Microsoft’s Valentine’s gift to admins: 6 exploited zero-day fixes
Summary
Microsoft’s February Patch Tuesday shipped fixes for six vulnerabilities that were being actively exploited before the updates landed. Three of those bugs were publicly disclosed prior to the patch release, increasing the risk of wider exploitation. Microsoft has not shared attribution or the scale of attacks; organisations should assume urgency and act accordingly.
The six CVEs include Windows Shell and Internet Explorer security feature bypasses that can lead to remote code execution, a Microsoft Word feature-bypass affecting COM/OLE controls, a Desktop Window Manager elevation-of-privilege flaw, a Remote Access Connection Manager denial-of-service, and a Remote Desktop Services privilege-elevation issue.
Key Points
- Six Microsoft CVEs were exploited in the wild prior to the February 2026 Patch Tuesday release.
- CVE-2026-21510 (Windows Shell) — 8.8 CVSS; SmartScreen/Windows Shell bypass via malicious links/shortcuts; listed as exploited and publicly disclosed.
- CVE-2026-21513 (Internet Explorer) — 8.8 CVSS; security feature bypass allowing RCE via crafted HTML or .lnk files; exploited and publicly disclosed.
- CVE-2026-21514 (Microsoft Word) — 7.8 CVSS; security feature bypass through malicious Office files enabling COM/OLE abuse and possible RCE; publicly disclosed.
- CVE-2026-21519 (Desktop Window Manager) — 7.8 CVSS; local elevation to SYSTEM; not publicly disclosed before the patch, but actively exploited.
- CVE-2026-21525 (Remote Access Connection Manager) — 6.2 CVSS; local denial-of-service via null pointer dereference.
- CVE-2026-21533 (Remote Desktop Services) — 7.8 CVSS; improper privilege management allows local privilege elevation to SYSTEM.
- Three of the six are publicly disclosed, which raises the likelihood of proof-of-concept code or exploit details circulating online.
Why should I read this
Yep, another urgent patch round — if you’re responsible for Windows kits, this is one to prioritise. Six zero-days sounds like headline panic, but the practical takeaway is simple: test and deploy these fixes quickly, especially where users can be tricked into opening links or Office files. Save yourself future fire-fighting.
Author style
Punchy: this write-up underlines that the fixes are essential reading for sysadmins and security teams. If you manage Windows endpoints or servers, treat the details here as operationally important rather than optional weekend reading.
Context and relevance
This Patch Tuesday continues a trend of active zero-day exploitation against Windows components and repeated issues with Desktop Window Manager patches. Public disclosure of several flaws increases exposure, while user-interaction vectors (links, .lnk files, Office documents) keep social-engineering-based attacks effective. Organisations should combine timely patching with user-awareness and endpoint protections to reduce risk.