Post-Patch Tuesday Roundup: February 2026

Softcat’s February 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco, SAP, Ivanti, Fortinet, and BeyondTrust as they release patches addressing a wide range of vulnerabilities across their respective platforms.


Philip Odjidja

Vulnerability Engineer

Microsoft’s February 2026 Patch Tuesday delivers security fixes for 58 vulnerabilities, including six that are actively exploited and three publicly disclosed zero‑day flaws.

Zero Day Vulnerabilities:

Microsoft addressed six actively exploited vulnerabilities, three of which (CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514) had been publicly disclosed.

CVE-2026-21510 – This vulnerability affects a Windows Shell security feature and allows an attacker to bypass built-in protections. It was assigned a CVSS v3 score of 8.8 and rated as Important. Microsoft reported that the flaw was publicly disclosed before a patch was available and was actively exploited in the wild as a zero-day. Successful exploitation requires tricking a user into opening a malicious link or shortcut file, enabling the attacker to bypass Windows SmartScreen and Windows Shell warnings by abusing a weakness in Windows Shell components.

CVE-2026-21513 – A security feature bypass vulnerability affecting the MSHTML framework. Microsoft stated that the issue was publicly disclosed and actively exploited before a fix was released. To exploit this vulnerability, an attacker must persuade a user to open a malicious HTML file or a shortcut file. Exploiting this flaw enables attackers to circumvent security warnings that are intended to alert users before opening potentially unsafe files. It has a CVSS v3 score of 8.8 and is classified as Important.

CVE-2026-21514 – A security feature bypass due to reliance on untrusted inputs in a security decision within Microsoft Office Word. An attacker could bypass certain security mitigations (OLE/COM protections) in Office by convincing a user to open a malicious Office document, potentially allowing exploitation. Affected Microsoft Office versions include Office 2024, Office 2021 (Windows and macOS) and Microsoft 365 Apps. It has a CVSS v3.1 score of 7.8.

CVE-2026-21519 - Microsoft has addressed an actively exploited elevation-of-privilege vulnerability affecting the Desktop Window Manager. According to Microsoft, successful exploitation could allow an attacker to obtain SYSTEM-level privileges, potentially leading to full compromise of confidentiality, integrity, and availability on the system. It has a CVSS v3 score of 7.8 and is classified as Important.

CVE-2026-21525 – A Windows Remote Access Connection Manager Denial of Service Vulnerability. A null pointer dereference flaw exists in the Windows Remote Access Connection Manager that could be triggered locally by an attacker. If exploited, this vulnerability enables an unauthorized attacker to cause a denial-of-service (DoS) condition, disrupting remote access services on affected systems. It has been assigned a CVSS v3.1 score of 6.2.

CVE-2026-21533 – A Windows Remote Desktop Services Elevation of Privilege Vulnerability. Microsoft resolved an elevation-of-privilege vulnerability in Windows Remote Desktop Services stemming from improper privilege management. Successful exploitation could allow an authorized local attacker to gain elevated privileges. Microsoft did not share technical details regarding exploitation. The vulnerability was discovered by the Advanced Research Team at CrowdStrike.

Critical

Microsoft also addressed five other vulnerabilities rated as Critical in this Patch Tuesday window, including issues in Azure and other components.

CVE-2026-24302 – An Azure Arc Elevation of Privilege Vulnerability affecting the Azure AI Language Conversations Authoring SDK / Azure SDK. The issue arises from improper deserialization of untrusted data, allowing an attacker to trigger code execution on vulnerable systems. Because the flaw is exploitable over the network without authentication or user interaction, it enables an unauthenticated attacker to compromise a target remotely. With a CVSS v3.1 score of 9.8 (Critical), this vulnerability represents a high‑impact risk with the potential for a full system takeover if exploited.

CVE-2026-23655 - A security vulnerability that arises from improper permission handling within the affected Microsoft component. Successful exploitation could allow an attacker to gain elevated privileges, enabling actions normally restricted to higher‑level users or processes. While exploitation generally requires local access or certain conditions, the vulnerability poses a significant risk as it can be leveraged to escalate attacks and compromise the broader system.

CVE-2026-21522 - A command-injection vulnerability in Azure Compute Gallery caused by improper neutralization of special characters used in command execution. An authorized attacker with high privileges can exploit this flaw locally to run unintended commands and elevate privileges within the environment.

CVE-2026-24300 - A critical elevation‑of‑privilege vulnerability in Azure Front Door that, with a CVSS 3.1 score of 9.8, could allow an unauthenticated attacker on the network to gain elevated privileges and impact confidentiality, integrity, and availability in the affected Azure service.

CVE-2026-21532 - An elevation‑of‑privilege vulnerability caused by improper permission handling within the affected Microsoft component. An attacker who already has local access could exploit this flaw to gain higher‑level privileges, allowing them to perform actions normally restricted to more trusted users or system processes. While exploitation requires certain pre‑conditions, the vulnerability still poses meaningful risk because it can be chained with other flaws to achieve broader compromise.

Important

CVE-2026-21511 is a spoofing vulnerability affecting Microsoft Outlook. It was assigned a CVSSv3 score of 7.5 and was rated as Important. The spoofing vulnerability is the result of a deserialisation of untrusted data flaw, which an attacker can trigger using a crafted email. Microsoft notes that the preview pane is an attack vector for this flaw. CVE-2026-21511 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

CVE-2026-21244, CVE-2026-21248, CVE-2026-21247 and CVE-2026-21255

These are Remote Code Execution and Security Feature Bypass vulnerabilities affecting Windows Hyper-V. The exploitability assessment rated these as “Exploitation Less Likely”.

Recent updates from other Vendors

 

Adobe

Adobe’s official February Patch Tuesday updates addressed vulnerabilities in multiple products, including several critical issues that could lead to arbitrary code execution.

 

Cisco

Based on recent advisories and vendor reports, Cisco’s February 2026 security updates include a critical security update for CVE-2026-20045, a remote code execution (RCE) vulnerability in Unified Communications Manager (Unified CM), Session Management Edition (SME), Unified CM IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.

 

Fortinet 

Fortinet has been rolling out updates to address a critical authentication bypass vulnerability in FortiOS, FortiManager, and FortiAnalyzer tied to FortiCloud SSO (CVE-2026-24858).

 

Ivanti 

Ivanti published its February security advisory for Ivanti Endpoint Manager (EPM), which includes fixes for 2 new CVEs along with 11 medium severity vulnerabilities that had been disclosed in late 2025.

 

SAP

SAP Security Patch Day on February 10, 2026, delivered 26 new security notes and one update to an existing note.

 

BeyondTrust

BeyondTrust released an urgent security update for CVE-2026-1731 to address a critical remote code execution vulnerability affecting its remote access products.

Applying the latest security updates promptly is critical for staying protected against emerging threats. Timely patching reduces exposure to known vulnerabilities and helps prevent potential exploits.