Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days
Published: February 11, 2026 at 05:22 AM EST
Source: The Hacker News
Microsoft on Tuesday released security updates to address a set of **[59 flaws](https://msrc.microsoft.com/update-guide/releaseNote/2026-feb)** across its software, including six vulnerabilities that it said have been exploited in the wild.
Of the 59 flaws, five are rated **Critical**, 52 are rated **Important**, and two are rated **Moderate** in severity.
Twenty‑five of the patched vulnerabilities have been classified as **privilege escalation**, followed by **remote code execution** (12), **spoofing** (7), **information disclosure** (6), **security feature bypass** (5), **denial‑of‑service** (3), and **cross‑site scripting** (1).
It’s worth noting that the patches are in addition to **[three security flaws](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security)** that Microsoft has addressed in its Edge browser since the release of the **[January 2026 Patch Tuesday update](https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html)**, including a **Moderate** vulnerability affecting Edge for Android (**CVE‑2026‑0391**, CVSS 6.5) that could allow an unauthorized attacker to perform spoofing over a network by exploiting a “user interface misrepresentation of critical information.”
### Actively exploited vulnerabilities
The six vulnerabilities flagged as **actively exploited** are:
- **[CVE‑2026‑21510](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21510)** – CVSS 8.8
A protection‑mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
- **[CVE‑2026‑21513](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21513)** – CVSS 8.8
A protection‑mechanism failure in the MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
- **[CVE‑2026‑21514](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21514)** – CVSS 7.8
Reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
- **[CVE‑2026‑21519](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21519)** – CVSS 7.8
A “type confusion” resource‑access error in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
- **[CVE‑2026‑21525](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21525)** – CVSS 6.2
A null‑pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
- **[CVE‑2026‑21533](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21533)** – CVSS 7.8
An improper privilege‑management issue in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.
Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) are credited with discovering and reporting the first three flaws, which were publicly known at the time of release. No further details have been released about how the vulnerabilities are being exploited or whether they were weaponized as part of the same campaign.
> “CVE‑2026‑21513 is a security‑feature‑bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” said **Jack Bicer**, director of vulnerability research at Action1. “It is caused by a protection‑mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”
> — *[Action1 Patch Tuesday – February 2026](https://www.action1.com/patch-tuesday/patch-tuesday-february-2026/)*
**Satnam Narang**, senior staff research engineer at Tenable, noted that **CVE‑2026‑21513** and **CVE‑2026‑21514** share “a lot of similarities” with **CVE‑2026‑21510**; the main difference is that CVE‑2026‑21513 can be exploited via an HTML file, whereas CVE‑2026‑21514 requires a Microsoft Office file.
**CVE‑2026‑21525** is linked to a zero‑day that ACROS Security’s 0patch service discovered in December 2025 while investigating another related flaw in the same component (**CVE‑2025‑59230**).
> “These **CVE‑2026‑21519** and **CVE‑2026‑21533** are local privilege‑escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” said **Kev Breen**, senior director of cyber‑threat research at Immersive, to *The Hacker News* via email. “This could occur through a malicious attachment, a remote code‑execution vulnerability, or lateral movement from another compromise.”
> "Once on the host, the attacker can use these escalation vulnerabilities to elevate privileges to SYSTEM. With this level of access, a threat actor could disable security tooling, deploy additional malware, or, in worst‑case scenarios, access secrets or credentials that could lead to full domain compromise."
Cybersecurity vendor **CrowdStrike**, which has been acknowledged for reporting **CVE‑2026‑21533**, said it does not attribute the exploitation activity to a specific adversary, but noted that threat actors in possession of the exploit binaries will likely ramp up their efforts to use or sell them in the near term.
> "The CVE‑2026‑21533 exploit binary modifies a service configuration key, replacing it with an attacker‑controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group,"
> — *Adam Meyers, head of Counter Adversary Operations at CrowdStrike*, told *The Hacker News* in an emailed statement.
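For defenders, the behavior CrowdStrike describes (a service configuration key changed, then a user added to the Administrators group) can be hunted as a correlation across registry and account-management telemetry. The following is an added example, not code from CrowdStrike, Microsoft or The Hacker News; it assumes events already normalized from Sysmon Event ID 13 (registry value set) and Security Event ID 4732 (member added to a local group), and the field names, service name `ExampleSvc`, hosts, accounts and time window are constructed for illustration.

```python
from datetime import datetime, timedelta

SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"  # where Windows stores service configuration
ADMINS_SID = "S-1-5-32-544"                                    # built-in Administrators group
TRUSTED_WRITERS = {r"nt authority\system", r"nt service\trustedinstaller"}  # assumption: tune per estate
WINDOW = timedelta(minutes=10)                                 # assumed correlation window

# Constructed sample events (not real telemetry); "id" is the Windows/Sysmon event ID.
EVENTS = [
    {"ts": "2026-02-11T09:00:02", "host": "ws-01", "id": 13, "user": r"CORP\alice",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath"},
    {"ts": "2026-02-11T09:00:41", "host": "ws-01", "id": 4732, "user": r"NT AUTHORITY\SYSTEM",
     "target": ADMINS_SID},
    # Service key written by SYSTEM (e.g. an installer): not treated as suspicious here.
    {"ts": "2026-02-11T09:05:00", "host": "ws-02", "id": 13, "user": r"NT AUTHORITY\SYSTEM",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start"},
    {"ts": "2026-02-11T09:05:30", "host": "ws-02", "id": 4732, "user": r"CORP\helpdesk",
     "target": ADMINS_SID},
    # Admin-group change with no preceding service-key write on that host.
    {"ts": "2026-02-11T09:10:00", "host": "ws-03", "id": 4732, "user": r"CORP\helpdesk",
     "target": ADMINS_SID},
    # Non-trusted write, but the group change falls outside the window.
    {"ts": "2026-02-11T08:00:00", "host": "ws-04", "id": 13, "user": r"CORP\bob",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath"},
    {"ts": "2026-02-11T09:00:00", "host": "ws-04", "id": 4732, "user": r"NT AUTHORITY\SYSTEM",
     "target": ADMINS_SID},
]

def correlate(events):
    """Alert when a non-trusted account writes under a service key and the same
    host sees a member added to Administrators within WINDOW afterwards."""
    alerts, writes = [], {}  # writes: host -> [(time, user, key)]
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 13 and ev["target"].lower().startswith(SERVICES_ROOT):
            if ev["user"].lower() not in TRUSTED_WRITERS:
                writes.setdefault(host, []).append((ts, ev["user"], ev["target"]))
        elif ev["id"] == 4732 and ev["target"] == ADMINS_SID:
            for wts, user, key in writes.get(host, []):
                if timedelta(0) <= ts - wts <= WINDOW:
                    alerts.append({"host": host, "writer": user, "key": key,
                                   "seconds_to_admin_add": int((ts - wts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Sysmon only emits Event ID 13 for registry paths its configuration includes, so the Services hive has to be in scope for the first half of the correlation to fire.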
The development has prompted the U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** to [add all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/news-events/alerts/2026/02/10/cisa-adds-six-known-exploited-vulnerabilities-catalog), requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by **March 3, 2026**.
The update also coincides with Microsoft rolling out [updated Secure Boot certificates](https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html) to replace the original 2011 certificates that will expire in late June 2026. The new certificates will be installed through the regular monthly Windows update process without any additional action.
> "If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running," the tech giant [said](https://blogs.windows.com/windowsexperience/2026/02/10/refreshing-the-root-of-trust-industry-collaboration-on-secure-boot-certificate-updates/).
> "However, the device will enter a degraded security state that limits its ability to receive future boot‑level protections."

> "As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot‑dependent software may fail to load."
In tandem, Microsoft said it is also strengthening default protections in Windows through two security initiatives:
* **Windows Baseline Security Mode** – Windows will move toward operating with runtime‑integrity safeguards enabled by default. These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping protect the system from tampering or unauthorized changes.
*(Source: [Microsoft blog post, Feb 9 2026](https://blogs.windows.com/windowsexperience/2026/02/09/strengthening-windows-trust-and-security-through-user-transparency-and-consent/))*
* **User Transparency and Consent** – Analogous to Apple's macOS Transparency, Consent, and Control (TCC) framework, this initiative introduces a consistent approach to handling security decisions. The OS will prompt users when apps try to access sensitive resources (files, camera, microphone) or attempt to install unintended software.
> "These prompts are designed to be clear and actionable, and you'll always have the ability to review and change your choices later,"
> — *Logan Iyer, Distinguished Engineer at Microsoft*
Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.