Security News

Cybersecurity news aggregator

CRITICAL Updates Dark Reading

Microsoft Patches 6 Actively Exploited Zero-Days

Microsoft has released updates addressing 59 vulnerabilities, including six actively exploited zero-days consisting

Three of those zero-days are security feature bypass flaws, which give attackers a way to slip past built-in protections in multiple Microsoft products.

Jai Vijayan, Contributing Writer
February 10, 2026

Attackers are already actively exploiting six of the 59 vulnerabilities Microsoft disclosed in its latest security update, meaning security teams will need to treat February's Patch Tuesday as an active defense exercise rather than just routine maintenance.

Three of the six zero-days are security feature bypass flaws in different Microsoft products, which is particularly troubling because they give attackers a way to slip past built-in protections organizations rely on. Microsoft issued an out-of-band patch for one of the zero-days, underscoring its urgency. Two of the remaining actively exploited bugs are elevation-of-privilege issues that allow an attacker to gain admin-level privileges on affected systems, while the remaining bug enables denial-of-service attacks.

If that wasn't enough to keep admins busy, Microsoft assessed five other CVEs it disclosed this week as bugs that attackers are "more likely" to exploit. That's a term Microsoft uses for bugs for which exploit code could be developed relatively quickly, that can be exploited with little complexity, or that affect a high-value target for attackers.

Security Feature Bypass Bugs

The three security feature bypass vulnerabilities in Microsoft's February update are CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514.
Technical details of the bugs are already publicly available, which usually means more attacks will follow soon.

CVE-2026-21510 (CVSS 8.8), according to Microsoft, allows attackers to bypass Windows Shell and Windows SmartScreen and run code of their choice on a victim's system without any warning or user consent. To exploit the flaw, an attacker would first need to convince a user to interact with a malicious file or link.

CVE-2026-21513 (CVSS 8.8) affects Microsoft's MSHTML framework. Attackers can abuse the flaw by tricking users into opening a specially crafted HTML file or shortcut link, which leads the browser and operating system to execute it as code instead of treating it as data.

The third security feature bypass zero-day, CVE-2026-21514 (CVSS 7.8), affects Microsoft Word and once again requires user interaction for a successful exploit. In this case, an attacker who tricks a user into opening a malicious Word document can bypass OLE security controls in Microsoft 365 and Microsoft Office to execute arbitrary code. Microsoft issued an emergency out-of-band patch for a similar vulnerability in Office, CVE-2026-21509, on Jan. 26 amid reports of active exploit activity.

"Security feature bypass vulnerabilities significantly increase the success rate of phishing and malware campaigns," said Jack Bicer, director of vulnerability research at Action1, in prepared commentary. "In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise."

What makes remediation even more urgent for organizations is the wide prevalence of the affected components. Word is both widely used and heavily targeted already, while MSHTML is a core component for rendering HTML content in the Windows ecosystem.
Similarly, vulnerabilities like CVE-2026-21510 that allow attackers to bypass SmartScreen and Windows Shell protections are dangerous because they can enable more effective malware delivery and phishing campaigns, noted Mike Walters, president and co-founder of Action1. "Organizations may face unauthorized code execution, malware infections, credential theft, and lateral movement within networks," he said in an emailed comment. "Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching."

Two Elevation of Privilege and 1 DoS Zero-Days

The three other zero-days (tracked as CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533) affect Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services, respectively.

CVE-2026-21519 (CVSS 6.2) and CVE-2026-21533 both allow attackers to escalate their privileges on a system to administrator-level access.

CVE-2026-21525 (CVSS 6.2) in Windows Remote Access Connection Manager allows an attacker to trigger denial-of-service conditions locally. "An attacker with a foothold as a standard, non-admin user can run a small script that crashes the RAS manager service," explained Ryan Braunstein, security manager at Automox, in a prepared statement. "The attack requires no elevated privileges and can be triggered after initial access through phishing or a malicious browser extension," he noted. While the vulnerability does not enable any data theft or code execution, "its potential for disruption is significant," Braunstein added.

The 59 bugs Microsoft disclosed this month are far fewer than the 112 CVEs for January. But that doesn't make the update any less impactful.

"The good news, there's not a lot of CVEs to deal with; the bad news, there's actually a lot to unpack here," said Tyler Reguly, associate director of security R&D at Fortra, in prepared comments. He pointed to 10 CVEs in Azure in particular as vulnerabilities that security teams should pay attention to, in addition to the bugs that attackers are already actively exploiting.

"While three of these (CVE-2026-21532 [CVSS 8.2], CVE-2026-24300 [CVSS 9.8], and CVE-2026-24302 [CVSS 8.6]) are all marked as 'No Customer Action Required,' I'd still want to ensure that there was no evidence of issues in my cloud — or cloud-adjacent — environments," Reguly said in an emailed statement. "For the other seven CVEs, however, I'd hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.