Under Siege: Microsoft Unveils “Valentine’s Day” Fixes for 6 Actively Exploited Zero-Days

Microsoft has disseminated its February Patch Tuesday security ensemble, a particularly dense release that addresses a staggering 58 vulnerabilities. Of paramount concern is the revelation that six of these flaws are currently being weaponized in active, real-world incursions, while three were disclosed to the public prior to the availability of formal remediations.

This cyclical update encompasses the breadth of the Microsoft ecosystem, from desktop Windows iterations to server-side and cloud-based architectures. The primary focus of this release is the mitigation of privilege escalation defects, which account for 25 of the addressed issues. Furthermore, the patch rectifies 12 remote code execution vulnerabilities, alongside various security feature bypasses, data exfiltration risks, and denial-of-service threats. Microsoft has designated five specific vulnerabilities as “Critical,” involving both elevated authorization and sensitive information disclosure.

The most urgent priority for administrators and end-users alike is the neutralization of the six actively exploited zero-day vulnerabilities:

• CVE-2026-21510: Localized within the Windows Shell, this flaw permits the circumvention of security warnings. By enticing a user to engage with a specifically crafted link or shortcut, an adversary can suppress the system’s cautionary dialogues to execute deleterious content. This suggests a subversion of the Mark of the Web (MotW) mechanism, which typically identifies and restricts files originating from the internet.

• CVE-2026-21513: Pertaining to the MSHTML component, this vulnerability is characterized as a network-based security feature bypass, though the precise mechanics of its exploitation remain undisclosed by the corporation.

• CVE-2026-21514: Affecting Microsoft Word, this flaw facilitates the bypass of protections surrounding OLE (Object Linking and Embedding) objects. In a quintessential phishing scenario, a victim is persuaded to open a malicious document; however, Microsoft notes that the Office “Preview Pane” does not serve as a viable attack vector for this specific issue.

• CVE-2026-21519: Residing in the Desktop Window Manager, successful exploitation of this defect grants the assailant SYSTEM-level privileges, effectively ceding near-total dominion over the compromised machine.

• CVE-2026-21525: This vulnerability within the Windows Remote Access Service facilitates a Denial of Service (DoS) via a null pointer dereference. ACROS Security reported identifying functional exploit code for this flaw in public malware repositories as early as December 2025.

• CVE-2026-21533: Targeting Remote Desktop Services, this privilege escalation flaw was detailed by CrowdStrike. The observed exploit manipulates service configuration keys to grant the attacker the ability to instantiate new administrative accounts, thereby providing a springboard for further lateral movement.

Beyond vulnerability remediation, Microsoft has initiated a phased transition of Secure Boot certificates. The original 2011 certificates, slated for expiration in late June 2026, are being systematically replaced. Windows 11 “quality updates” now include telemetry to ascertain a device’s readiness for this certificate migration, which will proceed once consistent update stability is confirmed.

This security surge coincides with significant releases from other industrial titans, including Adobe, Cisco, Fortinet, and SAP. Concurrently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory directive for federal agencies to decommission end-of-life edge networking devices. Given the confirmed exploitation of multiple zero-days, Microsoft urges the immediate application of these patches, particularly for environments reliant on Office documentation and remote access services.