Microsoft Patch Tuesday: 6 exploited zero-days fixed in February 2026
Microsoft has plugged 50+ security holes on February 2026 Patch Tuesday, including six zero-day vulnerabilities exploited by attackers in the wild.
The “security feature bypass” zero-days
Among the zero-days fixed are three vulnerabilities that allow attackers to bypass a security feature.
CVE-2026-21513 affects the MSHTML/Trident browser engine for the Microsoft Windows version of Internet Explorer, and CVE-2026-21514 affects Microsoft Word.
Attackers can exploit the former by convincing a user to open a malicious HTML or shortcut (.lnk) file that has been crafted to manipulate browser and Windows Shell handling.
The latter can be triggered by a malicious Office file crafted to bypass OLE mitigations in Microsoft 365 and Microsoft Office. (If this sounds familiar, it’s because Microsoft recently fixed a similar flaw with an emergency update due to in-the-wild attacks.)
CVE-2026-21510 is the third security feature bypass zero-day fixed this time around. It affects Windows Shell and can be exploited with a malicious link or shortcut file, allowing attackers to bypass Windows SmartScreen and Windows Shell security prompts and execute files “without user warning or consent.”
All three flaws were publicly known and reported by Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, along with an anonymous researcher.
Patching publicly known vulnerabilities should be a priority, especially if, like these, they are actively exploited by attackers.
The three remaining zero-days
CVE-2026-21519 is a Desktop Window Manager vulnerability that allows attackers to elevate their privileges to SYSTEM on an already compromised host. It was reported by MSTIC and MSRC.
CVE-2026-21525 is a vulnerability in Windows Remote Access Connection Manager (“RasMan”) that may allow an unprivileged user to crash the service. It was reported by the 0patch research team, who discovered an exploit for it in a public malware repository.
CVE-2026-21533 is an elevation of privilege flaw affecting Windows Remote Desktop Services. It was reported by CrowdStrike researchers.
“The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group. CrowdStrike Intelligence retrospective hunting has revealed that threat actors had used this binary in the wild to target U.S. and Canada-based entities since at least December 24, 2025,” the cybersecurity company noted.
“CrowdStrike Intelligence assesses that Microsoft’s public disclosure of CVE-2026-21533 will almost certainly encourage threat actors possessing CVE-2026-21533 exploit binaries, as well as any exploit brokers possessing the underlying exploit, to use or monetize the exploits in the near term.”
Ryan Braunstein, Security Manager at Automox, also pointed out that the RasMan DoS flaw (CVE-2026-21525) should be patched quickly, as it could lead to widespread problems, since the service is responsible for maintaining VPN connections to corporate networks.
“An attacker with a foothold as a standard, non-admin user can run a small script that crashes the RAS manager service. The attack requires no elevated privileges and can be triggered after initial access through phishing or a malicious browser extension,” he explained.
“Organizations relying on always-on VPN connections face a particular risk: if the VPN service crashes, endpoints configured with “fail close” policies lose network access entirely. IT teams can’t reach those machines to patch them or run automation. In larger environments, this creates cascading failures that can take hours to resolve.”
Such a widespread crash could be used as a distraction while executing a separate attack against servers or exfiltrating data, he added. “If you run servers with RRAS (Routing and Remote Access Service), include them in your priority patching list to protect automations and infrastructure.”

