Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing ~58–59 vulnerabilities across Windows and other products, including six zero-day flaws confirmed as actively exploited in the wild and five Critical issues. Reported vulnerability classes were led by Elevation of Privilege (25), followed by Remote Code Execution (12) and Security Feature Bypass (5), with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional Edge fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (CVE-2026-0391).
One of the actively exploited zero-days highlighted across reporting is CVE-2026-21510, a Windows Shell security feature bypass that can be abused to evade Mark-of-the-Web/SmartScreen-style warnings by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of updated Secure Boot certificates ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds all six Microsoft zero-days to the KEV catalog
Following Microsoft's disclosure, CISA added the six actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. The agency set a remediation deadline of 2026-03-03 for U.S. Federal Civilian Executive Branch agencies to apply the fixes.
Microsoft begins rollout of updated Secure Boot certificates
As part of the February 2026 security release, Microsoft started a phased rollout of updated Secure Boot certificates to replace legacy 2011 certificates set to expire in June 2026. The change was described as important for maintaining Windows boot integrity, especially in environments with custom boot policies.
Microsoft fixes five other actively exploited zero-days in Windows and Office
Alongside CVE-2026-21510, Microsoft patched five additional exploited zero-days: CVE-2026-21513 in MSHTML, CVE-2026-21514 in Microsoft Word/Office, CVE-2026-21519 in Desktop Window Manager, CVE-2026-21525 in Remote Access Connection Manager, and CVE-2026-21533 in Remote Desktop Services. These bugs enabled security feature bypass, privilege escalation to SYSTEM, or local denial-of-service depending on the component affected.
Microsoft patches Windows Shell zero-day CVE-2026-21510
Microsoft fixed CVE-2026-21510, a Windows Shell security feature bypass that lets attackers use malicious link or shortcut files to evade Mark-of-the-Web protections such as SmartScreen and warning prompts. Microsoft credited MSTIC and Google Threat Intelligence Group with discovering the flaw, which was under active exploitation.
Microsoft releases February 2026 Patch Tuesday fixes for six exploited zero-days
On 2026-02-10, Microsoft issued its February Patch Tuesday security updates, fixing roughly 58-59 vulnerabilities across Windows, Office, Edge, and related products. The release included six zero-day flaws that Microsoft said were already being actively exploited in the wild.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Microsoft’s February Patch Tuesday Fixes 6 Zero-Days Under Attack
techrepublic.com
Open sourceMicrosoft Patch Tuesday: February 2026 - Arctic Wolf
arcticwolf.com
Open sourceMicrosoft Patch Tuesday: February 2026 - Arctic Wolf
arcticwolf.com
Open sourceHalf a dozen exploited zero-days fixed by Microsoft | SC Media
scworld.com
Open sourceWindows Shell Security Feature 0-Day Vulnerability Let Attackers Bypass Authentication
cybersecuritynews.com
Open sourceMicrosoft’s February 2026 Patch Tuesday: Six Zero-Days, 58 flaws Patched Amid Growing Exploit Activity - SecPod Blog
secpod.com
Open sourceMicrosoft says hackers are exploiting critical zero-day bugs to target Windows and Office users | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.
Mar 21, 2026
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
Mar 21, 2026
Microsoft Issues Record Patch Tuesday With 206 Fixes and Multiple Zero-Day Risks
Microsoft released its largest Patch Tuesday update to date, fixing **206 vulnerabilities** across Windows, Office, Azure, Exchange, SharePoint, SQL Server, Visual Studio, Copilot-related offerings, and other products. Multiple reports said the release included **three publicly disclosed zero-days**, while Microsoft separately noted an earlier out-of-band fix for the actively exploited Microsoft Defender flaw `CVE-2026-41091`. Publicly disclosed issues in the June bundle included `CVE-2026-50507`, a **BitLocker** security feature bypass that could expose encrypted data with physical access and available proof-of-concept code, and `CVE-2026-45586`, a **Windows CTFMON** elevation-of-privilege flaw that could let a low-privileged local attacker gain **SYSTEM** access. JPCERT/CC also warned that Microsoft disclosed active exploitation of `CVE-2026-42897`, a spoofing flaw in **Microsoft Exchange Server**.
Jun 20, 2026