Six Zero-Days Under Active Attack: Inside February 2026’s Most Dangerous Patch Tuesday

A Patch Tuesday Unlike Any Other

Microsoft’s monthly security update for February 2026, released on February 10, arrived carrying a payload that set records and raised alarms across the cybersecurity community. Among the 58 vulnerabilities addressed — with Tenable counting 54 unique Microsoft CVEs, including two rated critical, 51 important, and one moderate — six were already under active exploitation in the wild before patches were available. Adobe’s simultaneous release addressed an additional 44 vulnerabilities across nine product advisories, compounding what was already the most dangerous Patch Tuesday in recent memory.

Six simultaneously exploited zero-days is exceptional by any historical measure. In a typical month, Microsoft patches zero to two actively exploited vulnerabilities. The breadth of the February 2026 batch — spanning the Windows Shell, MSHTML rendering framework, Microsoft Word, Remote Desktop Services, the Desktop Window Manager, and the Remote Access Connection Manager — indicates exploitation by multiple threat groups targeting different aspects of the Windows ecosystem simultaneously. Akamai researchers later linked one of the vulnerabilities to Russia’s APT28 state-sponsored group.

CISA responded by adding all six to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply patches by March 3, 2026. For security teams already stretched thin by the operational demands of continuous patching, the February update presented an impossible triage challenge.

The Six Zero-Days: Technical Breakdown

CVE-2026-21510: Windows Shell Security Feature Bypass (CVSS 8.8)

The most immediately dangerous vulnerability in the batch was a security feature bypass in the Windows Shell — the component responsible for handling file operations, shortcuts, and the user interface for file management. The vulnerability allowed attackers to bypass Windows SmartScreen and Shell security warning dialogs, enabling a crafted malicious file to execute without triggering the security prompts that users have been trained to rely on.

The vulnerability circumvented the Mark of the Web (MotW) protection — a security mechanism that tags files downloaded from the internet and triggers additional warnings when they are opened. By exploiting this flaw, attackers could deliver malicious link (.lnk) or shortcut files via email or web download that would execute without the standard consent dialogs. A single click was sufficient for exploitation.

This vulnerability was publicly disclosed prior to the patch being available and was exploited in the wild as a zero-day. It affects all currently supported versions of Windows.

CVE-2026-21513: MSHTML Framework Security Feature Bypass (CVSS 8.8)

MSHTML — the legacy HTML rendering engine that powers Internet Explorer components still embedded throughout Windows — continues to be a prolific source of critical vulnerabilities despite Internet Explorer’s official retirement. This security feature bypass, rooted in `ieframe.dll`’s hyperlink navigation logic, resulted from insufficient validation of target URLs. This allowed attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution of local or remote resources outside the intended browser security context.

According to Akamai’s technical analysis, the exploit used nested iframes and multiple Document Object Model (DOM) contexts to manipulate trust boundaries, bypassing both MotW and IE Enhanced Security Configuration. Attackers delivered the exploit through malicious LNK files.

This vulnerability was later tied to Russia’s APT28 (Fancy Bear) by Akamai researchers, who identified a malicious artifact uploaded to VirusTotal on January 30, 2026 — before the patch was available — associated with infrastructure linked to the Russian state-sponsored group. Microsoft’s fix introduced stricter validation of the hyperlink protocol, ensuring that supported protocols execute within the browser context rather than being passed directly to `ShellExecuteExW`.

CVE-2026-21514: Microsoft Word Security Feature Bypass (CVSS 7.8)

This vulnerability allowed attackers to craft Word documents that bypassed OLE-based defensive measures in embedded components within Microsoft 365 and Microsoft Office. By exploiting this flaw, a malicious document could sidestep protections meant to prevent vulnerable COM/OLE controls from executing. The vulnerability does not activate through the Preview Pane, requiring the user to actually open the malicious document.

OLE mitigations have been one of the most effective defenses against document-based attacks, and their bypass represents a significant regression in the security posture of every organization that relies on Microsoft Office. The vulnerability was observed in targeted attacks where document exchange is a fundamental business process.

CVE-2026-21533: Remote Desktop Services Elevation of Privilege (CVSS 7.8)

Remote Desktop Protocol remains one of the most widely deployed remote access technologies in enterprise environments. This elevation of privilege vulnerability, caused by improper privilege management in Windows Remote Desktop Services, allowed an authenticated local attacker with low privileges to escalate to SYSTEM level on the target machine.

CrowdStrike identified and reported this vulnerability to Microsoft. CrowdStrike Intelligence retrospective hunting revealed that threat actors had been using the exploit binary in the wild to target U.S. and Canada-based entities since at least December 24, 2025 — nearly seven weeks before the patch was released. The exploit modifies a service configuration key, replacing it with an attacker-controlled key that enables privilege escalation, including adding a new user to the Administrator group.

In practical terms, any user who can establish an RDP session — including users with restricted access or attackers who have gained initial access through compromised low-privilege credentials — can escalate to full system control. CISA added this to the KEV catalog with a March 3, 2026 remediation deadline.

CVE-2026-21519: Desktop Window Manager Elevation of Privilege (CVSS 7.8)

The Desktop Window Manager (DWM) — the system component responsible for visual rendering effects including transparency, thumbnails, and window animations — contained a type confusion vulnerability (CWE-843: access of resource using incompatible type) that could be exploited by a local attacker to execute arbitrary code with SYSTEM privileges.

Type confusion vulnerabilities occur when software treats data as a different type than intended, leading to memory corruption that attackers can exploit. The DWM vulnerability required local access, making it primarily useful as a privilege escalation technique in multi-stage attacks. Observed exploitation involved the vulnerability being chained with an initial access exploit to achieve full system compromise from a single user interaction.

CVE-2026-21525: Remote Access Connection Manager Denial of Service (CVSS 6.2)

The sixth zero-day was a denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan), caused by a null pointer dereference. While DoS vulnerabilities are often considered less severe than code execution flaws, this vulnerability was significant in practice because RasMan is the service responsible for maintaining VPN connections to corporate networks.

Exploitation caused the RasMan service to fault, disrupting VPN connectivity features that depend on it. The vulnerability was discovered via a publicly accessible malware repository, and despite its moderate CVSS rating, its active exploitation earned it a place in CISA’s KEV catalog alongside the five higher-severity zero-days.

The Adobe Factor: 44 Additional Vulnerabilities

Compounding the Microsoft vulnerabilities, Adobe’s February 2026 security update addressed 44 vulnerabilities across nine product advisories covering Audition, After Effects, InDesign Desktop, Substance 3D Designer, Substance 3D Stager, Substance 3D Modeler, Bridge, Lightroom Classic, and the DNG SDK. Twenty-seven of these received critical severity ratings, with successful exploitation potentially leading to arbitrary code execution. The remaining vulnerabilities were rated important, covering memory exposure and denial-of-service issues.

The confluence of Microsoft and Adobe vulnerabilities in the same update cycle creates a compounding risk for organizations. Defenders who prioritize patching one vendor’s products while deferring the other remain exposed through multiple independent attack paths.

What the Breadth Tells Us About Threat Actors

The simultaneous active exploitation of six zero-days across different Windows components is not random. It reveals several things about the current state of the threat landscape.

First, the breadth confirms multiple threat groups exploiting different vulnerabilities independently. CrowdStrike discovered the RDP vulnerability (CVE-2026-21533) through its own incident response work, while Akamai tied the MSHTML flaw (CVE-2026-21513) to Russia’s APT28. The diversity of affected components and different exploitation patterns confirm parallel exploitation by different actors with different capabilities and objectives.

Second, the presence of exploit chains — vulnerabilities designed to be used together, such as the DWM privilege escalation chained with an initial access exploit — indicates sophisticated actors who develop and maintain portfolios of zero-day exploits. The commoditization of the exploit market has made chained exploits available to a broader range of threat groups beyond traditional nation-state actors.

Third, the targeting of legacy components — MSHTML, in particular — demonstrates that attackers are actively mining deprecated code for vulnerabilities. The `ieframe.dll` flaw in CVE-2026-21513 exploits hyperlink navigation logic in a component that most users believe was retired with Internet Explorer, yet remains deeply embedded in Windows. This legacy attack surface is a persistent and growing risk.

The Patching Triage Challenge

For enterprise security teams, six simultaneous zero-days create a triage crisis. Standard vulnerability management processes — assess, prioritize, test, deploy — assume that organizations have time to evaluate patches before deploying them. When vulnerabilities are already under active exploitation, with CISA mandating remediation by March 3, the calculus changes: the risk of deploying an untested patch is weighed against the certainty of ongoing exploitation.

Several factors complicate rapid deployment. Enterprise environments typically require patch testing to ensure compatibility with critical applications before broad deployment. Some systems — operational technology, medical devices, legacy applications — cannot be easily patched without risk of operational disruption. Remote and distributed workforces mean that not all endpoints are immediately reachable for patch deployment.

The February 2026 Patch Tuesday has strengthened the argument for automated patch management systems that can deploy critical security updates with minimal manual intervention. Organizations that had implemented automated deployment for security-classified patches were able to begin remediation within hours, while those relying on manual processes were still conducting impact assessments when exploits were already active against their systems.

Defensive Recommendations

Beyond patching — which must be treated as an emergency for all six zero-days — organizations should take several additional defensive steps.

Disable or restrict MSHTML rendering where possible, particularly in email clients. Configure email systems to render messages in plain text by default. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender that block Office applications from creating child processes and from creating executable content.

Restrict RDP access to the minimum required scope. Implement network-level authentication requirements, enforce MFA for all RDP sessions, and use privileged access management solutions that provide just-in-time RDP access rather than standing access. Given that CVE-2026-21533 was exploited in the wild since December 2025, organizations should review RDP access logs for signs of prior compromise.

Deploy endpoint detection and response tools with behavioral detection capabilities that can identify exploitation attempts regardless of the specific vulnerability being exploited. The attack patterns associated with these vulnerabilities — unusual process creation, unexpected privilege changes, anomalous service configuration modifications — are detectable through behavioral analysis even before specific detection signatures are available.

Review and strengthen email security controls, as email was the primary delivery vector for several of the exploited vulnerabilities. This includes attachment filtering, URL rewriting and inspection, and sandboxed analysis of suspicious attachments.

Sources & Further Reading

• Microsoft February 2026 Patch Tuesday Fixes 6 Zero-Days, 58 Flaws — BleepingComputer
• 6 Actively Exploited Zero-Days Patched by Microsoft With February 2026 Updates — SecurityWeek
• APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday — The Hacker News
• Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513 — Akamai
• The February 2026 Security Update Review — Zero Day Initiative
• Patch Tuesday: Adobe Fixes 44 Vulnerabilities in Creative Apps — SecurityWeek