Microsoft February 2026 Patch Tuesday: 6 Zero-Days Under Active Attack — What You Need to Patch NOW
Six zero-day vulnerabilities. All actively exploited. One already weaponized since December 2025. And you have until March 3rd to patch them all.
If you manage Windows systems—whether a home PC, corporate endpoint, or enterprise server farm—stop what you're doing and read this. Microsoft's February 2026 Patch Tuesday, released on February 10th, represents one of the most dangerous security updates in recent memory. With six zero-day vulnerabilities under active exploitation in the wild, this isn't a routine "patch when convenient" situation. This is a "patch now or become a statistic" emergency.
CISA has already added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog with a hard deadline of March 3, 2026 for federal agencies. But make no mistake—private organizations face the same threat actors using the same exploits. The only difference is you don't have a federal mandate forcing compliance.
Let's break down what you're up against, which systems are affected, and exactly what to patch first.
The Headline Numbers
Before we dive deep, here's what February 2026 looks like by the numbers:
| Metric | February 2026 | Context |
|---|---|---|
| Total CVEs Patched | 54-59 | Below average (typical: 80-120) |
| Zero-Days (Actively Exploited) | 6 | Tied for highest ever with March 2025 |
| Publicly Disclosed Before Patch | 3 | Above average |
| Critical Severity | 2-5 | Below average |
| CISA KEV Additions | 6 | All zero-days added same day |
The relatively low total CVE count is deceptive. What matters is the quality of vulnerabilities attackers are exploiting, not quantity. Six zero-days means threat actors had six different entry points into your systems before patches even existed.
For context: Microsoft addressed 41 zero-days across all of 2025. February 2026 alone accounts for roughly 15% of that total—in a single month.
As Trend Micro's Zero Day Initiative bluntly put it: "The number of bugs under active attack is extraordinarily high."
Why This Patch Tuesday is Different
Every month brings security patches. What makes February 2026 exceptional?
1. Three Security Feature Bypasses That Make Phishing Actually Dangerous
Three of the six zero-days (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514) bypass Windows security warnings—the "Are you sure you want to run this?" dialogs that stand between your users and catastrophe. When these protections are bypassed, phishing attacks become nearly frictionless. Users click, malware runs, no warning appears.
2. Professional-Grade Exploits Already Circulating
When security researchers at 0patch (ACROS Security) discovered one of these vulnerabilities in December 2025, they found the exploit in a public malware repository. Their assessment? The code quality suggested "professional work"—not amateur script kiddie stuff, but sophisticated tooling likely developed by well-resourced threat actors.
3. Confirmed Six-Week Pre-Patch Exploitation
CrowdStrike's Advanced Research Team revealed something alarming: one of these zero-days (CVE-2026-21533) was actively used against U.S. and Canada-based entities since at least December 24, 2025. That's more than six weeks of exploitation before patches became available. If you haven't patched yet, you need to assume compromise and hunt for indicators.
4. Coordinated Discovery Suggests Coordinated Attacks
Multiple vulnerabilities were discovered by overlapping teams—Microsoft Threat Intelligence Center (MSTIC), Google Threat Intelligence Group (GTIG), Microsoft Security Response Center (MSRC), and CrowdStrike. When multiple premier threat intelligence teams simultaneously discover related vulnerabilities, it often indicates they're tracking the same advanced threat campaign.
The Six Zero-Days: Deep Dive
Let's examine each vulnerability in detail, starting with the most urgent.
CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege
The one that's been exploited since December.
| Attribute | Details |
|---|---|
| CVSS Score | 7.8 - 8.8 (High) |
| Severity | Important |
| Affected Component | Windows Remote Desktop Services (RDS) |
| Attack Vector | Local |
| Publicly Disclosed | No |
| Actively Exploited | Yes |
| Exploitation Confirmed Since | December 24, 2025 |
What It Does
This vulnerability allows an attacker with basic local access to escalate their privileges to SYSTEM—the highest privilege level in Windows. The flaw exists in how Windows Remote Desktop Services manages privileges, specifically through improper handling of service configuration keys.
How Attackers Use It
According to CrowdStrike's technical analysis:
"The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group."
Translation: Get basic access to a system (phishing, stolen credentials, whatever), run this exploit, become Administrator instantly.
Why It's Critical
CrowdStrike issued a stark warning about what happens now that the patch is public:
"Microsoft's public disclosure of CVE-2026-21533 will almost certainly encourage threat actors possessing CVE-2026-21533 exploit binaries, as well as any exploit brokers possessing the underlying exploit, to use or monetize the exploits in the near term."
In other words: every criminal who had this exploit is now racing to use it before systems get patched. Every exploit broker is selling it at a premium. The clock is ticking.
Who's Affected
- All Windows versions with Remote Desktop Services
- Windows Server (all supported versions)
- Windows 10 and 11 workstations
Detection Note
Since this was exploited for 6+ weeks before patches, consider running threat hunting queries looking for:
- Unexpected Administrator group changes
- Modified service configurations
- New local accounts created in December 2025 - February 2026
CVE-2026-21510: Windows Shell Security Feature Bypass
The SmartScreen killer.
| Attribute | Details |
|---|---|
| CVSS Score | 7.5 - 8.8 (High) |
| Severity | Important |
| Affected Component | Windows Shell |
| Attack Vector | Network (requires user interaction) |
| Publicly Disclosed | Yes |
| Actively Exploited | Yes |
What It Does
This vulnerability bypasses two critical Windows security features: SmartScreen and Windows Shell security prompts. These are the warnings that appear when you try to open a downloaded file or executable from the internet—the Mark of the Web (MoTW) protection system.
When bypassed, downloaded malware can execute silently without any warning dialog.
How Attackers Use It
The attack flow is disturbingly simple:
- Attacker sends email with malicious .lnk (shortcut) file
- User clicks the file
- Normally: Windows displays "This file came from the internet and may be dangerous" warning
- With this exploit: No warning appears
- Malicious payload executes immediately
Why It's Critical
SmartScreen and MoTW warnings are often the last line of defense against phishing. They're the final speed bump between a user's click and malware execution. Bypassing them makes social engineering attacks dramatically more effective.
Who Discovered It
- Microsoft Threat Intelligence Center (MSTIC)
- Microsoft Security Response Center (MSRC)
- Office Product Group Security Team
- Google Threat Intelligence Group (GTIG)
- Anonymous researcher
The multi-team discovery suggests this was found while tracking an active threat campaign.
CVE-2026-21513: MSHTML Framework Security Feature Bypass
The legacy browser component that won't die.
| Attribute | Details |
|---|---|
| CVSS Score | 8.8 (High) |
| Severity | Important |
| Affected Component | MSHTML Framework (Internet Explorer Trident engine) |
| Attack Vector | Network (requires user interaction) |
| Publicly Disclosed | Yes |
| Actively Exploited | Yes |
What It Does
"Wait, Internet Explorer is dead—why am I patching it?"
Great question. While Internet Explorer as a standalone browser is discontinued, its rendering engine (MSHTML/Trident) lives on throughout Windows. It's embedded in various applications for displaying HTML content, and it's still present in every Windows installation.
This vulnerability bypasses security checks when MSHTML processes malicious content, potentially weakening browser or Office sandbox protections.
How Attackers Use It
According to Action1's analysis:
"A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click."
Attack vectors include:
- Malicious HTML files
- Crafted .lnk shortcut files that leverage MSHTML for rendering
- Any application using MSHTML to display web content
Why It Matters Even Though IE Is Dead
Every Windows system still has MSHTML components. Many enterprise applications still use MSHTML for embedded web rendering. Legacy doesn't mean obsolete when it comes to attack surface.
CVE-2026-21514: Microsoft Word Security Feature Bypass
The Office document that disarms your defenses.
| Attribute | Details |
|---|---|
| CVSS Score | 5.5 - 8.1 (varies by configuration) |
| Severity | Important |
| Affected Component | Microsoft Word, Microsoft 365, Microsoft Office |
| Attack Vector | Local (requires user to open malicious file) |
| Publicly Disclosed | Yes |
| Actively Exploited | Yes |
What It Does
This vulnerability bypasses OLE (Object Linking and Embedding) mitigations—security controls designed to protect users from malicious embedded objects in Office documents. It works by exploiting how Word makes security decisions based on untrusted input.
How Attackers Use It
Classic phishing attack flow:
- Attacker sends email with malicious Word document
- User opens document
- Embedded malicious object executes
- OLE mitigations that should have blocked execution are bypassed
Note: The Preview Pane is NOT an attack vector here. Users must actually open the document.
Historical Context
This vulnerability bears strong similarity to CVE-2026-21509, which Microsoft addressed with an emergency out-of-band update in January 2026 due to active exploitation. The pattern suggests attackers are systematically probing Office's OLE handling for bypass techniques.
CVE-2026-21519: Desktop Window Manager Elevation of Privilege
Type confusion leads to SYSTEM.
| Attribute | Details |
|---|---|
| CVSS Score | 7.8 (High) |
| Severity | Important |
| Affected Component | Desktop Window Manager (DWM) |
| Attack Vector | Local |
| Publicly Disclosed | No |
| Actively Exploited | Yes |
What It Does
The Desktop Window Manager is a Windows service responsible for rendering your graphical user interface—windows, transparency effects, animations. It runs on every Windows system with a GUI.
This vulnerability is a type confusion flaw where DWM treats one type of data as another, leading to unintended behavior that attackers can exploit for privilege escalation.
How Attackers Use It
- Attacker already has local access (low-privilege user)
- Runs crafted exploit program
- DWM processes malformed data
- Type confusion triggers
- Attacker gains SYSTEM privileges
No user interaction required once attacker has initial access.
Post-Exploitation Impact
With SYSTEM access, attackers can:
- Disable security tools (EDR, antivirus)
- Deploy additional malware
- Access credential stores
- Create persistence mechanisms
- Move laterally to other systems
- Potentially compromise the entire domain
CVE-2026-21525: Windows Remote Access Connection Manager DoS
The VPN killer.
| Attribute | Details |
|---|---|
| CVSS Score | 6.2 (Medium) |
| Severity | Moderate |
| Affected Component | Windows Remote Access Connection Manager (RasMan) |
| Attack Vector | Local |
| Publicly Disclosed | No |
| Actively Exploited | Yes |
What It Does
This is a null pointer dereference vulnerability in the RasMan service—the Windows component that manages VPN and dial-up connections. A local attacker can crash the service, causing denial of service.
"A DoS vulnerability? That's just an annoyance."
Not in this case. Let me explain why this matters more than the "Medium" severity suggests.
The VPN Cascade Problem
Automox's Ryan Braunstein highlighted a critical enterprise impact:
"Organizations using always-on VPN face severe risk. VPN service crash causes endpoints with 'fail close' policies to lose network access. IT teams cannot reach affected machines to patch them."
The attack scenario:
- Attacker compromises endpoint (phishing, browser exploit, etc.)
- Runs simple script that crashes RasMan
- VPN connection dies
- Endpoint with "fail close" policy loses all network connectivity
- IT team can't remotely access the machine to fix it
- Machine requires physical intervention
Scale this to hundreds of remote workers, and you've got a logistical nightmare.
The Distraction Attack
Worse: crashing VPN services can serve as a distraction. While IT scrambles to restore connectivity for hundreds of disconnected users, attackers conduct actual exfiltration or lateral movement elsewhere in the network.
Discovery History
0patch (ACROS Security) discovered this exploit in December 2025 in a public malware repository while investigating a related vulnerability (CVE-2025-59230). The combined exploit quality suggested professional development.
Attack Chains: How These Vulnerabilities Work Together
Individual vulnerabilities tell one story. Attack chains tell the real story.
Chain 1: Phishing → Code Execution → Full Compromise
```text
┌─ 1. INITIAL ACCESS
│    • Attacker sends email with malicious .lnk file
│    • CVE-2026-21510 bypasses SmartScreen warnings
│    • User clicks without seeing security prompts
│
├─ 2. EXECUTION
│    • Malware runs with user-level privileges
│    • Establishes initial foothold
│
├─ 3. PRIVILEGE ESCALATION
│    • CVE-2026-21519 (DWM) OR CVE-2026-21533 (RDS)
│    • Attacker escalates to SYSTEM
│
└─ 4. FULL COMPROMISE
     • Disable security tools
     • Dump credentials
     • Deploy ransomware/backdoors
     • Move laterally
```
Chain 2: Document-Based Attack
```text
┌─ 1. DELIVERY
│    • Malicious Word document via email/download
│    • "Invoice.docx" or "Report.docx"
│
├─ 2. BYPASS
│    • CVE-2026-21514 bypasses OLE mitigations
│    • Embedded malicious content executes
│
├─ 3. ESCALATION
│    • CVE-2026-21533 adds attacker to Admin group
│    • SYSTEM access achieved
│
└─ 4. PERSISTENCE
     • Create backdoor accounts
     • Install remote access tools
     • Establish command & control
```
Chain 3: VPN Disruption + Exfiltration
```text
PARALLEL ATTACK

Thread A: DISTRACTION             Thread B: REAL ATTACK
├─ Initial foothold               ├─ Already in network
├─ CVE-2026-21525 crash RasMan    ├─ Begin data exfiltration
├─ VPN dies enterprise-wide       ├─ Deploy ransomware
├─ IT scrambles to fix VPN        ├─ Destroy backups
└─ (They're not watching B)       └─ Ransom note appears
```
CISA Deadline: March 3, 2026
On February 10, 2026—the same day as Patch Tuesday—CISA added all six zero-days to its Known Exploited Vulnerabilities (KEV) catalog.
KEV Catalog Entries
| CVE | CISA Description | Deadline |
|---|---|---|
| CVE-2026-21510 | Microsoft Windows Shell Protection Mechanism Failure | March 3, 2026 |
| CVE-2026-21513 | Microsoft MSHTML Framework Security Feature Bypass | March 3, 2026 |
| CVE-2026-21514 | Microsoft Office Word Reliance on Untrusted Inputs | March 3, 2026 |
| CVE-2026-21519 | Microsoft Windows Type Confusion Vulnerability | March 3, 2026 |
| CVE-2026-21525 | Microsoft Windows NULL Pointer Dereference | March 3, 2026 |
| CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege | March 3, 2026 |
Who Must Comply
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to:
- Apply patches by the specified due date
- Protect networks against attacks exploiting cataloged vulnerabilities
- Report compliance status
Private Sector Recommendation
CISA doesn't just mandate federal compliance—they explicitly recommend all organizations treat KEV entries seriously:
"CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice."
Translation: Just because you're not legally required to patch by March 3rd doesn't mean you shouldn't. The same threat actors targeting federal agencies are targeting you.
Patch Prioritization: What to Fix First
Not all patches are created equal. Here's your prioritization guide based on exploitation risk, impact, and attack surface.
Tier 1: IMMEDIATE — Patch Within 24-48 Hours
These are actively exploited with public disclosure and/or confirmed widespread attacks.
| CVE | Component | Why Immediate |
|---|---|---|
| CVE-2026-21533 | Remote Desktop Services | Exploited since December 2025; post-patch surge expected |
| CVE-2026-21510 | Windows Shell | Publicly disclosed; bypasses SmartScreen; phishing enabler |
| CVE-2026-21513 | MSHTML Framework | Publicly disclosed; bypasses security prompts |
| CVE-2026-21514 | Microsoft Word | Publicly disclosed; OLE bypass; document-based attacks |
Action Steps:
```powershell
# Requires the PSWindowsUpdate module (Install-Module PSWindowsUpdate); run elevated
# Check for pending updates
Get-WindowsUpdate -MicrosoftUpdate
# Install February 2026 cumulative update
Install-WindowsUpdate -AcceptAll -AutoReboot
# Verify installation
Get-HotFix | Where-Object { $_.InstalledOn -gt "2026-02-10" }
```
For enterprises using WSUS/SCCM/Intune:
```powershell
# WSUS: Approve February 2026 updates for immediate deployment
# Classification: Security Updates
# Product: Windows 10, Windows 11, Windows Server, Microsoft Office
# Verify deployment status (UpdateServices module, run on the WSUS server):
# approved security updates that at least one computer still needs or failed to install
Get-WsusUpdate -Classification Security -Approval Approved -Status FailedOrNeeded |
    Where-Object { $_.ComputersNeedingThisUpdate -gt 0 }
```
Tier 2: HIGH PRIORITY — Patch Within 72 Hours
Actively exploited but requires local access. Part of attack chains.
| CVE | Component | Why High Priority |
|---|---|---|
| CVE-2026-21519 | Desktop Window Manager | Grants SYSTEM; no user interaction needed once local |
Why not Tier 1? Requires attacker to already have local access. However, combined with Tier 1 security bypasses, this completes compromise chains. Patch immediately after Tier 1.
Tier 3: PRIORITY — Patch Within 1 Week
Lower severity but operational impact. Actively exploited.
| CVE | Component | Why Priority |
|---|---|---|
| CVE-2026-21525 | Remote Access Connection Manager | VPN disruption; distraction attacks; cascade failures |
Why Tier 3? Medium severity, DoS only. However, if your organization relies on always-on VPN, move this to Tier 2.
Bonus: Critical Non-Zero-Day Patches
While focused on zero-days, don't ignore these CVSS 9.8 critical vulnerabilities:
| CVE | Component | CVSS |
|---|---|---|
| CVE-2026-21531 | Azure SDK for Python | 9.8 (Critical) |
| CVE-2026-24300 | Azure Front Door | 9.8 (Critical) |
If you use Azure SDK for Python or Azure Front Door, patch these simultaneously with Tier 1.
Step-by-Step Remediation Guide
For Individual Users / Small Businesses
- Check for updates immediately:
  - Settings → Windows Update → Check for updates
  - Install all available updates
  - Restart when prompted
- Update Microsoft Office:
  - Open any Office app → File → Account → Update Options → Update Now
  - Or via Microsoft 365 admin center
- Verify patches applied:
  - Settings → Windows Update → Update history
  - Look for "2026-02 Cumulative Update"
For Enterprise IT Teams
Phase 1: Emergency Deployment (Day 1-2)
```powershell
# 1. Identify unpatched systems
# Example using SCCM/ConfigMgr (ConfigurationManager module)
Get-CMDevice -CollectionName "All Windows Workstations" |
    Where-Object { $_.LastUpdateScan -lt "2026-02-10" } |
    Export-Csv "unpatched-systems.csv"

# 2. Deploy to high-risk systems first
# - Executive workstations
# - Systems with RDP enabled
# - User-facing endpoints (phishing targets)

# 3. Verify deployment (ActiveDirectory module; Get-HotFix needs RPC access to each host)
$unpatched = Get-ADComputer -Filter * | ForEach-Object {
    $hotfix = Get-HotFix -ComputerName $_.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -gt "2026-02-10" }
    if (-not $hotfix) { $_.Name }
}
$unpatched | Out-File "still-unpatched.txt"
```
Phase 2: Validation (Day 2-3)
```powershell
# Verify specific KB installation
$KB = "KB5034123" # Replace with actual KB number
Get-ADComputer -Filter * | ForEach-Object {
    $result = Get-HotFix -ComputerName $_.Name -Id $KB -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Computer    = $_.Name
        Patched     = [bool]$result
        InstalledOn = $result.InstalledOn
    }
} | Export-Csv "patch-status.csv"
```
Phase 3: Threat Hunting (Day 3-7)
Given CVE-2026-21533 was exploited since December 2025, hunt for compromise indicators:
```powershell
# Check for recently added local administrators
$startDate = Get-Date "2025-12-01"
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4732        # Member added to security-enabled local group
    StartTime = $startDate  # filter inside the query instead of after it
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Message -match "Administrators"
} | Select-Object TimeCreated, Message

# Check for suspicious service modifications
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    ID        = 7045        # Service installed
    StartTime = $startDate
} -ErrorAction SilentlyContinue

# Review enabled local accounts that have logged on since the start of the window
Get-LocalUser | Where-Object {
    $_.Enabled -eq $true -and
    $_.LastLogon -gt $startDate
} | Select-Object Name, Enabled, LastLogon, PasswordLastSet
```
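The script below is an added example, not part of the original post or of any vendor tooling. It combines the indicators the Detection Note for CVE-2026-21533 and the Phase 3 steps above ask you to hunt for (new accounts, additions to Administrators, new services) into one sorted timeline, and lists the current Administrators membership as a state check independent of the logs. It assumes you run it elevated, that account-management auditing is enabled (the default on domain-joined systems), and that the hunt window starts on 2025-12-01; the function and column names are this example's own, while the event IDs and the Administrators SID are Windows constants.

```powershell
# Added example, not from the original post. One timeline of the indicators
# the post lists for CVE-2026-21533 exposure:
#   4720  user account created                 (Security)
#   4732  member added to local group          (Security; Administrators only)
#   4697  service installed                    (Security; needs "Audit Security System Extension")
#   7045  service installed                    (System; Service Control Manager)
# Changes to an *existing* service's registry key would need 4657 with a SACL
# on HKLM\SYSTEM\CurrentControlSet\Services, which is not on by default.
# Assumptions: run elevated; hunt window starts 2025-12-01; names are this
# example's own.

function Get-PostExploitTimeline {
    param(
        [datetime]$Start = (Get-Date '2025-12-01'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Read one named field out of an event's <EventData> block.
    function Get-EventField($Event, [string]$Name) {
        $xml = [xml]$Event.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
    }

    # Run one filtered query. Get-WinEvent writes an error when nothing matches,
    # so treat "no events" as an empty result rather than a failure.
    function Get-WindowEvents([hashtable]$Filter) {
        $Filter['StartTime'] = $Start
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue
    }

    $rows = [System.Collections.Generic.List[object]]::new()

    foreach ($e in Get-WindowEvents @{ LogName = 'Security'; Id = 4720 }) {
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 4720; Kind = 'AccountCreated'
            Subject = Get-EventField $e 'SubjectUserName'
            Detail  = Get-EventField $e 'TargetUserName'
        })
    }

    # Match the Administrators group by its well-known SID rather than its
    # display name, which is localized and can be renamed.
    foreach ($e in Get-WindowEvents @{ LogName = 'Security'; Id = 4732 }) {
        if ((Get-EventField $e 'TargetSid') -ne 'S-1-5-32-544') { continue }
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 4732; Kind = 'AddedToAdministrators'
            Subject = Get-EventField $e 'SubjectUserName'
            Detail  = Get-EventField $e 'MemberSid'
        })
    }

    foreach ($e in Get-WindowEvents @{ LogName = 'Security'; Id = 4697 }) {
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 4697; Kind = 'ServiceInstalled'
            Subject = Get-EventField $e 'SubjectUserName'
            Detail  = '{0} => {1}' -f (Get-EventField $e 'ServiceName'), (Get-EventField $e 'ServiceFileName')
        })
    }

    foreach ($e in Get-WindowEvents @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }) {
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 7045; Kind = 'ServiceInstalled'
            Subject = Get-EventField $e 'AccountName'   # account the new service runs as
            Detail  = '{0} => {1}' -f (Get-EventField $e 'ServiceName'), (Get-EventField $e 'ImagePath')
        })
    }

    $rows | Sort-Object Time
}

# State check that does not depend on log retention: who is in Administrators now?
function Get-CurrentLocalAdmins {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
}

Get-PostExploitTimeline | Export-Csv -NoTypeInformation 'post-exploit-timeline.csv'
Get-CurrentLocalAdmins | Format-Table -AutoSize
```

Review the CSV for additions to Administrators whose Subject is not a known admin or provisioning account, and for services whose image path sits under a user-writable directory; pass -ComputerName to run the same query against a remote host over RPC.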
Beyond Patching: Additional Hardening
Immediate Mitigations (If Patching Is Delayed)
For CVE-2026-21533 (RDS):
```powershell
# Disable Remote Desktop if not needed
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
    -Name "fDenyTSConnections" -Value 1

# Or restrict RDP to specific source addresses by narrowing the built-in
# "Remote Desktop" allow rules. Adding a new Allow rule would not restrict
# anything, because the existing any-source rules would still match.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Set-NetFirewallRule -RemoteAddress "10.0.0.0/8"
```
For CVE-2026-21510/CVE-2026-21513 (Phishing bypasses):
- Enable Attack Surface Reduction (ASR) rules
- Block .lnk files in email attachments
- Increase email filtering sensitivity
```powershell
# Enable the ASR rule "Block executable content from email client and webmail"
# via Group Policy or PowerShell. Add-MpPreference appends to the configured
# rule list; Set-MpPreference would overwrite any ASR rules already in place.
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
    -AttackSurfaceReductionRules_Actions Enabled
```
For CVE-2026-21514 (Word):
- Block macros from internet-sourced documents
- Enable Protected View for Office files
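As an added example that is not part of the original post, the script below applies the mitigations listed above for the CVE-2026-21510/CVE-2026-21513 phishing bypasses (Defender ASR rules, including the email executable-content rule the post names plus the Office-focused rules) and for CVE-2026-21514 (block Internet-sourced macros, keep Protected View on), then reads every setting back so you can prove the state on a host. It assumes Microsoft Defender is the active antivirus (ASR rules only apply there), that Office is a 16.0 build (Office 2016/2019/LTSC and Microsoft 365), and that the Word policies are written for the current user; for a fleet you would push the same values through GPO or Intune. The function names are this example's own; the rule GUIDs and policy value names are Microsoft's published ones.

```powershell
# Added example, not from the original post. Assumptions: Defender is the
# active AV, Office is a 16.0 build, policies are applied per-user (HKCU).
# Function names are this example's own.

# Defender ASR rule GUIDs (Microsoft's published IDs) with their display names.
$AsrRules = @{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Word policy values. The Policies hive overrides whatever a user picks in the Trust Center.
$WordPolicyKeys = @(
    @{
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
        Settings = @{
            'blockcontentexecutionfrominternet' = 1   # block macros in files marked from the Internet
            'VBAWarnings'                       = 4   # disable all macros without notification
        }
    },
    @{
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
        Settings = @{
            'DisableInternetFilesInPV'   = 0   # 0 keeps Protected View ON for Internet files
            'DisableAttachmentsInPV'     = 0   # ... and for Outlook attachments
            'DisableUnsafeLocationsInPV' = 0   # ... and for unsafe locations
        }
    }
)

function Set-PhishingHardening {
    # Add-MpPreference appends to the configured ASR list; Set-MpPreference
    # would replace every rule already in place.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    foreach ($entry in $WordPolicyKeys) {
        if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
        foreach ($name in $entry.Settings.Keys) {
            Set-ItemProperty -Path $entry.Path -Name $name -Value $entry.Settings[$name] -Type DWord
        }
    }
}

function Test-PhishingHardening {
    # ASR action codes: 1 = Block, 2 = Audit, 6 = Warn, 0 or absent = off.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $action = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $id) { $action = [int]$actions[$i] }   # -eq ignores GUID case
        }
        [pscustomobject]@{ Control = $AsrRules[$id]; Expected = 1; Actual = $action; Ok = ($action -eq 1) }
    }
    foreach ($entry in $WordPolicyKeys) {
        foreach ($name in $entry.Settings.Keys) {
            $actual = (Get-ItemProperty -Path $entry.Path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Control  = "Word policy $name"
                Expected = $entry.Settings[$name]
                Actual   = $actual
                Ok       = ($actual -eq $entry.Settings[$name])
            }
        }
    }
}

Set-PhishingHardening
Test-PhishingHardening | Format-Table -AutoSize
```

Run Test-PhishingHardening on its own during an audit; any row with Ok = False is a host where the mitigation is not actually in force, regardless of what the policy object says.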
Long-Term Hardening
- Implement least privilege: Users shouldn't be local administrators
- Network segmentation: Limit RDP access to jump servers only
- EDR deployment: Ensure behavioral detection is active
- Security awareness: Retrain users on phishing given bypass vulnerabilities
- Patch automation: Don't rely on manual patching for critical updates
What's Coming Next
Secure Boot Certificate Expiration (June 2026)
Separate from this Patch Tuesday but important: Microsoft has begun rolling out updated Secure Boot certificates. The original 2011 certificates expire in late June 2026. Plan for this transition.
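Planning the transition starts with knowing whether a machine's firmware already trusts the replacement certificates. The check below is an added example, not part of the original post: it reads the Secure Boot db and KEK variables and reports which Microsoft CAs are present. It assumes an elevated session on a UEFI system with Secure Boot on, uses the certificate subject names Microsoft publishes for the 2011 and 2023 CAs, and the function name is this example's own.

```powershell
# Added example, not from the original post. Assumptions: elevated session,
# UEFI firmware with Secure Boot enabled; function name is this example's own.

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this system.'
    }
    # db (allowed signers) and KEK (who may update db) are raw EFI signature
    # lists. The X.509 subject names embedded in them are plain ASCII, so a
    # substring search is enough to tell which CAs the firmware trusts.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $status = [pscustomobject]@{
        Db_Has_2011_PCA    = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Db_Has_2023_UEFICA = [bool]($db  -match 'Windows UEFI CA 2023')
        Kek_Has_2011_CA    = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        Kek_Has_2023_CA    = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }
    # Ready means both the 2023 signing CA and the 2023 KEK are already in place,
    # so the machine will keep booting signed media after the 2011 certs expire.
    $status | Add-Member -NotePropertyName Ready `
        -NotePropertyValue ($status.Db_Has_2023_UEFICA -and $status.Kek_Has_2023_CA) -PassThru
}

Get-SecureBootCaStatus | Format-List
```

Run this across a sample of hardware models before June 2026; machines that report Ready = False need the certificate update (and usually a firmware update) scheduled ahead of the expiry.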
Exploit Surge Expected
CrowdStrike's warning bears repeating: Now that CVE-2026-21533 is public, expect a surge in exploitation attempts. Threat actors who had private access to this exploit are racing to monetize it before patch adoption increases.
March 2026 Patch Tuesday
Given February's zero-day count, expect heightened attention on March's release. Mark your calendar for March 10, 2026.
Key Takeaways
- Patch immediately: Six zero-days are actively exploited. This is not a drill.
- CISA deadline is March 3, 2026: Federal mandate, but everyone should treat it as their deadline.
- Prioritize the security bypasses first: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514 make phishing attacks silent. Patch these today.
- CVE-2026-21533 has been exploited since December 2025: If you haven't patched, assume compromise and hunt for indicators.
- Attack chains are real: These vulnerabilities work together. A phishing email + security bypass + privilege escalation = full compromise.
- VPN users beware: CVE-2026-21525 can crash your VPN service. If you use always-on VPN, prioritize this patch.
- Don't forget Azure: Two CVSS 9.8 critical vulnerabilities in Azure services need attention too.
Further Reading
- Microsoft Security Response Center - February 2026 Release Notes
- CISA Known Exploited Vulnerabilities Catalog
- CrowdStrike Patch Tuesday Analysis February 2026
- Zero Day Initiative February 2026 Analysis
The bottom line: February 2026 Patch Tuesday isn't business as usual. Six zero-days, all actively exploited, all added to CISA's KEV catalog on day one. One has been exploited for over six weeks against U.S. and Canadian organizations.
Stop reading. Start patching.
Stay safe out there.