Six Zero-Days Under Fire: February 2026 Patch Tuesday Breakdown
Microsoft released its February 2026 security updates on February 10th, patching 59 vulnerabilities across Windows, Office, Azure, and developer tools. The headline: six zero-day vulnerabilities were already being exploited in the wild before patches dropped. Three of those were also publicly disclosed, meaning attackers had a head start.
This is not a routine Patch Tuesday. Here's the breakdown.
The Official Word
The Six Zero-Days
| CVE | Component | Type | CVSS | Impact |
|---|---|---|---|---|
| CVE-2026-21510 | Windows Shell | Security Feature Bypass | 8.8 | Bypasses SmartScreen/MOTW via crafted LNK files |
| CVE-2026-21513 | MSHTML Framework | Security Feature Bypass | 8.8 | Bypasses IE-based security checks via malicious HTML |
| CVE-2026-21514 | Microsoft Word | Security Feature Bypass | 7.8 | Bypasses Office macro protections via crafted documents |
| CVE-2026-21519 | Desktop Window Manager | Elevation of Privilege | 7.8 | Local attacker escalates to SYSTEM |
| CVE-2026-21533 | Remote Desktop Services | Elevation of Privilege | — | Local attacker gains SYSTEM access via RDP stack |
| CVE-2026-21525 | Remote Access Connection Manager | Denial of Service | 6.2 | Unauthenticated local attacker crashes VPN connections |
CVE-2026-21510 is the most dangerous. Attackers craft malicious .lnk shortcut files that Windows Shell misidentifies as trusted local content, completely bypassing SmartScreen, Mark of the Web, UAC, and antivirus heuristics. The payload executes silently with full user privileges. Real-world exploitation has already been linked to ransomware and info-stealer deployments.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to remediate immediately.
Critical Azure Vulnerabilities (CVSS 9.8)
Two Azure-specific flaws scored the maximum severity:
- CVE-2026-21531 — Azure SDK vulnerability allowing remote code execution
- CVE-2026-24300 — Azure Front Door vulnerability enabling unauthenticated compromise
Cloud teams running Azure-native workloads should prioritize these alongside the zero-days.
Out-of-Band Office Zero-Day (CVE-2026-21509)
Before February's Patch Tuesday, Microsoft issued an emergency patch for CVE-2026-21509 — a high-severity Office zero-day (CVSS 7.8) that bypasses OLE mitigations through crafted documents. This vulnerability was linked to APT28 (Russian-nexus threat actor), making it a targeted espionage weapon. CISA set a remediation deadline of February 16, 2026.
Secure Boot Certificate Rollover
Microsoft began rolling out updated Secure Boot certificates in this release, deprecating legacy 2011 certificates that expire in June 2026. IT teams managing UEFI Secure Boot policies should test this transition in pilot environments now to avoid fleet-wide boot failures later.
Community Signal
The r/sysadmin Patch Tuesday megathread (Feb 10, 2026) is active but more measured than January's heated rolloutl.
Key community observations:
- VPN disruption risk: CVE-2026-21525 (RasMan DoS) is drawing the most concern from sysadmins. A successful exploit crashes VPN connections managed by Remote Access Connection Manager. For organizations with remote-heavy workforces, an unpatched fleet could mean widespread connectivity loss.
- Windows Server 2019: Early reporters note no issues after applying the February CU to Server 2019 environments.
- Persistent VSM shutdown bug: The January 2026 regression — where Windows 11 23H2 systems with Virtual Secure Mode (VSM) enabled restart instead of shutting down — remains unresolved for some configurations. The out-of-band fix only covered Secure Launch devices.
- AI prompt injection in dev tools: Krebs on Security flagged that some of the February fixes address vulnerabilities in GitHub Copilot, VS Code, and Visual Studio related to AI prompt injection — a new category that hasn't fully registered with most sysadmin teams yet.
Analysis & Guidance
Risk Rating: 🔴 Urgent
Six actively exploited zero-days is an exceptional count for a single Patch Tuesday. Three security feature bypasses in the same release means attackers have multiple vectors to circumvent endpoint protections. The SmartScreen bypass (CVE-2026-21510) is particularly dangerous because it defeats the very mechanism most organizations rely on to block untrusted executables.
Recommended Actions
Immediate (Within 48 Hours)
- Patch CVE-2026-21510 — SmartScreen bypass. This is the top priority. Confirm deployment across all Windows endpoints.
- Patch CVE-2026-21509 — The APT28-linked Office zero-day. The CISA deadline is February 16th.
- Enable ASR rules — Attack Surface Reduction rules for Office and Edge provide defense-in-depth while patches propagate.
Short-Term (Within 1 Week)
4. Deploy the full February CU — Covers all six zero-days and the 53 additional CVEs.
5. Audit Azure SDK and Front Door — Cloud teams should remediate CVE-2026-21531 and CVE-2026-24300 (CVSS 9.8).
6. Monitor Event ID 1116 — Track Shell execution events and anomalous .lnk file creation for signs of CVE-2026-21510 exploitation.
Watch Items 7. Secure Boot certificate rollover — Test in a pilot group before fleet-wide enforcement to catch compatibility issues early. 8. VSM shutdown regression — If running Windows 11 23H2 with VSM, test shutdown behavior post-patch. 9. AI prompt injection — If your organization uses GitHub Copilot or VS Code extensions, ensure the latest patches are applied to the IDE layer.
Stay updated on the latest intel by checking our Patches Dashboard for real-time risk scores.