Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for 58 vulnerabilities across Windows, Office, and related components, including six zero-days reported as actively exploited. Reported zero-days included CVE-2026-21533 (Windows Remote Desktop Services elevation of privilege), CVE-2026-21510 (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), CVE-2026-21513 and CVE-2026-21514 (Office/MSHTML mitigation bypasses requiring user interaction), and CVE-2026-21525 (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims.
For CVE-2026-21533 (CVSS 7.8, Important), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach SYSTEM by modifying a service configuration registry key to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group. The issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments.
Separately, a local privilege escalation in Windows Error Reporting patched in January 2026, CVE-2026-20817 (CVSS 7.8), was described with technical detail and a released PoC. The WER service (wersvc.dll) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege). The case underscores the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds six Microsoft February flaws to the KEV catalog
CISA added six Microsoft Windows and Office vulnerabilities from the February 2026 release to its Known Exploited Vulnerabilities catalog, citing active exploitation. The agency ordered U.S. federal civilian executive branch agencies to remediate the issues by March 3, 2026, and urged private organizations to prioritize patching as well.
Microsoft discloses three of the exploited February flaws were publicly known
Alongside the February 2026 Patch Tuesday release, Microsoft indicated that three of the six actively exploited vulnerabilities had also been publicly disclosed. These publicly known issues were security feature bypass flaws affecting Windows Shell, MSHTML/Trident, and Microsoft Word/OLE mitigations.
Microsoft releases February 2026 Patch Tuesday updates
Microsoft released its February 2026 Patch Tuesday security updates, fixing roughly 54-61 vulnerabilities across Windows, Office, Azure, Exchange Server, and related products. The release included six vulnerabilities that Microsoft said were actively exploited in the wild, spanning security feature bypass, elevation-of-privilege, and denial-of-service issues.
0patch finds RasMan DoS exploit in a public malware repository
0patch reported discovering exploit code for CVE-2026-21525, a Windows Remote Access Connection Manager denial-of-service flaw, in a public malware repository. The finding indicated the vulnerability was already accessible to attackers before Microsoft's February 2026 fixes.
CrowdStrike observes exploitation of RDS zero-day CVE-2026-21533
CrowdStrike reported that an exploit binary for the Windows Remote Desktop Services elevation-of-privilege flaw CVE-2026-21533 had been used against U.S. and Canada-based entities since at least December 24, 2025. The exploit modified a service configuration registry key to gain SYSTEM-level access and perform actions such as adding a user to the local Administrators group.
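The behaviour reported for CVE-2026-21533 (a service configuration registry write followed by an addition to the local Administrators group) can be hunted for by correlating two event types per host. The sketch below is an added example, not code from the page or from CrowdStrike. The page does not name the registry key, so watching every key under `Services\`, the non-SYSTEM writer filter, the 10-minute window, the normalised field names and all sample events are assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # built-in local Administrators group
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed sample events (not from the page), normalised from Sysmon
# Event ID 13 (registry value set) and Security Event ID 4732 (member added
# to a security-enabled local group). Field names are hypothetical.
EVENTS = [
    {"ts": "2026-02-01T10:00:00", "host": "ts01", "id": 13, "user": "CORP\\alice",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath"},
    {"ts": "2026-02-01T10:02:30", "host": "ts01", "id": 4732,
     "group_sid": ADMINS_SID, "member": "ts01\\support2"},
    {"ts": "2026-02-01T11:00:00", "host": "ts02", "id": 13,
     "user": "NT AUTHORITY\\SYSTEM",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Start"},
    {"ts": "2026-02-01T11:01:00", "host": "ts02", "id": 4732,
     "group_sid": ADMINS_SID, "member": "ts02\\helpdesk"},
    {"ts": "2026-02-01T12:00:00", "host": "ts03", "id": 13, "user": "CORP\\bob",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath"},
    {"ts": "2026-02-01T13:30:00", "host": "ts03", "id": 4732,
     "group_sid": ADMINS_SID, "member": "ts03\\late"},
]

def correlate(events, window=WINDOW):
    """Return (host, writer, key, added member) for each Administrators
    addition that follows a non-SYSTEM service-key write on the same host."""
    last_write = {}  # host -> (time, user, key) of latest suspicious write
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 13:
            by_system = ev["user"].upper() == "NT AUTHORITY\\SYSTEM"
            if ev["target"].lower().startswith(SERVICES_KEY) and not by_system:
                last_write[ev["host"]] = (ts, ev["user"], ev["target"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            prior = last_write.get(ev["host"])
            if prior and ts - prior[0] <= window:
                alerts.append((ev["host"], prior[1], prior[2], ev["member"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

On the constructed data only `ts01` alerts: the `ts02` write came from SYSTEM, and the `ts03` group change falls outside the window.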
Sources
U.S. CISA adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Microsoft Patch Tuesday February 2026 Fixes 6 Zero-Days
thecyberexpress.com
Patch Panic: Microsoft Fixes 6 Active Zero-Days in Feb 2026 Update
securityonline.info
Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges
cybersecuritynews.com
Microsoft Patch Tuesday February 2026 - TheCyberThrone
thecyberthrone.in
Patch Tuesday - February 2026
rapid7.com
Microsoft Patch Tuesday: 6 exploited zero-days fixed in February 2026 - Help Net Security
helpnetsecurity.com
February 2026 Patch Tuesday: Six new and actively exploited Microsoft vulnerabilities addressed | CSO Online
csoonline.com


