February 2026 Microsoft updates include six exploited flaws

Threat summary

On February 10, 2026, Microsoft issued its Security Update Guide entry listing 59 vulnerabilities. Of those, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity.

Six are reportedly being exploited in the wild. Across all six, exploitation depends on user interaction or existing local access, which increases the effort required to exploit them.

CVE‑2026‑21510 (CVSS: 8.8) is a Windows Shell security feature bypass that allows an attacker to bypass user‑facing security protections, including Windows SmartScreen and related Shell warnings, when a user opens attacker‑controlled content such as a malicious link or shortcut (.LNK) file. The vulnerability weakens the safeguards that normally prompt users before executing untrusted content, enabling a one‑click execution path once user interaction occurs.

CVE‑2026‑21513 (CVSS: 8.8) is an MSHTML (Internet Explorer/Trident) security feature bypass allowing an attacker to bypass built‑in security checks over a network when a user interacts with attacker‑supplied content, such as opening a malicious file or link that invokes MSHTML rendering paths. The vulnerability undermines safeguards such as zone enforcement and related trust decisions, enabling attacker‑controlled content to be processed with fewer restrictions once user interaction occurs.

CVE‑2026‑21514 (CVSS: 7.8) is a Microsoft Word security feature bypass in which Word incorrectly relies on untrusted inputs when making security decisions. This allows an adversary to bypass existing OLE mitigations in Microsoft 365 and Microsoft Office that are specifically designed to protect users from vulnerable COM/OLE controls when a user opens a malicious document. Exploitation requires explicit user interaction (opening the document), and Microsoft confirmed that the Preview Pane is not an attack vector, which limits exposure compared to other Office flaws that trigger during preview.

CVE‑2026‑21519 (CVSS: 7.8) affects Desktop Window Manager and enables elevation of privilege to SYSTEM.

CVE‑2026‑21533 (CVSS: 7.8) affects Windows Remote Desktop Services and enables elevation of privilege to SYSTEM. The flaw increases the risk of lateral movement on systems running Remote Desktop Services.

CVE‑2026‑21525 (CVSS: 6.2) is a Windows Remote Desktop Services (RDS) flaw caused by improper privilege management, allowing a locally authenticated attacker to escalate privileges to SYSTEM once they have access to the affected host. The flaw enables post‑access escalation on systems where Remote Desktop components are present, making it particularly relevant for RDS servers, VDI hosts, jump boxes, and shared Windows systems.

Analysis & mitigation

Organizations should prioritize deployment of Microsoft’s February security updates across all supported Windows and Office assets, as six vulnerabilities have been confirmed exploited in the wild. 

Field Effect MDR clients will receive an ARO alert identifying any instances vulnerable to the noted flaws, with remediation guidance. Additionally, by correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts and flags anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.

Organizations can reduce exposure to the initial access vectors by strengthening phishing defenses, enforcing Mark-of-the-Web handling for downloaded files, and applying Microsoft Defender Attack Surface Reduction rules to block risky behaviors, such as Office spawning child processes or execution of shortcut files from user-writable locations. Where feasible, disable or tightly restrict legacy components that expand attack surface, particularly MSHTML and Internet Explorer mode.

To limit post-compromise impact, enforce least privilege principles by removing unnecessary local administrator rights. Further, tighten access to Remote Desktop Services with network-level authentication and multifactor authentication (MFA).

High-risk systems such as RDS hosts, jump servers, and shared endpoints should be prioritized for patching and monitored for signs of privilege escalation, unexpected service configuration changes, or crashes in components such as Desktop Window Manager and Remote Access Connection Manager.

Together, rapid patching combined with endpoint hardening, identity controls, and enhanced monitoring significantly reduces the likelihood that user-assisted exploitation can escalate into full SYSTEM compromise or lateral movement.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up