Microsoft Issues Urgent Fixes for 59 Vulnerabilities and Six Active Zero-Days


Critical zero-days under active exploitation across Windows
On Tuesday, February 10, 2026, Microsoft released its monthly security update addressing 59 vulnerabilities, a release distinguished by the high number of "zero-day" flaws already weaponized by threat actors. Of these, six were confirmed as being actively exploited in the wild, forcing the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them immediately to its Known Exploited Vulnerabilities (KEV) catalog. The updates cover a wide range of services, including Windows Shell, Microsoft Office, and Azure, highlighting a broad offensive against both individual endpoints and enterprise cloud infrastructure.
Security bypasses allow "silent" malware execution
The most pressing threats in this month’s patch cycle involve "security feature bypasses" in Windows Shell and the MSHTML Framework. These flaws, specifically CVE-2026-21510 and CVE-2026-21513, allow attackers to circumvent Windows SmartScreen and other protective prompts. By convincing a user to click a malicious link or open a shortcut file, hackers can execute unauthorized code without any warning dialogs appearing on the victim's screen. This "silent" execution capability significantly increases the success rate of phishing campaigns by removing the final barrier of user consent.
Escalating privileges to "SYSTEM" through core services
Beyond initial access, three of the zero-days focus on Elevation of Privilege (EoP), a tactic used to gain total control over a compromised machine. CVE-2026-21533 and CVE-2026-21519 target the Remote Desktop Services and the Desktop Window Manager (DWM) respectively. If successfully exploited, an attacker with basic access can elevate their permissions to SYSTEM level—the highest possible authority on a Windows machine. At this level, threat actors can disable security software, steal stored credentials, and move laterally through an entire corporate network to access sensitive data.
Summary of the six actively exploited zero-days
The following table provides a breakdown of the most critical flaws addressed in the February 2026 update. All six of these were being used by hackers before a fix was available.
| CVE Identifier | Affected Component | Impact | Severity |
|---|---|---|---|
| CVE-2026-21510 | Windows Shell | Security Feature Bypass | Important |
| CVE-2026-21513 | MSHTML Framework | Security Feature Bypass | Important |
| CVE-2026-21514 | Microsoft Word | Security Feature Bypass | Important |
| CVE-2026-21519 | Desktop Window Manager | Elevation of Privilege | Important |
| CVE-2026-21533 | Remote Desktop Services | Elevation of Privilege | Important |
| CVE-2026-21525 | Remote Access (RasMan) | Denial of Service | Moderate |
Critical cloud vulnerabilities in Azure and AI tools
While zero-days dominated the headlines, the update also addressed high-severity risks in Azure cloud services. CVE-2026-21531 and CVE-2026-24300 were identified as critical flaws in the Azure SDK and Azure Front Door, carrying near-perfect CVSS scores of 9.8. These vulnerabilities could allow for remote code execution across cloud environments if left unpatched. Furthermore, Microsoft continued its focus on AI security by patching a prompt injection vulnerability in GitHub Copilot that could have allowed malicious commands to be executed within a developer's integrated development environment (IDE).
The evolving landscape of enterprise cyber defense
The sheer volume of exploited zero-days in a single month suggests that threat actors—including state-sponsored groups and commercial spyware vendors—are becoming more efficient at identifying and weaponizing niche logic errors in legacy Windows components. As Microsoft rolls out its Secure Future Initiative and transitions to newer Secure Boot certificates later this year, the pressure on IT administrators to maintain a rigorous patching cycle has never been higher. For the general public, the primary takeaway is clear: the era of relying on "common sense" to avoid malware is over, as these new exploits are specifically designed to bypass the very warnings users have been trained to trust.