Microsoft's February Patch Tuesday: Six Zero-Days and a Fire Drill for Every Windows Shop

From The Bit Baker newsletter — February 14, 2026

Microsoft's February 2026 Patch Tuesday landed on February 10 carrying 59 vulnerabilities and 6 actively exploited zero-days. Every one of them was already in CISA's Known Exploited Vulnerabilities catalog before most organizations finished their morning coffee. The Zero Day Initiative labeled the count "extraordinarily high." That's earned — January's Patch Tuesday had one. One exploited zero-day. This month: six.

So what's actually being exploited, and why should security teams treat this more like incident response than routine maintenance?

The bypass flaws jump off the page. CVE-2026-21510 goes after Windows Shell's SmartScreen warnings — send a crafted link or .lnk shortcut, and the target machine opens it without the "this file might be dangerous" prompt ever appearing. CVE-2026-21513 pulls the same trick through MSHTML, killing execution prompts for crafted HTML files. Both sit at CVSS 8.8. Both were public knowledge before Microsoft had a fix ready, which gave attackers a running start.

And then there's CVE-2026-21533 — the one CrowdStrike caught. Local privilege escalation in Remote Desktop Services. A standard user modifies a registry key. That's it. SYSTEM privileges. CrowdStrike's writeup calls it trivial to pull off once you've got local access. That makes it a perfect second stage: get in through a SmartScreen bypass, then own the box completely through RDS.

Why It Matters

Six exploited zero-days in one month isn't a busy patch cycle. It's a warning. The Zero Day Initiative pointed out that 58-59 total CVEs is pretty normal for February. What's abnormal is how many of them were already being used in attacks. One analyst floated the idea that we might be "on our way to another hot exploit summer" — alluding to past stretches where elevated zero-day exploitation foreshadowed larger campaigns.

The real concern is chaining. Picture this: an attacker uses CVE-2026-21510 or CVE-2026-21513 to push a malicious file past SmartScreen. Code execution follows. From there, CVE-2026-21533 escalates to SYSTEM. Two steps from initial access to full domain compromise, using nothing but vulnerabilities that were exploited before patches existed. That's not a theoretical exercise — those are the exact flaws under active attack.

CISA gave federal agencies until March 3. But let's be honest: any organization sitting on these patches until March is carrying known risk from confirmed exploitation. The clock started running on February 10.

What's Under the Hood

The other three zero-days shouldn't be overlooked. CVE-2026-21514 bypasses security features in Word — Microsoft has been sparse on details, but working exploit code is out there. CVE-2026-21525 is a denial-of-service in Remote Access (CVSS 6.2), lower severity but still confirmed exploited. CVE-2026-21511 hits Outlook with a spoofing vulnerability through deserialization (CVSS 7.5).

Step back and a pattern emerges across all six. Attackers are going after the trust mechanisms Windows depends on to shield users from malicious content. SmartScreen. MSHTML rendering safeguards. OLE object controls. These are the guardrails, and when they fail, everything behind them is exposed.

Microsoft also pushed out-of-band patches between January's and February's releases, including an emergency fix for CVE-2026-21509 — a Microsoft Office zero-day. Emergency patches between Patch Tuesdays are never routine. That tempo suggests Microsoft's own threat teams are tracking elevated activity across multiple fronts.

What to Watch

• Patch deployment speed should be accelerated for all six KEV entries. If your organization normally runs a 30-day testing cycle before deploying Patch Tuesday updates, this month warrants an exception. The exploit chains are practical and proven.
• Remote Desktop Services needs an immediate audit across your environment. CVE-2026-21533 converts any local foothold into SYSTEM. Every machine with RDS active is a potential escalation point sitting in the open.
• Spring 2026 zero-day trends deserve close attention. If March's Patch Tuesday brings another elevated count, we're looking at a sustained campaign rather than a one-off spike. ZDI's "hot exploit summer" warning might be more prophetic than cautionary.

References

1. The Hacker News — Microsoft Patches 59 Vulnerabilities Including Six Under Active Exploitation
2. Tenable — Microsoft's February 2026 Patch Tuesday Analysis
3. CrowdStrike — Patch Tuesday Analysis February 2026
4. Zero Day Initiative — February 2026 Security Update Review
5. Krebs on Security — Patch Tuesday, February 2026 Edition
6. SecurityWeek — 6 Actively Exploited Zero-Days Patched by Microsoft
7. Rapid7 — February 2026 Patch Tuesday
8. Sophos — February's Patch Tuesday Assumes Battle Stations
9. Malwarebytes — February 2026 Patch Tuesday Includes Six Actively Exploited Zero-Days