Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing ~58–59 vulnerabilities across Windows and other products, including six zero-day flaws confirmed as actively exploited in the wild and five Critical issues. Reported vulnerability classes were led by Elevation of Privilege (25), followed by Remote Code Execution (12) and Security Feature Bypass (5), with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional Edge fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (CVE-2026-0391).
One of the actively exploited zero-days highlighted across reporting is CVE-2026-21510, a Windows Shell security feature bypass. Specially crafted files (e.g., shortcut/link formats) can be used to evade Mark-of-the-Web/SmartScreen-style warnings so that untrusted content executes without the expected prompts, which makes the flaw well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of updated Secure Boot certificates ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
Timeline
Feb 11, 2026
CISA adds all six Microsoft zero-days to the KEV catalog
Following Microsoft's disclosure, CISA added the six actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. The agency set a remediation deadline of 2026-03-03 for U.S. Federal Civilian Executive Branch agencies to apply the fixes.
Feb 10, 2026
Microsoft begins rollout of updated Secure Boot certificates
As part of the February 2026 security release, Microsoft started a phased rollout of updated Secure Boot certificates to replace legacy 2011 certificates set to expire in June 2026. The change was described as important for maintaining Windows boot integrity, especially in environments with custom boot policies.
Feb 10, 2026
Microsoft fixes five other actively exploited zero-days in Windows and Office
Alongside CVE-2026-21510, Microsoft patched five additional exploited zero-days: CVE-2026-21513 in MSHTML, CVE-2026-21514 in Microsoft Word/Office, CVE-2026-21519 in Desktop Window Manager, CVE-2026-21525 in Remote Access Connection Manager, and CVE-2026-21533 in Remote Desktop Services. These bugs enabled security feature bypass, privilege escalation to SYSTEM, or local denial-of-service depending on the component affected.
Feb 10, 2026
Microsoft patches Windows Shell zero-day CVE-2026-21510
Microsoft fixed CVE-2026-21510, a Windows Shell security feature bypass that lets attackers use malicious link or shortcut files to evade Mark-of-the-Web protections such as SmartScreen and warning prompts. Microsoft credited MSTIC and Google Threat Intelligence Group with discovering the flaw, which was under active exploitation.
Feb 10, 2026
Microsoft releases February 2026 Patch Tuesday fixes for six exploited zero-days
On 2026-02-10, Microsoft issued its February Patch Tuesday security updates, fixing roughly 58-59 vulnerabilities across Windows, Office, Edge, and related products. The release included six zero-day flaws that Microsoft said were already being actively exploited in the wild.
Related Stories

Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.
1 month ago
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 month ago
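A detection sketch for the CVE-2026-21533 post-compromise pattern described in the summary above (a service registry write followed by an addition to the local Administrators group). It is an added example, not part of the original reporting or any vendor's rule. The normalized field names, the `Services` key prefix, the trusted-writer list, the five-minute window and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not from the reporting): key prefix, trusted writers, window.
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"
TRUSTED_WRITERS = {"nt authority\\system", "nt service\\trustedinstaller"}
WINDOW = timedelta(minutes=5)

# Constructed sample events, normalized to dicts (hypothetical field names).
# event_id 13   = Sysmon registry value set
# event_id 4732 = Security log: member added to a security-enabled local group
EVENTS = [
    {"ts": "2026-02-12T09:14:02", "host": "rds-01", "event_id": 13,
     "user": "CORP\\jdoe",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ExampleValue"},
    {"ts": "2026-02-12T09:14:40", "host": "rds-01", "event_id": 4732,
     "group": "Administrators", "member": "RDS-01\\svc_new"},
    # Benign: SYSTEM writes a service key, then an unrelated group change.
    {"ts": "2026-02-12T10:00:00", "host": "rds-02", "event_id": 13,
     "user": "NT AUTHORITY\\SYSTEM",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start"},
    {"ts": "2026-02-12T10:00:30", "host": "rds-02", "event_id": 4732,
     "group": "Administrators", "member": "CORP\\helpdesk"},
    # Untrusted write, but the group change falls outside the window.
    {"ts": "2026-02-12T11:00:00", "host": "rds-03", "event_id": 13,
     "user": "CORP\\asmith",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ExampleValue"},
    {"ts": "2026-02-12T13:00:00", "host": "rds-03", "event_id": 4732,
     "group": "Administrators", "member": "CORP\\asmith"},
]

def correlate(events, window=WINDOW):
    """Return (host, registry_target, added_member) for each correlated pair."""
    alerts, pending = [], {}  # pending: host -> [(write_time, target)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 13:
            # Service-key write by an account that should not be able to do it.
            if (ev["target"].lower().startswith(SERVICES_PREFIX)
                    and ev["user"].lower() not in TRUSTED_WRITERS):
                pending.setdefault(ev["host"], []).append((ts, ev["target"]))
        elif ev["event_id"] == 4732 and ev["group"].lower() == "administrators":
            for write_ts, target in pending.get(ev["host"], []):
                if timedelta(0) <= ts - write_ts <= window:
                    alerts.append((ev["host"], target, ev["member"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT:", alert)
```

Legitimate administrators and deployment tooling also write service keys, so the trusted-writer list needs tuning per environment before the rule is used for alerting.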
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
1 month ago