Microsoft patches six actively exploited zero-days in February update

Microsoft’s February Patch Tuesday fixed six zero-day vulnerabilities that the company and industry researchers say were being actively exploited in the wild, in a release that industry outlets variously reported as addressing roughly 58 to 59 vulnerabilities across Windows, Microsoft Office and core system components.

Cyber Security Hub summarized the rollout as: "Microsoft has released its February 2026 Patch Tuesday security updates, fixing a total of 59 vulnerabilities across Windows, Microsoft Office, and core system components. The update includes patches for six actively exploited zero-day vulnerabilities—three of which were publicly disclosed prior to today..." Other coverage described the monthly total less explicitly; Krebs on Security wrote that "Microsoft today released updates to fix more than 50 security holes" and one security vendor published a breakdown showing 58 patched flaws. One headline elsewhere referenced 71 CVEs, a figure that conflicts with the broader vendor consensus. Microsoft’s own Security Update Guide should be consulted for the authoritative count.

The six zero-days named in vendor reports are CVE-2026-21510, CVE-2026-21525, CVE-2026-21513, CVE-2026-21514, CVE-2026-21533 and CVE-2026-21519. CVE-2026-21510 is described as a Windows Shell security feature bypass in which "a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs," and it affects all currently supported Windows versions. CVE-2026-21513 targets MSHTML, the browser rendering engine, while CVE-2026-21514 is a security bypass in Microsoft Word. CVE-2026-21519 is an elevation of privilege in the Desktop Window Manager.

Two of the more operationally consequential flaws involve remote access infrastructure. CVE-2026-21525 is a null pointer dereference denial-of-service vulnerability in the Windows Remote Access Connection Manager, which maintains VPN connections; it requires no user interaction, has low attack complexity and carries a reported CVSS score of 6.2, and vendors reported active exploitation in the wild. CVE-2026-21533 affects Windows Remote Desktop Services and allows local attackers to elevate privileges to SYSTEM. Explaining the strategic value of that vector, CrowdStrike’s analysis reproduced by Secpod warned: "This Remote Desktop Services zero-day allows attackers to elevate privileges to SYSTEM under specific conditions, making it extremely valuable in environments that rely on RDS for administrative sessions or host multiple remote users." CrowdStrike and other telemetry providers said they observed detections and incident-response evidence tied to the RDS flaw.

Beyond the six zero-days, vendors highlighted a concentration of elevation-of-privilege and remote code execution bugs: multiple sources reported 25 EoP flaws and 12 RCE flaws among the month’s disclosures. CrowdStrike also flagged several high-severity Azure vulnerabilities, listing CVE-2026-24300 (Azure Front Door, CVSS 9.8), CVE-2026-24302 (Azure Arc, CVSS 8.6) and CVE-2026-21532 (Azure Functions, CVSS 8.2) as critical to cloud operators.

Vendors noted Microsoft had already pushed several out-of-band fixes in January. As Krebs on Security relayed, "Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday," including a Jan. 17 fix for a credential prompt failure in Remote Desktop workflows and a Jan. 26 out-of-band patch for a Microsoft Office bypass (CVE-2026-21509). Security vendors also reported Microsoft has begun rolling out updated Secure Boot certificates ahead of June 2026 expirations for legacy 2011 certificates.

IT teams and enterprises should prioritize the listed patches and cross-check Microsoft’s Security Update Guide for the definitive list of CVEs and Microsoft’s exploitation designations. Given the mix of active exploitation, remote access impact and high-severity cloud flaws, vendors say immediate patching and verification of detection telemetry remain critical to reduce risk.