Microsoft is rolling out a particularly busy February 2026 Patch Tuesday, shipping fixes for roughly 50–60 vulnerabilities across Windows, Office, Azure, Edge, Exchange, Hyper‑V, WSL, and more. Security vendors and researchers put the total at between 58 and 60 CVEs, while Microsoft’s own bulletins list 59 flaws, including six zero‑day vulnerabilities that are already being exploited in the wild. For Windows and Microsoft 365 admins, this is not the month to sit on patches and wait.
Six zero‑days already under active attack
The headline this month is the six zero‑day bugs that Microsoft confirms were exploited before patches became available. Out of the 59 vulnerabilities, five are rated Critical, most of the rest Important, and about a quarter of them are privilege‑escalation issues that help attackers move from a foothold to full control. This Patch Tuesday covers:
-
Around 25 elevation‑of‑privilege vulnerabilities
-
Roughly a dozen remote code execution issues
-
Multiple spoofing, information disclosure, security feature bypass, denial‑of‑service, and one XSS bug across Microsoft’s stack
Six of those flaws are being used in real‑world attacks right now, with three of them already publicly disclosed when the patches landed. That combination—public details and in‑the‑wild exploitation—significantly raises the urgency for enterprises with internet‑facing systems.
CVE‑2026‑21510, CVE‑2026‑21513, CVE‑2026‑21514, and CVE‑2026‑21525
Among the vulnerabilities patched this month, a few stand out as especially important for defenders to understand and prioritize.
CVE‑2026‑21510 is a high‑impact security feature bypass affecting a core Windows component, which multiple reports link to Defender SmartScreen behavior and Windows Shell. This bug effectively weakens a line of defense users rely on when opening suspicious downloads or links, and it has been assigned a CVSS score in the high‑8s range in some advisories.
CVE‑2026‑21513 and CVE‑2026‑21514 are also flagged as security feature bypass issues, affecting Internet Explorer and Microsoft Office Word respectively. These vulnerabilities can allow attackers to sidestep built‑in security checks once they convince a user to open a malicious file or browse to a crafted page.
Meanwhile, CVE‑2026‑21525 and related vulnerabilities appear in several vendor write‑ups as part of the zero‑day set that CISA has already added to its Known Exploited Vulnerabilities (KEV) catalog. KEV inclusion means US federal civilian agencies are under a firm deadline to patch, which is often a good signal for everyone else to treat these bugs as top‑priority.
Security researchers highlight that once an attacker lands on a host—through phishing, browser exploits, or other vectors—these elevation‑of‑privilege and bypass flaws can be chained to gain SYSTEM‑level access, disable endpoint protection, deploy additional malware, or harvest credentials and secrets. In worst‑case scenarios, that opens the door to full domain compromise.
Why this February 2026 Patch Tuesday is especially urgent
Many of the bugs this month impact core Windows components, Office, and server workloads that commonly sit on the network edge. That means exposed Windows servers, RDS hosts, and Exchange front‑ends are all in scope for attackers looking to move quickly from initial access to full environment compromise.
What Windows admins should patch first
If you run mixed environments with Windows, Office, and Exchange, here’s a practical prioritization order aligned with what security guidance recommends this month:
-
Apply the latest cumulative updates for Windows 11 and Windows 10 ESU on internet‑facing servers and high‑risk endpoints, focusing on closing the zero‑days first.
-
Patch Office across Microsoft 365 Apps and on‑prem installations to pick up fixes for Office‑related zero‑days like CVE‑2026‑21514.
-
Deploy the February 2026 Security Updates (SUs) for Exchange Server Subscription Edition and Exchange Server 2019, especially on servers reachable from the internet.
-
Verify that any systems covered by Extended Security Updates—particularly Windows 10 22H2 and 21H2—have received their ESU cumulative update and servicing stack update.
As always, you can install the February 2026 cumulative updates via Windows Update, Windows Server Update Services (WSUS), Microsoft Endpoint Manager, or manual downloads from the Microsoft Update Catalog. But given the six actively exploited zero‑days, this is one of those Patch Tuesdays where “test quickly and roll out fast” is the right mindset.
Recent Posts You Might Like
Windows 10 February 2026 ESU Update KB5075912 Preps PCs for New Secure Boot Certificates
Discover more from Microsoft News Now
Subscribe to get the latest posts sent to your email.
