6 zero-day fixes • The Register
What better way to say I love you than with an update? Attackers exploited a whopping six Microsoft bugs as zero-days prior to Redmond releasing software fixes on February’s Patch Tuesday.
For comparison, last month we saw just one Windows vulnerability under attack before the January Patch Tuesday fix.
Of course, then there are also the emergency patches released because the first try didn’t plug the security hole – but that’s a different story.
As always, Microsoft did not provide any additional details about who attacked these six flaws and how widespread exploitation may be. But considering that three of the six are also listed as publicly disclosed – meaning there may already be proof-of-concept exploits floating around the internet – we expect to see more reports (and details) about active exploitation soon.
Here’s what we do know about the six CVEs under attack, and you can read about all 59 Microsoft CVEs here.
Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510): Exploiting this bug, which received an 8.8 CVSS rating, requires an attacker to convince a user to open a malicious link or shortcut file – but we all know that most people will click on just about anything, so that’s not difficult to pull off. Once the user opens the malicious link, the attacker can bypass Windows SmartScreen and Windows Shell security prompts to execute code on the victim’s system without user warning or consent.
As Trend Micro Zero Day Initiative’s Dustin Childs warns, “this bug is listed as a security feature bypass, but it could also be classified as code execution … Definitely test and deploy this fix quickly.”
In addition to being marked “exploitation detected,” Microsoft lists this bug as being publicly disclosed.
Internet Explorer Security Feature Bypass Vulnerability (CVE-2026-21513): This bug also received an 8.8 CVSS rating, is under attack and publicly known, and could lead to remote code execution (RCE). It’s another flaw where the attacker needs to convince a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. After the user clicks on the link, however, it’s game over.
“The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Redmond explained. “This allows the attacker to bypass security features and potentially achieve code execution.”
The potential silver lining: since support for Internet Explorer on Windows ended years ago, in 2022, hopefully there aren’t a whole lot of people still using this retired browser.
Microsoft Word Security Feature Bypass Vulnerability (CVE-2026-21514): The theme of February’s Patch Tuesday does seem to be about bypassing security features, and this flaw, which is also publicly known, is another example. It received a 7.8 CVSS rating, and all it requires is for a user to open a malicious Office file, which gives the attacker access to COM (Component Object Model) and OLE (Object Linking and Embedding) controls that can be abused for RCE. Luckily, the Preview Pane is not an attack vector.
Desktop Window Manager Elevation of Privilege Vulnerability (CVE-2026-21519): This one wasn’t disclosed prior to the software update, and that’s good because an attacker who exploits this bug can gain SYSTEM privileges. It received a 7.8 CVSS rating.
As Childs notes, “This is the second month in a row that a DWM was listed as being exploited in the wild. That leads me to believe the first patch didn’t completely resolve the vulnerability.”
Windows Remote Access Connection Manager Denial of Service Vulnerability (CVE-2026-21525): This 6.2-rated bug is triggered by a null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVE-2026-21533): This is another bad bug, one that allows an authorized attacker to elevate privileges locally and then run code with SYSTEM privileges. It received a 7.8 CVSS rating, and Microsoft said it’s due to improper privilege management in Windows Remote Desktop. ®