Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for 58 vulnerabilities across Windows, Office, and related components, including six zero-days reported as actively exploited. Reported zero-days included CVE-2026-21533 (Windows Remote Desktop Services elevation of privilege), CVE-2026-21510 (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), CVE-2026-21513 and CVE-2026-21514 (Office/MSHTML mitigation bypasses requiring user interaction), and CVE-2026-21525 (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims.
For CVE-2026-21533 (CVSS 7.8, Important), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach SYSTEM by modifying a service configuration registry key to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, CVE-2026-20817 (CVSS 7.8), was described with technical detail and a released PoC: the WER service (wersvc.dll) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
Timeline
Feb 11, 2026
CISA adds six Microsoft February flaws to the KEV catalog
CISA added six Microsoft Windows and Office vulnerabilities from the February 2026 release to its Known Exploited Vulnerabilities catalog, citing active exploitation. The agency ordered U.S. federal civilian executive branch agencies to remediate the issues by March 3, 2026, and urged private organizations to prioritize patching as well.
Feb 10, 2026
Microsoft discloses three of the exploited February flaws were publicly known
Alongside the February 2026 Patch Tuesday release, Microsoft indicated that three of the six actively exploited vulnerabilities had also been publicly disclosed. These publicly known issues were security feature bypass flaws affecting Windows Shell, MSHTML/Trident, and Microsoft Word/OLE mitigations.
Feb 10, 2026
Microsoft releases February 2026 Patch Tuesday updates
Microsoft released its February 2026 Patch Tuesday security updates, fixing roughly 54-61 vulnerabilities across Windows, Office, Azure, Exchange Server, and related products. The release included six vulnerabilities that Microsoft said were actively exploited in the wild, spanning security feature bypass, elevation-of-privilege, and denial-of-service issues.
Feb 10, 2026
0patch finds RasMan DoS exploit in a public malware repository
0patch reported discovering exploit code for CVE-2026-21525, a Windows Remote Access Connection Manager denial-of-service flaw, in a public malware repository. The finding indicated the vulnerability was already accessible to attackers before Microsoft's February 2026 fixes.
Dec 24, 2025
CrowdStrike observes exploitation of RDS zero-day CVE-2026-21533
CrowdStrike reported that an exploit binary for the Windows Remote Desktop Services elevation-of-privilege flaw CVE-2026-21533 had been used against U.S. and Canada-based entities since at least December 24, 2025. The exploit modified a service configuration registry key to gain SYSTEM-level access and perform actions such as adding a user to the local Administrators group.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
5 more from sources like belgium ccb security advisories, cyberthrone, rapid7 blog, help net security and cso online
Related Stories
Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing **~58–59 vulnerabilities** across Windows and other products, including **six zero-day flaws confirmed as actively exploited in the wild** and **five Critical** issues. Reported vulnerability classes were led by **Elevation of Privilege (25)**, followed by **Remote Code Execution (12)** and **Security Feature Bypass (5)**, with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional *Edge* fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (`CVE-2026-0391`). One of the actively exploited zero-days highlighted across reporting is `CVE-2026-21510`, a **Windows Shell security feature bypass** that can be abused to evade **Mark-of-the-Web/SmartScreen-style warnings** by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of **updated Secure Boot certificates** ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
1 months ago
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
1 months ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
2 months ago