Microsoft on Tuesday released security updates addressing 58 vulnerabilities across Windows and related products. Among them are six zero-day flaws that the company confirmed are actively exploited. Three of those were publicly disclosed before patches became available.
The breakdown of vulnerabilities includes: 25 Elevation of Privilege, 12 Remote Code Execution, 7 Spoofing, 6 Information Disclosure, 5 Security Feature Bypass, and 3 Denial of Service. Five of the vulnerabilities are rated Critical, with the majority classified as Important.
The six actively exploited vulnerabilities span Windows, Office, and Remote Desktop components:
CVE-2026-21510 affects the Windows Shell and allows attackers to bypass SmartScreen security warnings. Users just need to click a malicious link or shortcut file, and the attacker’s code runs without any warning prompts. Microsoft’s security teams, along with Google Threat Intelligence Group and an anonymous researcher, caught this one.
“Bypassing Windows Shell and SmartScreen protections significantly increases the success rate of malware delivery and phishing campaigns,” said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. “Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching.”
CVE-2026-21513 hits the MSHTML Framework with a similar security bypass. “In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise,” explained Jack Bicer, director of vulnerability research at Action1. Even though Microsoft moved to Chromium-based Edge years ago, MSHTML still lurks in Windows shell components and third-party apps.
CVE-2026-21514 targets Microsoft Word and Office 365, bypassing protections against malicious embedded objects. The other three zero-days enable privilege escalation and service disruptions. CVE-2026-21519 exploits Desktop Window Manager to grant attackers SYSTEM-level privileges.
CVE-2026-21533 does the same through Windows Remote Desktop Services. Finally, CVE-2026-21525 is a denial-of-service flaw in Windows Remote Access Connection Manager that ACROS Security stumbled upon while hunting for exploits in a public malware repository back in December 2025. Walters told TechRepublic that a “simple local trigger can knock critical Windows networking services offline without warning.” He added, “Repeated exploitation could be used as a distraction or to degrade system reliability during broader attack activity.”
Federal agencies face March 3 deadline
The US Cybersecurity and Infrastructure Security Agency (CISA) has now added all six vulnerabilities to its Known Exploited Vulnerabilities catalog. Federal agencies now have until March 3, 2026, to patch their systems. To put this month’s haul in perspective, Microsoft disclosed 41 zero-days across all of 2025.
Six in a single month is a significant spike. The February release patches 58 total flaws, far below the nearly 200 vulnerabilities fixed last October. But security researchers say the number of patches is irrelevant when attackers are already weaponizing a half-dozen of them.
“The presence of six zero-days makes this release more urgent than the numbers alone might suggest,” Bicer said.
This Patch Tuesday also kicks off Microsoft’s rollout of updated Secure Boot certificates to replace the original 2011 versions expiring in late June 2026. The new certificates install automatically through regular Windows updates, with Microsoft using a phased approach to ensure stability.
For more on how attackers are targeting Windows networking services, read our full breakdown of the RasMan VPN vulnerability and what it means for enterprise security.