Microsoft Patch Tuesday February 2026: 6 Zero-Days Exploited in the Wild
Six actively exploited zero-days. Fifty-nine total CVEs. Critical Windows Shell and MSHTML bypasses. Microsoft's February 2026 Patch Tuesday is one of the most critical security updates of the year so far.
If you're managing Windows infrastructure, performing security assessments, or hunting bugs in Microsoft products, these actively exploited vulnerabilities represent both an immediate threat and valuable intelligence for understanding current attack patterns. Here's what you need to know.
February 2026 Patch Tuesday Overview
Severity Breakdown:
- Total CVEs: 59 vulnerabilities patched
- Critical: 2 vulnerabilities (including Azure services)
- Important: 51 vulnerabilities
- Moderate: 1 vulnerability
- Actively Exploited: 6 zero-day vulnerabilities confirmed in the wild
Affected Products:
- Windows 10, 11, Server 2016-2025
- Microsoft Office (Word, Outlook)
- MSHTML (legacy browser engine)
- Remote Desktop Services
- Azure services and components
⚠️ Urgent Action Required: Six vulnerabilities are actively exploited in the wild. Patch immediately - attackers already have working exploits for these issues.
The 6 Actively Exploited Zero-Days
CVE-2026-21510: Windows Shell SmartScreen Bypass (CVSS 8.8)
What it does: Allows attackers to bypass Windows SmartScreen protection, the security feature that warns users about potentially malicious files and websites.
Attack scenario:
- Attacker creates malicious link or shortcut (.lnk) file
- Victim is convinced to open the file (via phishing, malicious download, USB drop)
- SmartScreen bypass allows payload execution without security warnings
- Malware installs silently, often ransomware or info-stealers
Why it matters: SmartScreen is Windows' primary defense against drive-by downloads and phishing attacks. Bypassing it removes a critical security layer that users depend on to identify threats. This vulnerability affects all currently supported Windows versions.
Real-world impact: Actively exploited by ransomware groups and APT actors to distribute malware through seemingly innocuous downloads.
CVE-2026-21513: MSHTML Security Feature Bypass (CVSS 8.8)
What it does: Bypasses security features in MSHTML, the legacy rendering engine still present in Windows (even though Edge replaced Internet Explorer).
Attack scenario:
- Attacker crafts malicious HTML document or shortcut file
- User opens the file (email attachment, malicious website, file share)
- MSHTML renders content and executes attacker-controlled code
- Security features like Protected Mode or Mark of the Web are bypassed
Why it matters: Even though Internet Explorer is "retired," the MSHTML engine is deeply embedded in Windows. Many applications (including Outlook, help files, and legacy enterprise software) still use MSHTML for rendering HTML content. This makes the attack surface massive.
Bug bounty perspective: MSHTML vulnerabilities are valuable findings ($10k-50k+ on Microsoft's bounty program). If you're researching Windows exploitation, MSHTML remains a rich target despite IE's official sunset.
CVE-2026-21533: Windows RDP Privilege Escalation (CVSS 7.8)
What it does: Allows local authenticated users to escalate privileges to SYSTEM level via Remote Desktop Services.
Attack scenario:
- Attacker gains initial access (compromised user account, low-privilege shell)
- Exploit CVE-2026-21533 to elevate to SYSTEM privileges
- No user interaction required - fully automated privilege escalation
- Complete control over the target system achieved
Why it matters: RDP is enabled on millions of Windows servers and workstations. Once an attacker has a foothold (even low-privilege access), this vulnerability provides instant escalation to full control. Because no user interaction is required, it is especially dangerous for automated attacks.
Enterprise impact: In corporate environments where RDP is standard, this vulnerability enables rapid lateral movement: compromise one user account, escalate to admin, and move to domain controllers. Classic APT playbook.
CVE-2026-21514: Microsoft Word Security Bypass (CVSS 5.5)
What it does: Bypasses Office security features designed to block execution of macros and embedded content from untrusted sources.
Attack scenario:
- Attacker creates weaponized Word document with malicious macros
- User opens document (email attachment, file share)
- Security bypass allows blocked content to execute despite Protected View
- Macro payload runs, often dropping additional malware
Why it matters: Microsoft has spent years hardening Office against macro-based attacks (blocking macros by default, Protected View, etc.). This bypass undermines those protections. Email-based phishing campaigns leveraging this vulnerability are already active in the wild.
CVE-2026-21525: Windows Remote Access Connection Manager DoS (CVSS 6.2)
What it does: Allows unauthenticated attackers to crash the Remote Access Connection Manager service or the entire system.
Attack scenario:
- Attacker sends crafted network packets to target system
- No authentication required - fully remote attack
- Service or system crashes, disrupting availability
- Repeated exploitation can cause persistent denial of service
Why it matters: While "only" a DoS vulnerability (not RCE or privilege escalation), unauthenticated remote DoS attacks are valuable for disruption campaigns, extortion, or covering tracks during other attacks. Being actively exploited suggests it's part of broader attack campaigns.
CVE-2026-21511: Microsoft Outlook Spoofing (CVSS 7.5)
What it does: Allows attackers to spoof email headers and bypass Outlook's security warnings through crafted emails.
Attack scenario:
- Attacker crafts email with spoofed sender information
- Email appears to come from trusted source (CEO, IT department, partner organization)
- Victim trusts spoofed identity and follows malicious instructions
- Leads to credential theft, wire fraud, or malware installation
Why it matters: Because the flaw is exploitable via the preview pane, victims don't even need to open the email; simply viewing it in the preview pane triggers the vulnerability. This dramatically lowers the bar for successful exploitation in phishing campaigns.
Business email compromise (BEC) impact: Spoofing vulnerabilities are gold for BEC attackers conducting wire fraud and CEO fraud schemes. Expect this to be heavily exploited in financial fraud campaigns.
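A defender-side check for the spoofing pattern described above, added here as an example that is not part of the original post: it parses the Authentication-Results header (RFC 8601) and flags internal-looking senders that fail SPF/DKIM/DMARC, or whose envelope sender or Reply-To does not align with the From domain. The internal domain `example.com` and every address in the sample messages are assumptions constructed for the example.

```python
"""Added example (not from the original post): mail-gateway triage for spoofed
internal-looking senders, using constructed messages rather than real mail."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def domain_of(header_value) -> str:
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg) -> dict:
    results = {}  # method -> verdict, e.g. {"spf": "fail", "dkim": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results

def assess(raw_message: str) -> list:
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    findings = []
    if from_domain in INTERNAL_DOMAINS:  # only internal-looking From addresses are held to this bar
        verdicts = auth_results(msg)
        failed = [m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
        if failed:
            findings.append(f"internal-looking From {from_domain} failed {'/'.join(failed)}")
        envelope = domain_of(msg.get("Return-Path", ""))  # envelope sender recorded by the receiving MTA
        if envelope and envelope != from_domain:
            findings.append(f"envelope sender {envelope} does not align with From")
    reply_to = domain_of(msg.get("Reply-To", ""))  # classic BEC tell: replies are diverted elsewhere
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From")
    return findings

# Constructed messages; every address and domain here is made up.
SPOOFED = """From: "CEO" <ceo@example.com>
Return-Path: <bounce@mailer-abc.test>
Reply-To: <ceo.private@mail.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-abc.test; dkim=none; dmarc=fail header.from=example.com

Please process the attached invoice today.
"""

LEGIT = """From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

The new policy takes effect next Monday.
"""
```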
Additional Critical Vulnerabilities
Beyond the actively exploited zero-days, Microsoft patched two critical (CVSS 9.8) vulnerabilities in Azure services:
CVE-2026-21531: Azure Service Critical Vulnerability (CVSS 9.8)
Critical vulnerability in Azure service components. Specific details are limited, but a CVSS of 9.8 indicates a network-based attack with high impact. Azure customers should prioritize patching immediately.
CVE-2026-24300: Azure Service Critical Vulnerability (CVSS 9.8)
Second critical Azure vulnerability patched this month. Microsoft's limited disclosure suggests potential for severe cloud infrastructure compromise. If you're running Azure services, apply these patches without delay.
Current Exploitation Patterns
Who's exploiting these vulnerabilities?
Ransomware Groups
SmartScreen and MSHTML bypasses (CVE-2026-21510, CVE-2026-21513) are being used by ransomware operators to distribute payloads via:
- Malicious email attachments pretending to be invoices, shipping notices, tax documents
- Drive-by downloads from compromised legitimate websites
- Malvertising campaigns redirecting to exploit kits
- USB-based attacks (physical drops in parking lots, lobbies)
Advanced Persistent Threats (APTs)
Nation-state actors are leveraging the RDP privilege escalation (CVE-2026-21533) for:
- Lateral movement in enterprise environments
- Escalating access from compromised workstations to servers
- Establishing persistence with SYSTEM-level privileges
- Credential harvesting for further exploitation
Business Email Compromise (BEC)
Financial fraud groups are exploiting the Outlook spoofing vulnerability (CVE-2026-21511) for:
- CEO fraud - spoofing executive emails to authorize wire transfers
- Vendor impersonation - spoofing suppliers to redirect payments
- Credential harvesting - spoofing IT department to steal passwords
- Tax season fraud - spoofing accountants and HR departments
💰 Bug Bounty Tip: Pay attention to Microsoft's patch patterns. When multiple SmartScreen/MSHTML bypasses are found in short succession, it suggests a vulnerability class. Hunt for similar bypass techniques in related Windows components for high-value findings.
Mitigation: Immediate Actions Required
1. Patch Immediately
Windows Update:
- Settings → Windows Update → Check for updates
- Install all available updates, restart as required
- Verify installation: Settings → Windows Update → Update history
Enterprise deployments:
- Deploy via WSUS, SCCM, or Intune with emergency priority
- Prioritize internet-facing systems and high-value targets first
- Test patches in controlled environment if possible, but don't delay production deployment
Microsoft Office:
- File → Account → Update Options → Update Now
- Or wait for automatic updates (typically within 24-48 hours)
2. Compensating Controls (Until Patched)
If you can't patch immediately:
SmartScreen bypass mitigation (CVE-2026-21510):
- Block .lnk files at email gateway and web proxy
- Enable Windows Defender Application Control (WDAC) to block unsigned executables
- Deploy AppLocker policies restricting execution from user-writable directories
MSHTML bypass mitigation (CVE-2026-21513):
- Block HTML email attachments at email gateway
- Configure Outlook to display emails in plain text by default
- Disable IE mode in Edge browser via Group Policy
RDP privilege escalation mitigation (CVE-2026-21533):
- Disable RDP on systems that don't require it
- Implement network segmentation to isolate RDP access
- Require RDP access through VPN or jump box with MFA
- Monitor for unusual privilege escalation attempts
Word macro bypass mitigation (CVE-2026-21514):
- Block Office macros entirely via Group Policy if not required
- Only allow macros from trusted locations (digitally signed)
- Train users to recognize macro-based phishing attempts
3. Detection and Monitoring
Indicators of exploitation:
- SmartScreen bypass: Execution of files from unusual locations (AppData, Temp) without SmartScreen prompts
- MSHTML exploitation: Unusual mshta.exe or iexplore.exe process activity
- RDP privilege escalation: Local accounts suddenly gaining SYSTEM privileges
- Word exploitation: WINWORD.EXE spawning cmd.exe, powershell.exe, or cscript.exe
- Outlook spoofing: Unusual email headers, SPF/DKIM/DMARC failures on internal-looking emails
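Triage logic for the process-based indicators above, added here as an example that is not part of the original post. It runs over constructed Sysmon-style process-creation records (Python dicts standing in for Event ID 1 XML) and flags three of the indicators listed: a downloaded file executing from a staging directory, legacy MSHTML host activity, and WINWORD.EXE spawning a scripting host. The `zone_id` field is an assumption that stands in for a correlated Zone.Identifier stream.

```python
"""Added example (not from the original post): triage logic for the
process-based indicators above, run over constructed Sysmon-style
process-creation records rather than real event logs."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record. zone_id is a constructed field
    standing in for a correlated Zone.Identifier stream (Sysmon Event ID 15);
    ZoneId 3 means the file was downloaded from the internet."""
    image: str
    parent_image: str
    command_line: str
    zone_id: Optional[int] = None

# User-writable staging paths that SmartScreen should normally have vetted.
STAGING_DIRS = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads)\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
LEGACY_HTML = {"mshta.exe", "iexplore.exe"}

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the indicator names an event matches (empty list if benign)."""
    findings = []
    image, parent = _name(ev.image), _name(ev.parent_image)
    # SmartScreen bypass candidate: an internet-tagged binary ran from a staging
    # path. Correlate with the absence of a SmartScreen event before alerting.
    if ev.zone_id == 3 and STAGING_DIRS.search(ev.image):
        findings.append(f"smartscreen-bypass-candidate: {ev.image}")
    # MSHTML: a legacy engine host (mshta.exe / iexplore.exe) as child or parent.
    if image in LEGACY_HTML or parent in LEGACY_HTML:
        findings.append(f"mshtml-activity: {parent} -> {image}")
    # Office macro payload: Word spawning a scripting host.
    if parent == "winword.exe" and image in SHELLS:
        findings.append(f"office-macro: winword.exe -> {image}")
    return findings

# Constructed sample records: benign baseline, three hits, one benign Word child.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\invoice.exe", r"C:\Windows\explorer.exe", "invoice.exe", zone_id=3),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "mshta.exe attach.hta"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmd.exe /c stage.bat"),
    ProcEvent(r"C:\Windows\splwow64.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "splwow64.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_name(ev.image), classify(ev) or "clean")
```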
What This Means for Bug Bounty Hunters
Vulnerability Classes to Hunt
SmartScreen and security feature bypasses:
- Test how applications handle Mark of the Web (MOTW) on downloaded files
- Look for ways to bypass security warnings through file type confusion
- Test shortcut files (.lnk) with unusual properties or embedded content
- Examine how different file types are handled by Windows security features
MSHTML exploitation paths:
- Test applications that embed HTML rendering (help viewers, email clients, PDF readers)
- Look for ways to force MSHTML rendering even when Edge is default browser
- Test file format handlers that might invoke MSHTML (CHM, MHT, etc.)
- Research security zone bypasses and same-origin policy violations
Privilege escalation opportunities:
- Test Windows services running with elevated privileges
- Look for insecure file operations, registry writes, or IPC mechanisms
- Test service dependencies and initialization routines
- Focus on services that interact with user input or network data
Testing Tools and Resources
📚 Windows Internals, Part 1 - $50
Essential reading for Windows security researchers. Deep dive into how SmartScreen, MSHTML, and RDP services work at the kernel level. Understanding internals is key to finding bypasses.
📚 The Shellcoder's Handbook - $45
Learn exploitation techniques for privilege escalation, bypass development, and Windows exploitation. Classic resource for security researchers hunting critical vulnerabilities.
Microsoft Vulnerability Research Program
Current bounty ranges for similar findings:
- SmartScreen bypass: $10,000 - $30,000
- MSHTML security feature bypass: $15,000 - $50,000
- RDP privilege escalation: $20,000 - $40,000
- Office security bypass: $10,000 - $25,000
- Azure critical vulnerabilities: $50,000 - $250,000+
Bonus opportunities: Microsoft offers up to 3x multipliers for vulnerabilities affecting multiple products or demonstrating novel exploitation techniques.
🎯 Research Tip: Microsoft patches come out monthly. Within 24-48 hours of Patch Tuesday, analyze patches using binary diffing tools (BinDiff, Diaphora) to understand the vulnerability. Then hunt for similar patterns in unpatched components. This technique (patch gapping) has yielded numerous high-value findings.
Frequently Asked Questions
Why should I patch immediately instead of waiting for my normal maintenance window?
Six of these vulnerabilities are actively exploited in the wild RIGHT NOW. Attackers have working exploits and are using them against unpatched systems. Every day you wait increases the risk of compromise. Patch Tuesday exploits typically see mass exploitation within 24-72 hours of patch release as attackers reverse-engineer the fixes. This isn't theoretical - ransomware groups and APTs are hitting vulnerable systems today.
How are these zero-days being exploited in the real world?
CVE-2026-21510/21513 (SmartScreen/MSHTML bypasses) via phishing emails with malicious attachments. CVE-2026-21533 (RDP privilege escalation) by attackers who gained initial access. CVE-2026-21514/21525 (NTLM hash disclosure, DWM) for credential theft and persistence. Attack chain: Phishing → bypass SmartScreen → execute payload → escalate privileges → steal credentials → lateral movement. This is active, organized exploitation - not opportunistic scanning.
Which of the 6 zero-days is most dangerous?
CVE-2026-21510 (SmartScreen bypass, CVSS 8.8) is the most impactful because it breaks Windows' primary defense against malicious downloads. Anyone can be targeted via email/web with no prior access needed. CVE-2026-21513 (MSHTML) is a close second due to its massive attack surface. Both require user interaction, but only minimal social engineering. The RDP escalation (CVE-2026-21533) is critical for attackers who already have access.
Can I safely test for these vulnerabilities in my bug bounty lab?
Yes, with proper precautions. Set up isolated Windows VMs (unpatched, Feb 2026), test SmartScreen/MSHTML bypasses with crafted files, practice RDP privilege escalation locally. NEVER test on production systems or systems you don't own. Document your findings, create PoC videos. If you find similar bugs in other products, report responsibly. Public PoCs exist for some of these - study them in isolated environments only.
I'm running the latest Windows 11 - do I still need to patch?
YES. Windows 11 is affected by all 6 actively exploited zero-days. "Latest version" without February 2026 patches = vulnerable. Microsoft doesn't automatically install patches immediately - check Windows Update manually. Verify patch installation: Settings → Windows Update → Update History → look for KB articles from February 11, 2026. Don't assume you're protected just because you're on Windows 11.
What's the typical bug bounty payout for vulnerabilities like these?
Microsoft's bounty program pays $10,000-$250,000 for critical vulnerabilities. SmartScreen bypass: $15k-30k. MSHTML security feature bypass: $10k-50k. RDP privilege escalation: $15k-40k. NTLM hash disclosure: $10k-25k. Zero-days with confirmed exploitation pay premium. But you can't report these specific CVEs now (already patched) - find NEW similar vulnerabilities in Windows components.
How do attackers chain multiple Patch Tuesday vulnerabilities together?
Common chain: CVE-2026-21510 (SmartScreen bypass) for initial access → CVE-2026-21533 (RDP escalation) for SYSTEM privileges → CVE-2026-21514 (NTLM disclosure) for credential theft → lateral movement to domain controllers. Single vulnerability = foothold. Multiple vulnerabilities = full domain compromise. This is why comprehensive patching matters - attackers combine exploits for maximum impact. Defense in depth only works if all layers are patched.
What tools should I use to test for Patch Tuesday vulnerabilities?
Metasploit (check for modules targeting these CVEs), Nessus/OpenVAS for vulnerability scanning, Windows Exploit Suggester (PowerShell tool), Microsoft Baseline Security Analyzer, custom PoC scripts (study public exploits on GitHub). For bug hunting: Burp Suite for web-based bypasses, WinDbg for debugging, Process Monitor for behavior analysis. Practice on vulnerable VMs before attempting real bug bounty research.
Key Takeaways
- Patch immediately: Six actively exploited zero-days means attackers have working exploits right now
- Prioritize internet-facing systems: SmartScreen, MSHTML, and RDP vulnerabilities are remotely exploitable
- Layer your defenses: Even with patches, implement additional controls (AppLocker, macro blocking, network segmentation)
- Monitor for exploitation: Watch for unusual process spawning, privilege escalation, and security feature bypasses
- Research opportunities: These vulnerability classes are rich hunting grounds for security researchers
For Enterprise Security Teams:
- Deploy patches within 24-48 hours maximum
- Review security controls around RDP, email, and file downloads
- Conduct threat hunting for indicators of exploitation
- Test incident response plans for ransomware and BEC scenarios
For Bug Bounty Hunters:
- Study these patches to understand current attack patterns
- Hunt for similar vulnerability classes in your target programs
- Focus on security feature bypasses - they're consistently high-value
- Consider specializing in Windows exploitation for consistent bounty payouts
⚠️ Critical Reminder: These vulnerabilities are being actively exploited in the wild RIGHT NOW. Every hour you delay patching increases your exposure to ransomware, APT intrusions, and business email compromise attacks. Patch today, not tomorrow.