Microsoft released cumulative security updates for February, addressing 59 vulnerabilities across its software. Six of these flaws were actively exploited in the wild, prompting immediate attention from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This significant patch release underscores the ongoing challenges in securing digital environments against evolving cyber threats, with a particular focus on protecting users from widespread exploitation.
Microsoft Patches Actively Exploited Vulnerabilities in Latest Security Update
Microsoft on Tuesday issued a batch of security updates targeting 59 distinct vulnerabilities within its software ecosystem. The most critical aspect of this release involves six flaws that have already been exploited by malicious actors. These vulnerabilities span various Microsoft products, with severity ratings ranging from Moderate to Critical, highlighting the broad impact of these security gaps. The patches come as part of Microsoft’s regular “Patch Tuesday” schedule, aiming to bolster the security posture of millions of users worldwide.
Among the 59 addressed flaws, five are classified as Critical, indicating a severe risk of exploitation. An additional 52 vulnerabilities are rated as Important, while two are deemed Moderate in severity. The types of vulnerabilities patched include privilege escalation (25), remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). These updates address a wide array of potential attack vectors that could compromise user data and system integrity.
The security updates are in addition to patches released earlier for the Microsoft Edge browser. Since the January 2026 Patch Tuesday, three security flaws affecting Edge have been addressed, including a Moderate vulnerability (CVE-2026-0391) on the Android platform. This particular flaw, with a CVSS score of 6.5, could allow an unauthorized attacker to conduct spoofing attacks over a network by exploiting a “user interface misrepresentation of critical information.”
Six Vulnerabilities Actively Exploited in the Wild
Of greatest concern this month are six vulnerabilities that Microsoft has confirmed are being actively exploited in the wild:
CVE-2026-21510 (CVSS score: 8.8): This vulnerability in Windows Shell allows an unauthorized attacker to bypass security features over a network by exploiting a protection mechanism failure.
CVE-2026-21513 (CVSS score: 8.8): A protection mechanism failure in the MSHTML Framework allows for a security feature bypass when exploited by an unauthorized attacker over a network.
CVE-2026-21514 (CVSS score: 7.8): This vulnerability in Microsoft Office Word, caused by a reliance on untrusted inputs in security decisions, allows an unauthorized attacker to bypass security features locally.
CVE-2026-21519 (CVSS score: 7.8): A type confusion vulnerability in the Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-21525 (CVSS score: 6.2): A null pointer dereference in the Windows Remote Access Connection Manager enables an unauthorized attacker to perform a denial of service locally.
CVE-2026-21533 (CVSS score: 7.8): This vulnerability in Windows Remote Desktop allows an authorized attacker to elevate privileges locally due to improper privilege management.
Microsoft’s internal security teams and Google Threat Intelligence Group (GTIG) are credited with discovering and reporting the first three vulnerabilities, which were publicly known at the time of the update’s release. It remains unclear how the flaws are being exploited and whether they were part of a single coordinated campaign.
“CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” stated Jack Bicer, director of vulnerability research at Action1. “It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”
Satnam Narang, senior staff research engineer at Tenable, noted that CVE-2026-21513 and CVE-2026-21514 share significant similarities with CVE-2026-21510. The key distinction is that CVE-2026-21513 can be exploited via an HTML file, whereas CVE-2026-21514 is exploitable only through a Microsoft Office file.
Regarding CVE-2026-21525, it is reportedly linked to a zero-day vulnerability discovered by ACROS Security’s 0patch service in December 2025 during an investigation into a related flaw in the same component (CVE-2025-59230).
“These [CVE-2026-21519 and CVE-2026-21533] are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” explained Kev Breen, senior director of cyber threat research at Immersive. He added that such access could be obtained through malicious attachments, remote code execution vulnerabilities, or lateral movement from compromised systems.
Once an attacker gains initial access, these privilege escalation vulnerabilities can be leveraged to elevate their permissions to the SYSTEM level. This elevated access allows threat actors to disable security software, deploy additional malware, and potentially access sensitive credentials, leading to a full domain compromise.
CISA Mandates Fixes and Secure Boot Certificate Updates
In response to the actively exploited vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six critical flaws to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are therefore required to implement the necessary fixes by March 3, 2026.
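The following is an added example, not code from Microsoft or CISA: a small Python tracker that joins a KEV-style feed against per-host lists of unpatched CVEs and ranks the remaining work by days left to the due date. The feed excerpt, product strings and host names are constructed sample data; only the CVE IDs and the March 3, 2026 due date come from the article.

```python
import json
from datetime import date

# Constructed excerpt using the cveID/dueDate field names of CISA's KEV JSON
# feed. CVE IDs and the due date are from the article; the rest is sample data.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21510", "product": "Windows Shell", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21513", "product": "MSHTML Framework", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21514", "product": "Office Word", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21519", "product": "Desktop Window Manager", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21525", "product": "Remote Access Connection Manager", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21533", "product": "Remote Desktop", "dueDate": "2026-03-03"},
]})

# Constructed scanner output (hypothetical hosts): host -> CVEs still unpatched.
UNPATCHED = {
    "ws-014": ["CVE-2026-21513", "cve-2026-21514"],
    "rdp-gw-02": ["CVE-2026-21533", "CVE-2026-0391"],  # the Edge CVE is not in the sample
    "build-07": [],
}

def load_kev(raw):
    """Index KEV entries by upper-cased CVE ID, parsing dueDate into a date."""
    return {
        v["cveID"].upper(): {"product": v["product"], "due": date.fromisoformat(v["dueDate"])}
        for v in json.loads(raw)["vulnerabilities"]
    }

def kev_worklist(unpatched, kev, today):
    """List unpatched KEV findings, most urgent first (fewest days left)."""
    rows = []
    for host, cves in unpatched.items():
        for cve in cves:
            entry = kev.get(cve.upper())
            if entry is None:
                continue  # not a KEV entry: leave it to the normal patch cycle
            days_left = (entry["due"] - today).days
            rows.append({"host": host, "cve": cve.upper(), "product": entry["product"],
                         "days_left": days_left, "overdue": days_left < 0})
    return sorted(rows, key=lambda r: (r["days_left"], r["host"], r["cve"]))

def hosts_at_risk(rows):
    """Hosts that still carry at least one KEV finding, in worklist order."""
    return list(dict.fromkeys(r["host"] for r in rows))

if __name__ == "__main__":
    for r in kev_worklist(UNPATCHED, load_kev(KEV_SAMPLE), date(2026, 2, 20)):
        status = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:10} {r['cve']:15} {r['product']:34} {status}")
```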
The February update also includes the rollout of updated Secure Boot certificates. These new certificates are intended to replace the original 2011 certificates, which are set to expire in late June 2026. The new certificates will be distributed through the standard Windows update process, requiring no additional user action.
Microsoft stated that devices not receiving the new certificates before the expiration of the 2011 certificates will continue to function normally. However, these systems will enter a “degraded security state,” which will limit their ability to receive future boot-level protections. This could lead to increased exposure as new boot-level vulnerabilities are discovered and can no longer be mitigated.
Furthermore, Microsoft is enhancing default protections in Windows through two key security initiatives: Windows Baseline Security Mode and User Transparency and Consent. These efforts align with the company’s Secure Future Initiative and Windows Resiliency Initiative.
Windows Baseline Security Mode aims to enable runtime integrity safeguards by default. These safeguards ensure that only properly signed applications, services, and drivers are permitted to run, thereby protecting the system from tampering and unauthorized modifications.
The User Transparency and Consent feature, similar to Apple’s macOS Transparency, Consent, and Control (TCC) framework, will introduce a standardized approach to managing security decisions. The operating system will prompt users when applications attempt to access sensitive resources like files, the camera, or the microphone, or when they try to install unintended software. These prompts will be designed for clarity and actionability, with users retaining the ability to review and modify their choices.
Logan Iyer, Distinguished Engineer at Microsoft, noted that “Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.” This move signals a broader commitment to user privacy and system integrity in future Windows releases.
The next steps will involve FCEB agencies diligently applying the mandated patches by the March 3, 2026 deadline to mitigate the risks associated with the actively exploited vulnerabilities. Meanwhile, users should ensure their Windows systems are updated to receive the new Secure Boot certificates before the upcoming expiration date to maintain optimal security posture.

