Alongside Windows and Azure patches, Microsoft has published its February 2026 security updates for Microsoft Office and on‑premises Exchange Server, addressing vulnerabilities ranging from information disclosure to remote code execution and privilege escalation. Some of these flaws are part of the same set of 50‑plus vulnerabilities fixed in this month’s Patch Tuesday, and at least one Office‑related zero‑day has been highlighted by security researchers as being actively exploited.
February 2026 Security Updates for Office
The February 2026 Office patches cover supported versions of Microsoft Office on Windows, including perpetual licenses and Microsoft 365 Apps on the desktop. Security advisories indicate that several Office vulnerabilities are being fixed this month, addressing issues in components like Word and shared Office libraries.
One of the notable zero‑days called out in our security coverage is CVE‑2026‑21514, a vulnerability affecting Microsoft Office Word with a CVSS score around 7.8 that can be exploited via malicious documents. This bug is one of three security feature bypass issues Microsoft lists as publicly disclosed at the time of patching, alongside CVE‑2026‑21510 and CVE‑2026‑21513. Attackers who convince users to open crafted files can use such vulnerabilities to bypass Office’s built‑in protections and potentially execute follow‑on code.
Office security updates are typically delivered automatically via Microsoft Update for Microsoft 365 Apps and through separate update channels for volume‑licensed Office installations. Admins should verify that February’s Office security updates are deployed across their fleet, especially on systems used by executives, finance teams, and others who frequently handle external documents.
Exchange Server Security Updates for Subscription Edition and 2019
On the server side, Microsoft’s Exchange team has released new Security Updates (SUs) for Exchange Server Subscription Edition and Exchange Server 2019 as part of the February 2026 patch cycle. These SUs address vulnerabilities that were responsibly reported to Microsoft by security partners and discovered by its internal security teams, continuing the cadence of monthly Exchange fixes.
Microsoft’s Exchange blog explains that the February 2026 SUs are available for:
-
Exchange Server Subscription Edition
-
Exchange Server 2019 (supported cumulative update branches)
The company strongly recommends that customers running any supported version install the latest SU as soon as possible, particularly for internet‑facing or hybrid deployments. Historically, many high‑profile breaches have involved unpatched Exchange servers exposed to the internet, and this month is no exception in terms of risk profile.
Post‑installation steps and known issues
As with previous Exchange releases, Microsoft stresses that admins should perform additional verification after installing the February 2026 SUs. Recommended steps include:
-
Running the latest Exchange Health Checker script to confirm the environment is in a supported and healthy state.
-
Verifying that the Exchange services have started correctly and that PowerShell remoting works as expected.
-
Checking for any warnings in the Application and System event logs related to the update.
Initial community feedback mentions that some Exchange Server 2019 environments have seen PowerShell connectivity issues after installing recent SUs, so testing in a staging environment before broad deployment remains a best practice.
Why Office and Exchange patches matter this month
This month’s Office and Exchange updates sit within the broader context of February 2026 Patch Tuesday, which fixes six actively exploited zero‑day vulnerabilities across Microsoft’s ecosystem. Office and Exchange have historically been attractive targets for attackers because they handle email and documents—the most common entry points for phishing and malware.
By patching Office and Exchange alongside Windows, organizations can close off multiple layers of their attack surface: the client apps that open malicious files, the servers that process and route email, and the underlying OS components attackers try to exploit for privilege escalation. For anyone running internet‑facing Exchange Server or handling sensitive data in Office, the February 2026 security updates should be treated as a high‑priority maintenance task, not an optional extra.
Recent Posts You Might Like
- Microsoft February 2026 Patch Tuesday Fixes 6 Zero‑Days and 50+ Windows Security Flaws
- Windows 10 February 2026 ESU Update KB5075912 Preps PCs for New Secure Boot Certificates
- Windows 11 February 2026 Update: KB5077181 and KB5075941 Fix Zero‑Days, Gaming Bugs, and Secure Boot Issues
- What’s New in Microsoft Sentinel February 2026: Improved Connectors, Multi‑Tenant Content, and More
- Microsoft Edge for Business Brings Safer, Scalable Browsing to K–12 Classrooms
Discover more from Microsoft News Now
Subscribe to get the latest posts sent to your email.
