Full Report
Roses are red, violets are blue ... now get patching What better way to say I love you than with an update? Attackers exploited a whopping six Microsoft bugs as zero-days prior to Redmond releasing software fixes on February's Patch Tuesday.…
Analysis Summary
As a vulnerability research specialist, here is the summary of the six actively exploited zero-day vulnerabilities disclosed in Microsoft's February Patch Tuesday release.
***
# Vulnerability: Microsoft February 2026 Zero-Day Patch Roundup (6 Exploits)
## CVE Details
This summary covers six vulnerabilities actively exploited by attackers prior to the patch release.
| CVE ID | Severity Score (CVSS) | CWE (Inferred) |
| :--- | :--- | :--- |
| CVE-2026-21510 | 8.8 (High) | Security Feature Bypass |
| CVE-2026-21513 | 8.8 (High) | Security Feature Bypass |
| CVE-2026-21514 | 7.8 (High) | Security Feature Bypass |
| CVE-2026-21519 | 7.8 (High) | Elevation of Privilege (EoP) |
| CVE-2026-21525 | 6.2 (Medium) | Null Pointer Dereference / Denial of Service (DoS) |
| CVE-2026-21533 | 7.8 (High) | Elevation of Privilege (EoP) |
## Affected Systems
- **Products:** Windows variants (implied for CVE-2026-21510, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533), Internet Explorer (CVE-2026-21513), Microsoft Word (CVE-2026-21514).
- **Versions:** Unspecified specific vulnerable versions; applies to products pending the February 2026 security updates.
- **Configurations:** Varies by CVE, but most high-impact flaws require user interaction (e.g., opening a malicious file or link).
## Vulnerability Description
The disclosed set of zero-day vulnerabilities primarily revolve around **Security Feature Bypass** and **Elevation of Privilege (EoP)** across the Windows ecosystem and Microsoft Office components.
1. **CVE-2026-21510 (Windows Shell SFB):** Allows bypassing Windows SmartScreen and Shell security prompts via a malicious link or shortcut file, leading to code execution without user warning. It is noted that this behaves like a code execution flaw.
2. **CVE-2026-21513 (IE SFB):** Attackers can trick a user into opening a malicious HTML or shortcut file (.lnk) which manipulates browser and Windows Shell handling to achieve Remote Code Execution (RCE).
3. **CVE-2026-21514 (Word SFB):** Exploits object handling by allowing RCE via malicious Office files by abusing COM and OLE controls upon opening the file.
4. **CVE-2026-21519 (DWM EoP):** Allows an attacker to escalate privileges to the **SYSTEM** level. This is notable as it is the second consecutive month a DWM vulnerability has been exploited.
5. **CVE-2026-21525 (Remote Access Connection Manager DoS):** A null pointer dereference allowing a local, unauthorized attacker to cause a Denial of Service.
6. **CVE-2026-21533 (RDC Services EoP):** An improper privilege management flaw allowing an *authorized* attacker to elevate privileges locally to **SYSTEM** level.
## Exploitation
- **Status:** **Exploited in the wild** for all six CVEs.
- **PoC Availability:** **Publicly disclosed** for CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514, strongly suggesting Proof-of-Concept code is available.
- **Complexity:** Generally **Low** for the feature bypasses, as they rely on social engineering (getting a user to click a link/open a file). EoP complexity varies based on prerequisites (e.g., CVE-2026-21533 requires prior authorization).
- **Attack Vector:** Varies (Network for initial delivery, Local for EoP/DoS).
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2026-21510 | High (Code Execution) | High (Code Execution) | High (Potential) |
| CVE-2026-21513 | High (RCE) | High (RCE) | High (Potential) |
| CVE-2026-21514 | High (RCE) | High (RCE) | High (Potential) |
| CVE-2026-21519 | High (SYSTEM Access) | High (SYSTEM Access) | High (Potential) |
| CVE-2026-21525| None | None | High (DoS) |
| CVE-2026-21533| High (SYSTEM Access) | High (SYSTEM Access) | High (Potential) |
## Remediation
### Patches
- **Action:** Apply all applicable updates from the **February 2026 Microsoft Security Update Guide** (which covers all 59 CVEs released that month, including these six).
- **Note:** Specific patch deployment versions are dictated by the general February update roll-up for the affected operating systems and software.
### Workarounds
- No general workarounds were explicitly detailed in the provided context beyond urging immediate patching.
- **Implicit Mitigation (CVE-2026-21513):** Since Internet Explorer support officially ended in 2022, organizations should ensure they are not utilizing this retired browser.
## Detection
- **Indicators of Compromise (IoCs):** Look for anomalous execution resulting from shell link interactions or malicious document processing that bypasses standard security dialogue boxes.
- **Detection Methods and Tools:** Security teams should prioritize monitoring for exploitation patterns related to Windows Shell component interactions and Office file parsing that lead to unexpected process creation or privilege escalation attempts (especially SYSTEM level gains via DWM or RDP services). Threat hunting should specifically target activity following user interactions with untrusted external files or links.
## References
- Vendor Advisories: Microsoft Security Update Guide for February 2026 (Detailed information available via the vendor site).
- Relevant Links:
- [msrc.microsoft.com/update-guide/releaseNote/2026-Feb](https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb) (Defanged)
- Trend Micro ZDI Review: [www.zerodayinitiative.com/blog/2026/2/10/the-february-2026-security-update-review](https://www.zerodayinitiative.com/blog/2026/2/10/the-february-2026-security-update-review) (Defanged)