February 2026 Microsoft Patch Update: 6 Actively Exploited Zero-Day Vulnerabilities Added to CISA KEV List
Microsoft’s February 2026 Patch Tuesday introduced
security updates addressing 58 vulnerabilities, including six actively
exploited flaws and three publicly disclosed zero-day vulnerabilities. Notably,
six of these vulnerabilities were already being exploited before security
patches became publicly available. When vulnerabilities transition from
theoretical weaknesses to confirmed real-world exploitation, the urgency shifts
from “patch soon” to “patch now.”
Here’s what security teams should understand.
When a Patch Becomes a Race Against Time
A zero-day vulnerability means attackers are actively using a flaw before most users have had a chance to update their systems. In this case, Microsoft marked six vulnerabilities as exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities (KEV) catalog.
Inclusion in the KEV list signals real-world risk. Federal agencies are required to remediate KEV-listed vulnerabilities within mandated timelines, and private organizations are strongly encouraged to follow similar urgency.
The Confirmed Exploited Vulnerabilities
The following CVEs were identified as actively exploited:
- CVE-2026-21510 – Windows Shell Security Feature Bypass
- CVE-2026-21513 – MSHTML Framework Security Feature Bypass
- CVE-2026-21514 – Microsoft Word Security Decision Vulnerability
- CVE-2026-21519 – Desktop Window Manager Elevation of Privilege
- CVE-2026-21525 – Windows NULL Pointer Dereference
- CVE-2026-21533 – Remote Desktop Services Elevation of Privilege
Each vulnerability represents a different attack path, but together they highlight common attacker objectives: bypass protections, gain elevated access, and maintain persistence.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
Security Feature Bypass: Undermining Built-In Protections
Several of the exploited vulnerabilities fall into the “security feature bypass” category.
CVE-2026-21510
This vulnerability affects the Windows Shell protection mechanism. If exploited, attackers may circumvent safeguards designed to block suspicious content from executing automatically. Such bypasses reduce the effectiveness of warning systems users rely on to detect malicious files.
CVE-2026-21513
This issue involves the MSHTML framework, responsible for rendering web content in certain Windows contexts. Exploitation may allow malicious content embedded within Office files to avoid normal security checks — a technique often linked to phishing campaigns.
CVE-2026-21514 (CVSS 7.8)
Affects Microsoft 365 Apps for Enterprise. This vulnerability allows untrusted input to influence security decisions during document processing. When attackers manipulate how Word handles embedded content, they can bypass protective layers.
Security feature bypass vulnerabilities are particularly concerning because they reduce user visibility into malicious activity.
🛡️ We added 6️⃣ Microsoft vulnerabilities to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec pic.twitter.com/ERaEMfqMct
— CISA Cyber (@CISACyber) February 10, 2026
Elevation of Privilege: Expanding the Breach
Privilege escalation remains one of the most valuable tools in an attacker’s arsenal.
CVE-2026-21519 (CVSS 7.8)
Targets the Desktop Window Manager. If an attacker already has limited system access, this flaw could allow elevation to higher privilege levels. Such vulnerabilities often appear in post-compromise attack chains.
CVE-2026-21533 (CVSS 7.8)
Affects Remote Desktop Services. In environments where RDP is exposed or internally accessible, privilege escalation may expand access across systems.These vulnerabilities do not necessarily grant initial access — but they can transform minor breaches into full system compromise.
Service Disruption Risk
CVE-2026-21525 (CVSS 6.2)
This NULL pointer dereference vulnerability may lead to system instability or crashes. While categorized as Medium severity, denial-of-service conditions can disrupt operations and degrade system reliability.
In enterprise environments, even temporary disruption may have significant operational impact.
Cloud Considerations
February’s update also addressed multiple Azure-related vulnerabilities. Unlike traditional Windows updates that deploy automatically, cloud remediation may require:
- Configuration adjustments
- Manual component updates
- Infrastructure redeployment
- Validation of service configurations
Cloud security teams should carefully review Azure-related advisories to ensure no overlooked exposure remains.
Why Immediate Remediation Matters
The exploitation window for zero-days continues to shrink. Attackers increasingly:
- Monitor patch releases
- Reverse-engineer updates
- Automate exploit development
Delays in applying patches widen the opportunity for adversaries.
Organizations should:
- Prioritize vulnerabilities marked as exploited
- Validate update deployment success
- Monitor for abnormal system behavior
- Review endpoint detection logs
For individual users, enabling automatic updates remains one of the simplest defenses.
Broader Security Implications
This month’s patch cycle reinforces several ongoing cybersecurity realities:
- Exploitation speed is increasing.
- Security bypass flaws remain highly attractive to attackers.
- Privilege escalation vulnerabilities amplify initial breaches.
- Patch management maturity is a competitive advantage in cybersecurity resilience.
Security updates are not routine maintenance tasks — they are active defense mechanisms.
Final Perspective
Six exploited zero-days in one patch release underscores how dynamic the threat landscape has become.While vulnerability disclosure is inevitable in complex systems, responsible patch management reduces exposure dramatically.In cybersecurity, preparedness is rarely about perfection — it is about response speed.
Applying updates quickly may not make headlines, but failing to do so often does.
Reference
Details regarding CVE severity ratings and exploitation status are available through Microsoft’s Security Update Guide and CISA’s Known Exploited Vulnerabilities Catalog.