Microsoft Patches 6 Active Zero-Days in Valentine’s Update

Rashika Sharma | Technology | February 11, 2026

New Delhi, February 11, 2026: In a significant February “Patch Tuesday” rollout—often dubbed a “Valentine’s Day gift” for IT administrators—Microsoft has released fixes for 58 vulnerabilities, including six zero-day flaws that were actively being exploited in the wild.

The update arrives at a critical time for cybersecurity professionals, as three of these zero-days were publicly known before the patches were issued, heightening the risk of widespread exploitation.

The Six Zero-Day Vulnerabilities

The highlights of the February 2026 update are the six flaws already leveraged by threat actors. These vulnerabilities primarily target the Windows Shell, Office, and system management components:

  1. CVE-2026-21510 (Windows Shell Security Feature Bypass): This high-severity flaw allows attackers to bypass Windows SmartScreen and Shell security prompts. By tricking a user into clicking a malicious link or shortcut file, an attacker can execute content without the usual “Mark of the Web” (MoTW) warnings that protect users from untrusted files.
  2. CVE-2026-21513 (MSHTML Framework Security Feature Bypass): Despite the retirement of Internet Explorer, the underlying MSHTML engine remains a target. This flaw allows attackers to bypass security controls over a network, often leading to unauthorized code execution through malicious HTML files.
  3. CVE-2026-21514 (Microsoft Word Security Feature Bypass): This vulnerability specifically targets OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Office. If a user is convinced to open a malicious Word document, the attacker can bypass safeguards designed to block dangerous COM/OLE controls.
  4. CVE-2026-21519 (Desktop Window Manager Elevation of Privilege): This flaw allows an attacker who has already gained a foothold on a system to escalate their privileges to SYSTEM level—the highest level of access on a Windows machine.
  5. CVE-2026-21533 (Remote Desktop Services Elevation of Privilege): Affecting nearly all versions of Windows Server, this bug allows a local user to gain SYSTEM privileges by exploiting improper privilege management within RDP services.
  6. CVE-2026-21525 (Remote Access Connection Manager Denial of Service): While rated as “Moderate” in severity, this flaw is being actively exploited to cause system crashes or instability, allowing even low-privileged users to disrupt services.

CISA Issues “Must-Patch” Mandate

Following Microsoft’s disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This move signals that these flaws represent a clear and present danger to both federal and private-sector networks.

CISA has set a strict deadline of March 3, 2026, for federal agencies to apply these updates, though security experts recommend that private organizations act much sooner given the active nature of the threats.

Broad Impact Across the Ecosystem

Beyond the zero-days, the February update addresses five vulnerabilities classified as “Critical” and over 50 rated as “Important.” The patches cover a wide range of products including:

  • Azure: Specifically addressing privilege escalation in Confidential Containers.
  • Exchange Server: Resolving several remote code execution risks.
  • Microsoft Defender and GitHub Copilot: Fixing various spoofing and information disclosure bugs.

Summary of Vulnerability Classes (February 2026)

Category                    Count
Elevation of Privilege      25
Remote Code Execution       12
Security Feature Bypass     5
Information Disclosure      6
Spoofing                    7
Denial of Service           3

What Admins Need to Do

The “Valentine’s” theme is a reminder that in cybersecurity, neglect can lead to heartbreak. Administrators are urged to prioritize the deployment of these cumulative updates, particularly for Windows 10, Windows 11, and Windows Server 2022/2025.

For environments running legacy versions like Office 2016 or 2019, manual updates or registry adjustments may be required to fully mitigate the OLE bypass risks.
