Microsoft Issues Patches for Six Zero-Day Exploits

Microsoft's February 2026 Patch Tuesday addressed six actively exploited zero-day vulnerabilities affecting core Windows components and developer tools. The company released fixes for the flaws, which are reportedly being leveraged in the wild. Security analysts warn that unpatched developer environments could serve as vectors for supply chain attacks.

- In total, Microsoft's February 2026 security update addressed 58 vulnerabilities across Windows, Office, and other products. Of these, five were rated as "Critical," and privilege escalation flaws were the most common vulnerability category, accounting for 25 of the fixes.
- Three of the zero-day flaws are security feature bypasses that require an attacker to trick a user into opening a malicious file. CVE-2026-21510 allows circumvention of Windows SmartScreen prompts, while CVE-2026-21513 affects the MSHTML browser engine, and CVE-2026-21514 bypasses security controls for embedded content in Microsoft Word.
- Two of the actively exploited vulnerabilities allow for privilege escalation, enabling an attacker who already has a foothold on a system to gain SYSTEM-level access. These affect the Desktop Window Manager (CVE-2026-21519) and Windows Remote Desktop Services (CVE-2026-21533).
- The final zero-day is a denial-of-service vulnerability (CVE-2026-21525) in the Windows Remote Access Connection Manager. A local attacker with low privileges can exploit it to crash the service or the entire system.
- Several security firms and researchers were credited with discovering the vulnerabilities, including Google's Threat Intelligence Group (GTIG), CrowdStrike, and Microsoft's own security teams. GTIG had a hand in reporting three of the six zero-days.
- Following the disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added all six zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that Federal Civilian Executive Branch agencies apply the necessary patches by March 3, 2026.
