Microsoft's February Patch Tuesday Drops a Bombshell: Six Zero-Days Under Active Attack
Microsoft's February 2026 Patch Tuesday fixes 59 vulnerabilities, including six actively exploited zero-days. CISA has added all six to KEV with a March 3rd deadline. Critical bugs in Windows Shell, MSHTML, and Word, plus privilege escalation in Desktop Window Manager and Remote Desktop.
Microsoft released its February 2026 Patch Tuesday update this week, and security teams across the globe collectively groaned. The company patched 59 vulnerabilities, which sounds manageable until you learn that six of them are already being actively exploited in the wild. CISA didn't waste time—all six landed in the Known Exploited Vulnerabilities catalog with a March 3rd compliance deadline for federal agencies.
The two nastiest bugs both carry 8.8 CVSS scores. CVE-2026-21510 affects Windows Shell, while CVE-2026-21513 targets the MSHTML Framework, the core component Windows uses to render HTML content across the operating system. Security researchers at Action1 described the attack scenario bluntly: a carefully crafted file can bypass Windows security prompts entirely and trigger dangerous actions with a single click. No warning dialogs, no "are you sure?" confirmations. Just immediate execution.
CVE-2026-21514 runs the same play against Microsoft Word specifically. If your users have ever opened a document from an unknown sender—and let's not pretend they haven't—this is the vulnerability that makes that habit genuinely dangerous.
The privilege escalation pair is arguably worse for organizations that have already been compromised. CVE-2026-21519 exists in the Desktop Window Manager, while CVE-2026-21533 lurks in Remote Desktop services. Both let attackers who've already gained initial access jump straight to SYSTEM privileges. Kev Breen from Immersive Labs explained the implications: once an attacker has SYSTEM access, they can disable security tools, deploy additional malware, and begin the methodical march toward full domain compromise.
Rounding out the half-dozen is CVE-2026-21525, a denial-of-service bug in the Remote Access Connection Manager. At 6.2, it's the lowest severity of the group, but it comes with an interesting backstory. Researchers at 0patch stumbled onto this vulnerability back in December 2025 while investigating a related issue. Microsoft took roughly two months to ship a fix, which says something about the complexity of the underlying code—or the company's patch prioritization.
Microsoft's own security teams and Google's Threat Intelligence Group discovered the first three zero-days, flagging them as publicly known before the patch even dropped. Whether all six are connected to the same campaign remains unclear, but when you see this many actively exploited vulnerabilities patched simultaneously, it's reasonable to assume someone's been having a productive quarter.
Beyond the zero-days, the overall breakdown skews toward privilege escalation: 25 patches fall into that category, followed by 12 remote code execution fixes. The severity split shows 5 Critical, 52 Important, and 2 Moderate, with a smattering of spoofing, information disclosure, and security feature bypasses filling out the list.
Microsoft is also rolling out new Secure Boot certificates to replace the original 2011 certificates that expire this June. The update installs automatically through Windows Update, but systems that miss it will enter what Microsoft calls a "degraded security state"—unable to receive future boot-level protections. It's the kind of slow-motion security debt that compounds over time.
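To find out whether a given machine has actually picked up the replacement certificates rather than silently missing the update, here is an added PowerShell check (my own example, not code from the article or from Microsoft): it reads the UEFI db and KEK variables and looks for the 2023 CA names that replace the 2011 ones. The UEFICA2023Status registry value is an assumption about Microsoft's Secure Boot servicing key and should be verified against current Microsoft documentation.

```powershell
# Added example: report whether this host has received the replacement
# Secure Boot certificates. Run from an elevated PowerShell session on a
# UEFI system with Secure Boot enabled.

function Get-SecureBootCertState {
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled; certificate checks are meaningless here."
    }

    # Read the UEFI signature databases as raw bytes and search for the CA names.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result = [ordered]@{
        'DB has Windows UEFI CA 2023'       = $dbText  -match 'Windows UEFI CA 2023'
        'DB has Microsoft UEFI CA 2023'     = $dbText  -match 'Microsoft UEFI CA 2023'
        'KEK has Microsoft KEK 2K CA 2023'  = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
        'DB still has 2011 Windows PCA'     = $dbText  -match 'Microsoft Windows Production PCA 2011'
    }

    # Assumed servicing status value (NotStarted / InProgress / Updated);
    # the value is simply absent on hosts that have not started the rollout.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $result['UEFICA2023Status'] = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).UEFICA2023Status

    [pscustomobject]$result
}

$state = Get-SecureBootCertState
$state | Format-List

# A host without the 2023 Windows CA in DB is the one that ends up in the
# "degraded security state" once the 2011 certificates expire.
if (-not $state.'DB has Windows UEFI CA 2023') {
    Write-Warning "Windows UEFI CA 2023 is not in DB: this device will not receive future boot-level protections."
}
```

Run it across your fleet (for example via your endpoint management tool) and treat any host reporting the 2011 PCA only as unpatched for the purposes of the June expiry.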
The recommendation here is straightforward: patch this week. Not during the next maintenance window, not when the team gets around to it. The threat actors exploiting these vulnerabilities already have a head start. For enterprise environments, prioritize the MSHTML and Windows Shell bugs first—those network-based attacks will be the low-hanging fruit for initial access. Then move to the privilege escalation fixes to limit the blast radius for anyone who's already inside.
And maybe it's worth auditing who in your organization is still double-clicking on unexpected email attachments. Old habits die hard, but so do compromised networks.