Microsoft February 2026 Patch Tuesday: Six Zero-Days Under Active Exploitation
Overview
Microsoft’s February 2026 Patch Tuesday drops 55 security fixes, and six of them are already being exploited in the wild. Three of those were publicly disclosed before patches arrived, meaning attackers had a head start. The zero-days span Windows Shell, the ancient MSHTML rendering engine, Microsoft Word, Desktop Window Manager, Remote Desktop Services, and the Remote Access Connection Manager. If your organization runs Windows (and of course it does), this one deserves immediate attention.
Technical Details
The Security Feature Bypass Trio: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514
Three of the six zero-days share a common theme: security feature bypass. Microsoft credits the same set of researchers for discovering all three, and they were all publicly disclosed before today’s patches.
CVE-2026-21510 targets the Windows Shell, the GUI interaction logic for the entire operating system provided by explorer.exe and its associated libraries. With a CVSS score of 8.8, this vulnerability allows an attacker to sidestep SmartScreen and similar “are you sure?” prompts by tricking a user into opening a malicious link or shortcut file. Files with a .lnk extension are the prime suspect, though .url files may also serve as a vector.
CVE-2026-21513 (CVSS 8.8) goes after the MSHTML/Trident rendering engine, the zombie browser engine that Microsoft still cannot bring itself to rip out of Windows. MSHTML continues to power Office rendering and Explorer integration, years after most users stopped opening Internet Explorer on purpose. The attack starts the same way: convince a user to open a malicious HTML file or shortcut file.
CVE-2026-21514 (CVSS 7.8) takes aim at Object Linking and Embedding (OLE) mitigations in Microsoft Word. An attacker bypasses these protections by convincing the user to open a malicious Word document. Curiously, the advisory only lists remediations for LTSC versions of Office and on-premises Microsoft 365 Apps for Enterprise, with no mention of the standard Microsoft 365 suite. On the plus side, the Preview Pane is not a vector, so the user must explicitly open the malicious file.
Microsoft assessed the attack vector for CVE-2026-21514 as “local” rather than the typical “remote” classification applied to phishing-based attacks. The advisory specifically states that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” Whether this reflects an unusual-but-correct assessment or an inadvertent mis-classification remains unclear.
All three of these vulnerabilities likely share a common thread: Mark-of-the-Web laundering through flaws in legacy Windows components. When you chain initial access through social engineering with these bypasses, you effectively strip away the safety nets that Windows places between the user and malicious content.
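Mark-of-the-Web is nothing more than an NTFS alternate data stream named Zone.Identifier that Windows consults before showing SmartScreen and similar prompts; if a file arrives without it, those prompts never fire. The following PowerShell is an added example, not code from the original advisory: it reports which downloaded files carry the stream and which do not, so a defender can confirm that mail and browser download paths are still tagging files. The folder path and the extension list are assumptions for illustration.

```powershell
# Added example: audit Mark-of-the-Web tagging on files in a folder.
# Assumes an NTFS volume; the target folder and extensions are placeholders.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Extensions that map to the vectors named in this month's advisories
        [string[]]$Extension = @('.lnk', '.url', '.html', '.htm', '.doc', '.docx')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = $null
            try {
                # Zone.Identifier is written by browsers, mail clients and Explorer
                # when a file arrives from the network; ZoneId=3 means "Internet".
                $raw = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
                $m = [regex]::Match(($raw -join "`n"), 'ZoneId=(\d+)')
                if ($m.Success) { $zone = [int]$m.Groups[1].Value }
            } catch {
                # No stream at all: this file will open with no SmartScreen prompt.
            }

            $status = if ($null -eq $zone)  { 'NO MOTW' }
                      elseif ($zone -eq 3)  { 'Internet' }
                      elseif ($zone -eq 4)  { 'Restricted' }
                      else                  { "Zone $zone" }

            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = $zone
                Status = $status
            }
        }
}

# Usage: list every candidate file in the current user's Downloads folder.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Rows reporting NO MOTW for files that should have come through a browser or mail client are the ones worth a second look: either the delivery path is not tagging files, or something stripped the stream after the fact.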
DWM Elevation of Privilege: CVE-2026-21519
For the second consecutive month, the Desktop Window Manager (DWM) is the site of an actively exploited zero-day. Last month brought CVE-2026-20805, an information disclosure vulnerability that served as a kernel-space address map for attackers, revealing the otherwise obfuscated in-memory location of the kernel-space DWM process. This month, CVE-2026-21519 (CVSS 7.8) provides the elevation of privilege to go with it. This almost certainly reflects Microsoft’s Threat Intelligence Center (MSTIC) and MSRC working to disrupt the same threat actor across both months: leak the kernel addresses in January, escalate privileges through those addresses in February.
Initial access paired with local privilege escalation is the staple diet of real-world attack chains. The relatively modest CVSS score of 7.8 (compared to a broadly equivalent remote code execution) should not make anyone comfortable about delaying this patch.
RDP Elevation of Privilege: CVE-2026-21533
Remote Desktop Services get their own zero-day with CVE-2026-21533 (CVSS 7.8), which allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back to Server 2012 receives patches for this one, meaning the flaw has been sitting in the codebase for well over a decade. Today’s patches may finally close the door on a long-running exploitation story for at least one threat actor.
RasMan Denial of Service: CVE-2026-21525
The sixth zero-day is CVE-2026-21525 (CVSS 6.2), a local denial of service in the Windows Remote Access Connection Manager (RasMan). What makes this one unusual: no privileges are required at all to exploit it. Even a guest account can trigger the vulnerability. If you have not disabled guest accounts across your environment, this is a timely reminder to do so.
Impact
The combination of these six zero-days creates a particularly dangerous situation for enterprise defenders. The three security feature bypass vulnerabilities (CVE-2026-21510, -21513, -21514) effectively neutralize Windows’ built-in protections against malicious files. Once an attacker strips those protections away, the payload executes without the usual warnings that might give a security-aware user pause.
Pair those bypasses with CVE-2026-21519 (DWM privilege escalation) and you have a complete attack chain: initial access through a phished document or link, followed by bypass of security controls, followed by privilege escalation to kernel level. The DWM zero-day is especially concerning given the two-month pattern. Whatever actor is exploiting this has clearly invested in understanding Windows kernel internals at a deep level.
The RDP vulnerability (CVE-2026-21533) is a separate concern for anyone running Terminal Services environments. With patches required back to Server 2012, the affected surface area is enormous across the enterprise. And the RasMan DoS (CVE-2026-21525) at minimum provides a disruption tool that requires zero authentication.
Beyond the six zero-days, this month’s broader patch set includes a critical Azure SDK for Python vulnerability (CVE-2026-21531, CVSS 9.8), multiple Hyper-V remote code execution flaws, and several Windows kernel elevation of privilege issues rated “exploitation more likely” by Microsoft.
Recommended Actions
- Patch the zero-days immediately. Prioritize CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 first. These three are publicly disclosed, have the highest CVSS scores (8.8), and provide the initial access component of likely attack chains.
- Validate Windows Server coverage. CVE-2026-21533 affects every Windows Server release back to 2012. Confirm that your Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 systems are all in scope for this month’s updates, with particular urgency for internet-facing RDP hosts.
- Audit guest accounts and unauthenticated access paths. CVE-2026-21525 requires zero privileges. Verify that guest accounts and similar low-privilege access are disabled across your fleet.
- Review your Office deployment targets. CVE-2026-21514 only lists patches for LTSC Office versions and on-premises M365 Apps for Enterprise. If you run standard Microsoft 365, monitor for updates and consider whether additional mitigations (such as blocking OLE in documents via Group Policy) are warranted until patches are confirmed.
- Hunt for DWM exploitation artifacts. The two-month DWM zero-day pattern (CVE-2026-20805 for information disclosure in January, CVE-2026-21519 for privilege escalation in February) strongly suggests an active threat actor with kernel-level capabilities. If you did not patch January’s DWM vulnerability promptly, assume potential compromise and investigate accordingly.
- Block .lnk and .url files at the email gateway. The security feature bypass vulnerabilities rely on convincing users to open malicious links or shortcut files. Stripping these attachment types at the perimeter reduces the available attack surface.
How Codex Can Help
If your team needs support getting ahead of this month’s patch cycle, reach out. We can help with:
- Vulnerability prioritization and patch management strategy to ensure the most critical fixes deploy first across complex, multi-site environments
- Compromise assessment to determine whether the DWM exploitation chain or other zero-days have already been used against your infrastructure
- Security architecture review to evaluate your exposure to Mark-of-the-Web bypass techniques and recommend hardening measures for Windows endpoints and servers
- Incident response if you suspect active exploitation of any of these vulnerabilities in your environment
We are available to assist on short notice whenever a critical patch cycle demands fast action.