Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple actively exploited vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as CVE-2026-21514. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass Object Linking and Embedding (OLE)-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and user interaction (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings.
Microsoft also addressed an in-the-wild exploited Windows Desktop Window Manager (dwm.exe) elevation-of-privilege vulnerability, CVE-2026-21519 (CVSS 7.8), which can allow a local attacker to escalate from a standard user context to SYSTEM. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in Windows Shell (CVE-2026-21510) and Internet Explorer (CVE-2026-21513), plus other exploited vulnerabilities (e.g., Windows Remote Desktop Services EoP CVE-2026-21533), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA sets federal patch deadline for Word zero-day
CISA set a 2026-03-03 deadline for U.S. federal civilian agencies to remediate CVE-2026-21514 after it was disclosed as actively exploited. The directive elevated urgency around patching the Microsoft Word zero-day.
Microsoft patches exploited DWM zero-day CVE-2026-21519 in February updates
On 2026-02-10, Microsoft addressed CVE-2026-21519 in the February 2026 security update, fixing an actively exploited Windows Desktop Window Manager flaw that could allow local privilege escalation to SYSTEM. The issue affects multiple Windows 10, Windows 11, and Windows Server versions, with no workaround other than patching.
Microsoft issues Office fixes for Word zero-day CVE-2026-21514
Microsoft released Click-to-Run updates for affected Windows and Mac Office products to address CVE-2026-21514, including version 16.106.26020821. The fixes cover multiple Office product lines such as Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024.
Microsoft discloses actively exploited Word zero-day CVE-2026-21514
On 2026-02-10, Microsoft disclosed CVE-2026-21514, a Microsoft Word security feature bypass flaw that abuses untrusted input handling to bypass OLE mitigations for malicious COM/OLE controls. The vulnerability was reported as actively exploited in the wild and can be triggered when a user opens a specially crafted Office document.
Microsoft's February 2026 security updates disclose multiple exploited zero-days
On 2026-02-10, Microsoft's February 2026 security release was reviewed publicly, listing several vulnerabilities as exploited in the wild, including Microsoft Word security feature bypass CVE-2026-21514 and Desktop Window Manager elevation-of-privilege CVE-2026-21519. The release also covered fixes across Windows, Office, Azure, and other Microsoft products.
Sources
Microsoft Office Word 0-day Vulnerability Actively Exploited in the Wild (cybersecuritynews.com)
Desktop Window Manager 0-Day Vulnerability Allows Attacker to Elevate Privileges (cybersecuritynews.com)
Zero Day Initiative - The February 2026 Security Update Review (zerodayinitiative.com)


