Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing ~58–59 vulnerabilities across Windows and other products, including six zero-day flaws confirmed as actively exploited in the wild and five Critical issues. Reported vulnerability classes were led by Elevation of Privilege (25), followed by Remote Code Execution (12) and Security Feature Bypass (5), with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional Edge fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (CVE-2026-0391).
One of the actively exploited zero-days highlighted across reporting is CVE-2026-21510, a Windows Shell security feature bypass that can be abused to evade Mark-of-the-Web/SmartScreen-style warnings by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of updated Secure Boot certificates ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
Related Entities
Vulnerabilities
Organizations
Sources
3 more from sources like cyber security news, secpod blog and techcrunch com security
Related Stories
Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.
1 months ago
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 months ago
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
5 days ago