Microsoft Releases Security Updates For 59 Vulnerabilities Including Six Actively Exploited Zero Day Flaws

Microsoft has released a new set of security updates addressing 59 vulnerabilities across its software products, including six zero-day flaws that the company confirmed have already been exploited in the wild. The security updates are part of the February Patch Tuesday release and cover multiple Microsoft technologies including Windows, Microsoft Office, and core system components that are widely used across enterprise and consumer environments.

Among the 59 vulnerabilities addressed in the update, five have been rated Critical in severity, while 52 are classified as Important and two are considered Moderate. The vulnerabilities span several categories that impact system security and application behavior. Privilege escalation issues represent the largest group with 25 vulnerabilities, followed by 12 remote code execution flaws. The update also resolves seven spoofing vulnerabilities, six information disclosure issues, five security feature bypass flaws, three denial-of-service vulnerabilities, and one cross-site scripting issue. In addition to these patches, Microsoft also addressed three security flaws affecting its Edge browser after the January 2026 Patch Tuesday release. One of these is CVE-2026-0391, a Moderate severity vulnerability affecting Edge for Android with a CVSS score of 6.5. The issue could allow an unauthorized attacker to carry out spoofing attacks over a network by exploiting a user interface misrepresentation of critical information.

Six vulnerabilities within the update have been identified as actively exploited zero-day flaws. These include CVE-2026-21510, a protection mechanism failure in Windows Shell with a CVSS score of 8.8 that allows an attacker to bypass security features over a network. Another vulnerability, CVE-2026-21513, affects Microsoft MSHTML Framework and carries the same severity rating of 8.8. This flaw also enables attackers to bypass security protections through crafted content delivered over a network. CVE-2026-21514 targets Microsoft Office Word and involves reliance on untrusted inputs in a security decision, allowing attackers to bypass security controls locally with a CVSS score of 7.8. CVE-2026-21519 involves a type confusion issue in Desktop Window Manager which may allow an authorized attacker to elevate privileges locally. CVE-2026-21525 relates to a null pointer dereference in Windows Remote Access Connection Manager that could allow denial of service locally with a CVSS score of 6.2. CVE-2026-21533 affects Windows Remote Desktop and enables privilege escalation through improper privilege management.

Microsoft security teams and Google Threat Intelligence Group were credited with discovering and reporting the first three vulnerabilities. These flaws were already publicly known when the patches were released. Details regarding the methods used in active exploitation have not been disclosed, and it remains unclear whether the vulnerabilities were used together within the same attack campaign. Security researchers noted that CVE-2026-21513 affects Microsoft MSHTML Framework, a core component used by Windows and various applications to render HTML content. According to vulnerability researchers, the flaw results from a protection mechanism failure that allows malicious files to bypass execution prompts. When a user interacts with a specially crafted file, Windows security warnings may be bypassed, allowing harmful actions to be triggered with a single click. Researchers from Tenable also observed similarities between CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514, with the primary difference being the delivery method. CVE-2026-21513 can be exploited using HTML files while CVE-2026-21514 requires a Microsoft Office file.

Additional analysis revealed that CVE-2026-21525 is connected to a vulnerability identified in December 2025 by ACROS Security through its 0patch service during investigation of another related flaw. Security specialists explained that vulnerabilities such as CVE-2026-21519 and CVE-2026-21533 require attackers to already have access to a system before they can exploit them. This access could be obtained through malicious attachments, remote code execution vulnerabilities, or lateral movement from another compromised device. Once inside a system, attackers may attempt to escalate privileges to the SYSTEM level. Such access could allow threat actors to disable security tools, deploy additional malicious software, or obtain sensitive credentials that could enable wider network compromise. CrowdStrike, which reported CVE-2026-21533, stated that it has not attributed the exploitation to a specific threat actor but warned that possession of exploit binaries may lead to increased attempts to use or distribute them.

Following the disclosure, the U.S. Cybersecurity and Infrastructure Security Agency added the six vulnerabilities to its Known Exploited Vulnerabilities catalog and directed Federal Civilian Executive Branch agencies to apply the patches by March 3, 2026. At the same time, Microsoft has begun rolling out updated Secure Boot certificates that will replace certificates originally issued in 2011, which are scheduled to expire in June 2026. These updated certificates will be distributed through regular Windows updates without requiring manual installation. Microsoft noted that systems that do not receive the updated certificates will continue operating but will enter a degraded security state that may limit their ability to adopt future boot-level protections. The company also announced improvements to Windows security architecture through initiatives such as Windows Baseline Security Mode and User Transparency and Consent. These efforts are intended to strengthen default protections by ensuring that only properly signed applications, services, and drivers can run while providing users clearer prompts when applications attempt to access sensitive resources or install additional software.
