity safeguards by default, so that only properly signed applications, services, and drivers are allowed to run.

User Transparency and Consent, comparable to Apple's macOS Transparency, Consent and Control (TCC) framework, will prompt users when an application attempts to access sensitive resources such as files, the camera, or the microphone.

Recommendation

Apply all February 2026 updates immediately, prioritizing the six zero-days. CISA's KEV deadline for federal agencies is March 3, 2026. Organizations running Remote Desktop Services (CVE-2026-21533), VPN infrastructure built on RasMan (CVE-2026-21525), or Office clients (CVE-2026-21510, -21513, -21514) should treat these patches as an emergency priority. Until they are deployed, filter .lnk and HTML attachments at the mail gateway and confirm that SmartScreen and Mark of the Web handling remain enabled on endpoints. Monitor for exploitation indicators, in particular unusual shortcut file or HTML attachment delivery, unexpected changes to service configuration and local Administrators group membership, and RasMan service crashes.
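The following PowerShell turns those monitoring points into a single-host hunt. It is an added example, not code from the article, Microsoft, or any of the vendors quoted above. The event IDs it uses are standard Windows ones (Security 4732 for a local group addition, System 7040 for a service start-type change, System 7031/7034 and Application 1000 for crashes); the RasMan service DLL name (rasmans.dll), the folders scanned for Mark of the Web lures, the 7-day lookback and the Patch Tuesday date used for the update check are assumptions. The Security log requires an elevated prompt.

```powershell
# Added example (not from the article or Microsoft): hunt a Windows host for the
# indicators the Recommendation lists. Event IDs are standard; rasmans.dll, the scanned
# folders, the 7-day window and the 2026-02-10 update date are assumptions.

function Get-AdminGroupAdditions {
    # Security 4732: member added to a security-enabled local group. Filter on the
    # well-known SID of BUILTIN\Administrators so the check survives localized group names.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetSid'] -eq 'S-1-5-32-544') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Member = $data['MemberSid']
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

function Get-ServiceConfigChanges {
    # System 7040: Service Control Manager recorded a start-type change for a service.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Get-RasManCrashes {
    # System 7031/7034: a service terminated unexpectedly. Application 1000: a process crashed.
    # Match the RasMan display name or its service DLL (rasmans.dll is an assumption).
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $scm = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $Since }
    $app = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $scm -ErrorAction SilentlyContinue) +
    @(Get-WinEvent -FilterHashtable $app -ErrorAction SilentlyContinue) |
        Where-Object { $_.Message -match 'Remote Access Connection Manager|rasmans' } |
        Select-Object TimeCreated, Id, Message
}

function Get-InternetMarkedLures {
    # Shortcut and HTML files that still carry a Mark of the Web (Zone.Identifier stream with
    # ZoneId 3 = Internet or 4 = Restricted): the file types the three SFB zero-days abuse.
    param(
        [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-ChildItem -Path $Paths -Recurse -File -Include *.lnk, *.html, *.htm, *.url -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -ge $Since | ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($zone -and ($zone -match '^ZoneId=[34]$')) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Written = $_.LastWriteTime
                    Source  = ($zone | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }) -join ' '
                }
            }
        }
}

function Get-RecentUpdates {
    # Coarse patch check: anything recorded as installed on or after Patch Tuesday (assumed 2026-02-10).
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2026-02-10' } |
        Select-Object HotFixID, Description, InstalledOn
}

# Collect everything, print counts, then the two highest-signal lists in full.
$report = [ordered]@{
    UpdatesSincePatchTuesday = @(Get-RecentUpdates)
    AdminGroupAdditions      = @(Get-AdminGroupAdditions)
    ServiceConfigChanges     = @(Get-ServiceConfigChanges)
    RasManCrashes            = @(Get-RasManCrashes)
    InternetMarkedLures      = @(Get-InternetMarkedLures)
}
$report.GetEnumerator() | ForEach-Object { '{0,-26} {1,4}' -f $_.Key, $_.Value.Count }
$report.AdminGroupAdditions | Format-Table -AutoSize
$report.InternetMarkedLures  | Format-Table -AutoSize
```

A non-empty AdminGroupAdditions list is the strongest signal here, since the CrowdStrike description of the CVE-2026-21533 exploit ends with exactly that: a user added to Administrators after a service configuration key is rewritten. Service start-type changes (7040) are noisy on their own, so correlate them with group additions in the same minute rather than alerting on them alone. The lure scan only finds files that still have their Zone.Identifier stream; a file delivered inside an archive or copied by a tool that drops the stream will not show up, so treat an empty result as absence of evidence, not evidence of absence.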
