Key Takeaway
Microsoft's February 2026 Patch Tuesday addresses over 50 vulnerabilities including six zero-day flaws actively exploited in the wild. Critical fixes affect Windows Shell, MSHTML, Microsoft Word, Remote Desktop Services, Desktop Window Manager, and developer tools such as GitHub Copilot and VS Code. Administrators should urgently apply these patches to prevent privilege escalation, code execution, and denial-of-service attacks.
Microsoft released its February 2026 security updates addressing over 50 vulnerabilities across Windows operating systems and related software. This batch includes patches for six zero-day flaws actively exploited in the wild, posing immediate risks to enterprise environments.
The first zero-day, CVE-2026-21510, is a security feature bypass in Windows Shell that allows attackers to execute arbitrary code by tricking users into clicking a malicious link. This flaw affects all currently supported Windows versions and bypasses built-in protection mechanisms without user prompts.
Two additional zero-days target Microsoft’s web and document platforms. CVE-2026-21513 is a security bypass vulnerability in MSHTML, the rendering engine of the default Windows web browser, enabling attackers to bypass security controls silently. CVE-2026-21514 affects Microsoft Word similarly, allowing bypass of security features that could lead to code execution.
Privilege escalation vulnerabilities include CVE-2026-21533 in Windows Remote Desktop Services, which permits local attackers to gain SYSTEM-level privileges, and CVE-2026-21519, an elevation of privilege flaw in Desktop Window Manager (DWM). DWM is critical for window management on user desktops. Notably, Microsoft patched a separate DWM zero-day just last month, indicating ongoing targeting of this component.
The sixth zero-day, CVE-2026-21525, is a denial-of-service vulnerability in the Windows Remote Access Connection Manager service responsible for maintaining VPN connections. Exploitation could disrupt remote access to corporate networks.
Beyond Windows, Microsoft addressed remote code execution vulnerabilities in development tools tied to GitHub Copilot and popular IDEs including VS Code, Visual Studio, and JetBrains products. CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256 stem from command injection flaws triggered by prompt injection attacks against AI-powered developer assistants.
Security researcher Kev Breen of Immersive highlights that attackers could leverage these AI vulnerabilities to execute malicious commands, potentially accessing sensitive developer credentials like API keys for AWS and Azure. Breen advises applying least-privilege principles and carefully controlling AI access in development workflows to reduce risk.
Chris Goettl from Ivanti notes Microsoft’s pattern of issuing out-of-band updates since January, including fixes for remote desktop credential prompt failures and Office security bypass zero-days (e.g., CVE-2026-21509).
Administrators should prioritize deploying these updates promptly to mitigate active exploits. The SANS Internet Storm Center provides a detailed breakdown of this month’s patches, indexed by severity and CVSS scores, aiding risk assessment. Enterprise teams should also monitor resources like askwoody.com for insights on update stability and compatibility issues.
Backing up critical data before patch deployment remains essential. Organizations experiencing installation problems are encouraged to share feedback to help refine update processes. These patches underscore the ongoing need for vigilant patch management amid persistent exploitation targeting Windows and development environments.
Original Source
Krebs on Security
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.