Microsoft Scrambles to Fix Six Actively Exploited Zero-Days in February 2026 Patch Tuesday

Executive Summary

On February 11, 2026, Microsoft released its monthly security update, addressing 58 vulnerabilities. The release is dominated by the inclusion of patches for six zero-day vulnerabilities that were confirmed to be actively exploited in the wild. These critical flaws span major components including Windows Shell, MSHTML, Microsoft Word, Desktop Window Manager, and Remote Desktop Services. The vulnerabilities primarily enable security feature bypasses and privilege escalation, allowing attackers to execute code silently or gain full SYSTEM-level control of compromised machines. Given the active exploitation, CISA is expected to add these to its Known Exploited Vulnerabilities (KEV) catalog. All organizations are urged to apply these updates with the highest priority to mitigate the immediate and significant risk of compromise.

Vulnerabilities Addressed

The February 2026 Patch Tuesday addresses a total of 58 flaws, with a heavy focus on privilege escalation. The breakdown of vulnerability types includes:

• 25 Elevation of Privilege (EoP) Vulnerabilities
• 12 Remote Code Execution (RCE) Vulnerabilities
• 5 Security Feature Bypass Vulnerabilities
• 5 Denial of Service (DoS) Vulnerabilities
• 11 Information Disclosure Vulnerabilities

The most critical vulnerabilities are the six zero-days actively exploited in the wild:

Technical Analysis

The zero-days present clear and distinct attack paths for threat actors:

1. Security Feature Bypass (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514): These vulnerabilities are prime for initial access and payload delivery. Attackers can craft malicious links, shortcuts (.lnk), or documents that, when opened by a user, bypass critical OS security warnings like SmartScreen or Protected View. This allows for the seamless execution of malware. This technique aligns with T1204.002 - Malicious File and T1559.002 - Dynamic Data Exchange, where trusted application features are abused.

2. Elevation of Privilege (CVE-2026-21519, CVE-2026-21533): Once an attacker has a low-privilege foothold on a system (e.g., from a phishing attack), these vulnerabilities provide a direct path to SYSTEM-level control. The DWM and RDS flaws are local exploits, meaning the attacker must already have code execution capabilities on the target. This is a classic example of T1068 - Exploitation for Privilege Escalation. Gaining SYSTEM privileges allows attackers to disable security software, install rootkits, and move laterally across the network.

3. Denial of Service (CVE-2026-21525): While less severe, the RasMan DoS flaw can be used for disruption, particularly in environments reliant on VPNs for remote access. An attacker could use this to disrupt security operations or force users onto less secure networks.

MITRE ATT&CK Mapping

• T1204.002 - Malicious File: Exploitation of Word and MSHTML flaws relies on user interaction with a malicious file.
• T1548.002 - Bypass User Account Control: The security feature bypass flaws are a form of UAC bypass, tricking the user and OS into running untrusted code.
• T1068 - Exploitation for Privilege Escalation: The DWM and RDS flaws are used to escalate from user to SYSTEM privileges.
• T1485 - Data Destruction: While CVE-2026-21525 is a DoS, it can be used as part of a destructive attack to hinder recovery efforts.

Impact Assessment

The immediate impact is high for all organizations running unpatched Windows systems. The security feature bypass vulnerabilities lower the bar for successful phishing campaigns, as they remove key visual warnings that trained users rely on. The privilege escalation flaws are a critical component in post-exploitation attack chains, enabling ransomware deployment, data exfiltration, and persistent access. Industries that are common targets for cybercrime, such as healthcare, finance, and critical infrastructure, are at heightened risk. The combination of a bypass and an EoP flaw creates a potent attack chain, allowing an attacker to go from a single click to full domain compromise.

Cyber Observables for Detection

Security teams should hunt for signs of pre-patch exploitation:

Detection & Response

• Prioritize alerts related to mshta.exe, rundll32.exe, and Office applications spawning unusual child processes (e.g., powershell.exe, cmd.exe).
• Implement enhanced monitoring for endpoint security logs. Look for evidence of security warnings being programmatically dismissed or bypassed.
• Hunt for exploitation of privilege escalation: Query EDR data for processes that start with low or medium integrity and are later seen running as SYSTEM, especially if the parent process is svchost.exe (hosting DWM or RDS) or winword.exe.
• D3FEND Techniques: Employ D3-PA: Process Analysis to baseline normal process behavior and detect anomalies. Use D3-UBA: User Behavior Analysis to spot users executing files from untrusted locations.

Mitigation

1. Patch Immediately: The top priority is to deploy the February 2026 security updates to all affected systems. Prioritize internet-facing servers, workstations used by privileged users, and critical infrastructure. Use a risk-based approach, but aim for full deployment within 72 hours due to active exploitation.
2. Enable Attack Surface Reduction (ASR) Rules: Configure ASR rules to block Office applications from creating child processes, executing malicious content, or making Win32 API calls. This provides a strong compensating control against CVE-2026-21514.
3. Review User Privileges: Enforce the principle of least privilege. Standard users should not have administrative rights. This won't prevent exploitation of the EoP flaws but will contain the blast radius of other attacks.
4. Harden Remote Desktop Services: If RDS is not required, disable it. If it is, restrict access to authorized users via a bastion host or VPN and enforce Multi-Factor Authentication (MFA).

CRITICAL WARNING: Due to the active in-the-wild exploitation of these vulnerabilities, organizations must assume they are being actively targeted. Patching should be treated as an emergency action. Post-patching, a threat hunt for signs of compromise is strongly recommended.