Feb 16, 2026
Microsoft Just Patched 6 Zero-Days That Hackers Are Already Using Against You
Microsoft's February 2026 Patch Tuesday fixes 58 vulnerabilities, including six zero days being actively exploited in the wild. One gives attackers full system privileges. CISA has ordered federal agencies to patch by March 3.
What Happened
On February 10, 2026, Microsoft released its monthly Patch Tuesday update, addressing 58 security vulnerabilities across Windows, Office, Azure, and developer tools. Six of those vulnerabilities are zero days, meaning hackers discovered and started exploiting them before Microsoft had a fix ready.
All six zero days have been added to CISA's Known Exploited Vulnerabilities catalog, which means federal civilian agencies are now required to apply the patches by March 3, 2026. But if you are running Windows on any personal or work machine, you should update now.
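For teams tracking that deadline, the sketch below reads a KEV-style JSON document and reports, for each CVE named in this article, whether it is listed and how many days remain before the due date. It is an added example, not code from Microsoft or CISA; the excerpt is constructed rather than real feed data, and the function names are hypothetical.

```python
import json
from datetime import date

# The six CVE IDs named in this article.
TRACKED = [
    "CVE-2026-21510", "CVE-2026-21513", "CVE-2026-21514",
    "CVE-2026-21519", "CVE-2026-21525", "CVE-2026-21533",
]

# Constructed excerpt shaped like CISA's KEV JSON feed (not real feed data).
# cveID, vendorProject and dueDate are KEV field names; the due date is the
# March 3, 2026 deadline stated in the article.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": cve, "vendorProject": "Microsoft", "dueDate": "2026-03-03"}
    for cve in TRACKED
]})


def kev_status(kev_json, tracked, today):
    """Return {cve: {"listed", "due", "days_left"}} for each tracked CVE."""
    entries = {}
    for item in json.loads(kev_json).get("vulnerabilities", []):
        cve = str(item.get("cveID", "")).strip().upper()
        if cve:
            entries[cve] = item
    report = {}
    for cve in tracked:
        item = entries.get(cve.strip().upper())
        if item is None:
            # Not in the catalog: no federal deadline applies to this ID.
            report[cve] = {"listed": False, "due": None, "days_left": None}
            continue
        due = date.fromisoformat(item["dueDate"])
        report[cve] = {"listed": True, "due": due,
                       "days_left": (due - today).days}
    return report


def overdue(report):
    """Listed CVEs whose due date has already passed."""
    return sorted(c for c, r in report.items()
                  if r["listed"] and r["days_left"] < 0)


if __name__ == "__main__":
    # The article's publication date is used as "today" for a stable result.
    status = kev_status(SAMPLE_KEV, TRACKED, date(2026, 2, 16))
    for cve, r in sorted(status.items()):
        print(cve, "listed" if r["listed"] else "not listed",
              r["due"], r["days_left"])
```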
The Six Zero Days
Here is what each vulnerability does and why it matters.
CVE-2026-21519: Full System Takeover
This is the most dangerous of the six. A flaw in the Desktop Window Manager lets an attacker who already has a foothold on your system escalate their privileges to SYSTEM level. That is the highest level of access on a Windows machine. It means complete control over your files, your applications, and your data.
CVE-2026-21510: SmartScreen Bypass
This Windows Shell vulnerability lets attackers bypass SmartScreen, the security feature that warns you before opening potentially dangerous files. With a CVSS score of 8.8, it is rated as high severity. The attack requires convincing a user to click a malicious link or open a crafted shortcut file, but once that happens, the usual safety prompts simply do not appear.
CVE-2026-21513: MSHTML Framework Bypass
This is a security feature bypass in MSHTML, the rendering engine still used by Internet Explorer components embedded in other applications. The flaw lets attackers bypass network-based protection mechanisms, which is especially concerning for organizations that rely on legacy web components.
CVE-2026-21514: Microsoft Word Bypass
This vulnerability bypasses OLE mitigations in Microsoft Word that are supposed to protect users from vulnerable COM/OLE controls. OLE (Object Linking and Embedding) allows documents to contain embedded objects from other applications. Attackers are exploiting this to run malicious code through specially crafted Word documents.
CVE-2026-21533: Remote Desktop Privilege Escalation
A flaw in Windows Remote Desktop Services allows attackers to replace a service configuration key with an attacker-controlled one, enabling privilege escalation. CrowdStrike revealed that threat actors have been using this vulnerability to target organizations in the United States and Canada since at least December 24, 2025, meaning it was being exploited for nearly two months before a fix was available.
CVE-2026-21525: Remote Access Denial of Service
A null pointer dereference in the Windows Remote Access Connection Manager allows an unauthorized attacker to crash the service locally. While less severe than the others, denial of service attacks can disrupt remote workers and VPN connections at critical moments.
Why Six at Once Is Unusual
Microsoft patches zero days regularly, but six actively exploited vulnerabilities in a single month is notable. For context, Microsoft patched three zero days in January 2026 and four in December 2025. The February batch is the largest collection of actively exploited flaws in a single Patch Tuesday since mid-2025.
The variety of attack vectors is also concerning. These are not six variations of the same bug. They span the Windows Shell, Office, the MSHTML rendering engine, the Desktop Window Manager, Remote Desktop Services, and the Remote Access Connection Manager. Attackers are probing multiple surfaces simultaneously.
Who Is Being Targeted
CrowdStrike confirmed that CVE-2026-21533, the Remote Desktop Services flaw, has been used against organizations in the United States and Canada since December 2025. The targeting suggests these are not opportunistic attacks but deliberate campaigns against specific entities.
The SmartScreen and Word bypasses are particularly dangerous for everyday users because they require only a click on a malicious link or document. Phishing emails remain the primary delivery method for these types of attacks.
What You Should Do
Update Windows immediately. Go to Settings, then Windows Update, and check for updates. If you are on a managed corporate device, contact your IT department to confirm the patches are being deployed.
- Do not delay the update. All six vulnerabilities are being actively exploited.
- Be cautious with email attachments, especially Word documents from unknown senders.
- Avoid clicking links in unsolicited emails. The SmartScreen bypass means the usual warning prompts may not appear.
- If you use Remote Desktop, verify your organization has applied the patch and review access logs for unusual activity since December 2025.
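For the Remote Desktop log review in the last item, the sketch below filters exported logon records for successful RDP sessions (Security event 4624, logon type 10) since December 24, 2025, and flags those whose source address is missing or outside the networks you expect. It is an added example, not part of the original article or any vendor tooling; the CSV column layout, the sample rows, the `EXPECTED_NETS` range and the two flagging rules are assumptions to adapt to your environment.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: event 4624 rows exported to CSV (column layout assumed).
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2025-12-20T09:14:02,4624,10,alice,10.20.0.15
2025-12-26T02:41:37,4624,10,svc_backup,203.0.113.44
2026-01-05T08:55:10,4624,3,alice,10.20.0.15
2026-01-09T10:02:51,4624,10,alice,10.20.0.15
2026-02-01T23:17:05,4624,10,bob,198.51.100.7
2026-02-03T11:30:00,4624,10,bob,-
"""

# Earliest exploitation date the article attributes to CrowdStrike.
CUTOFF = datetime(2025, 12, 24)
# Hypothetical corporate/VPN range; replace with your own.
EXPECTED_NETS = [ip_network("10.20.0.0/16")]


def review_rdp_logons(csv_text, cutoff=CUTOFF, expected=EXPECTED_NETS):
    """Return (time, user, source, reason) for RDP logons worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # 4624 = successful logon; type 10 = RemoteInteractive (RDP).
        if row["EventID"] != "4624" or row["LogonType"] != "10":
            continue
        when = datetime.fromisoformat(row["TimeCreated"])
        if when < cutoff:
            continue
        user, raw = row["TargetUserName"], row["IpAddress"].strip()
        try:
            src = ip_address(raw)
        except ValueError:
            # An RDP logon without a parsable source is itself worth checking.
            findings.append((when, user, raw, "no source address"))
            continue
        if not any(src in net for net in expected):
            findings.append((when, user, str(src), "unexpected source network"))
    return findings


if __name__ == "__main__":
    for when, user, src, reason in review_rdp_logons(SAMPLE_CSV):
        print(when.isoformat(), user, src, reason)
```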