~/home/news/microsoft-patch-tuesday-feb-2026-2026-02-13
newsThursday, February 12, 20268 min read👁 11 views

Microsoft Patch Tuesday Feb 2026: Six Zero-Days, Including Critical Shell Bypass CVE-2026-21510, Fixed

Microsoft’s February 2026 Patch Tuesday delivered updates for more than 50 vulnerabilities, among them six actively exploited zero-days. The most severe, CVE-2026-21510, bypasses Windows Shell protections, enabling silent execution of malicious links across all supported Windows versions.

MicrosoftPatch TuesdayZero-DaySecurity

Overview/Introduction

On Friday, February 13, 2026, Microsoft released its monthly security bulletin, fixing a record-high concentration of zero-day flaws. More than 50 security issues were addressed, including six vulnerabilities that were already being weaponised in the wild. This marks the most critical Patch Tuesday in recent memory, with the flagship zero-day CVE-2026-21510 targeting the Windows Shell - the component that mediates user interaction with the operating system.

The patches affect Windows client and server platforms (Windows 10, Windows Server 2019/2022), Microsoft Office, and related enterprise services. Attackers have been exploiting these flaws for weeks, forcing organisations to accelerate their patch cycles.

Technical Details

The six zero-days span a range of attack vectors, from remote code execution to privilege escalation and denial-of-service. Below is a breakdown of each CVE, the underlying component, and the exploitation methodology observed in the wild.

  • CVE-2026-21510 - Windows Shell Bypass
    Component: Windows Shell (Explorer.exe)
    Impact: Allows a single click on a malicious hyperlink to bypass SmartScreen, Controlled Folder Access, and other user-consent prompts. The payload runs silently with the privileges of the logged-in user, often achieving persistence via registry run keys.
  • CVE-2026-21513 - MSHTML Security Bypass
    Component: MSHTML (Trident) engine used by Internet Explorer and legacy WebView controls.
    Impact: Crafted HTML/JavaScript can escape the sandbox, executing arbitrary code in the context of the host process. Exploited primarily through phishing emails that embed malicious pages.
  • CVE-2026-21514 - Microsoft Word Feature Bypass
    Component: Microsoft Word rendering engine.
    Impact: Malicious DOCX files can trigger a bypass of the Protected View security barrier, allowing macros or embedded OLE objects to run without user consent.
  • CVE-2026-21533 - Remote Desktop Services (RDS) Privilege Escalation
    Component: Windows Remote Desktop Services (rdpclip.exe).
    Impact: A low-privileged attacker who can establish an RDS session can elevate to SYSTEM, effectively taking full control of the host.
  • CVE-2026-21519 - Desktop Window Manager (DWM) Elevation of Privilege
    Component: DWM, the compositor responsible for visual effects. Impact: Exploits a race condition in window handling to gain SYSTEM privileges. The flaw is similar to a DWM zero-day patched in January 2026.
  • CVE-2026-21525 - Remote Access Connection Manager (RASCM) DoS
    Component: RASCM, which maintains VPN tunnels. Impact: Crafted packets can cause the service to crash, disrupting corporate VPN connectivity. While not a direct code-execution issue, the outage can be leveraged for broader disruption.

Impact Analysis

The breadth of affected products means virtually every Windows environment in the wild is at risk. The most severe consequences stem from CVE-2026-21510 and CVE-2026-21533, which provide a pathway from a user-level foothold to full system compromise.

Who is affected?

  • Enterprises running Windows 10, Windows Server 2019/2022, and Windows 11 - especially those with legacy applications that still rely on MSHTML or older Office formats.
  • Managed service providers (MSPs) that host RDS or VPN services for multiple customers.
  • Developers using Microsoft Office automation or embedding Office documents in internal tools.
  • End-users who regularly click links in email or chat clients - the Shell bypass can be triggered with a single click.

Given the public exploitation, the risk rating for each of these CVEs is Critical (9.8-10.0 CVSS). The cumulative effect of six concurrent zero-days elevates the overall threat landscape to an unprecedented level for a single Patch Tuesday.

Timeline of Events

2026-01-17  | Out-of-band update for RDP credential prompt issue
2026-01-26  | Zero-day CVE-2026-21509 (Office feature bypass) patched
2026-02-05  | First intelligence reports of active exploitation of CVE-2026-21510 in phishing campaigns
2026-02-09  | Exploit kits observed delivering CVE-2026-21513 payloads via malicious web pages
2026-02-13  | Microsoft releases Patch Tuesday fixing >50 bugs, including six zero-days
2026-02-14  | Security vendors publish detection signatures for CVE-2026-21510 and CVE-2026-21533
2026-02-15  | Large-scale ransomware campaigns begin leveraging the Shell bypass to drop payloads silently

Mitigation/Recommendations

Immediate actions are essential to contain the threat:

  1. Deploy the February 2026 updates without delay. Use WSUS, SCCM, or Intune to push patches to all Windows endpoints, including legacy systems still on Windows 10.
  2. Enable Enhanced Mitigation Experience Toolkit (EMET) style mitigations. Turn on Block non-Microsoft signed scripts and enforce AppLocker rules that block unknown executables from user-writable locations.
  3. Restrict hyperlink handling. Configure Group Policy to display the “Open link” warning for all URLs and enforce Safe Links protection in Microsoft Defender for Office 365.
  4. Audit RDP and VPN configurations. Disable Network Level Authentication (NLA) if not required, enforce MFA for all remote connections, and monitor for anomalous RDS sessions that could indicate exploitation of CVE-2026-21533.
  5. Apply the latest Microsoft Defender for Endpoint (MDfE) detection rules. The vendor has released signatures for the known exploits; ensure your endpoint protection is up-to-date.
  6. Review Office macro policies. Enforce “Protected View” for all Office documents received via email and block macros from running unless explicitly whitelisted.
  7. Network segmentation. Isolate critical servers from user workstations to limit lateral movement should an attacker gain a foothold via the Shell bypass.

For organisations that cannot patch immediately, temporary mitigations include disabling the Windows Shell’s handling of “file:” and “ms-shortcut:” protocols via registry, and enforcing URL filtering at the perimeter.

Real-World Impact

Early telemetry shows a spike in credential-stealing malware that leverages CVE-2026-21510 to drop “QuasarRAT” and “Emotet” payloads without triggering any security prompts. Financial institutions have reported attempts to exfiltrate banking credentials by embedding malicious links in routine client communications.

In the enterprise sphere, MSPs that manage RDS farms for multiple clients observed a wave of “SYSTEM” level compromise attempts tied to CVE-2026-21533. The resulting breach allowed attackers to install backdoors across several tenant environments, amplifying the attack surface.

Additionally, the DoS bug (CVE-2026-21525) caused intermittent VPN outages for a multinational manufacturing firm, leading to production delays and a temporary loss of remote access for field engineers.

Expert Opinion

From a strategic standpoint, the sheer volume of zero-days in a single release signals a shift in attacker tactics: rather than waiting for a vulnerability to be disclosed, threat actors are actively hunting for unpatched flaws in the latest Windows releases. Microsoft’s rapid out-of-band updates in January and February demonstrate an improved response cadence, but the industry must still grapple with the “patch-first” dilemma - the time between discovery and remediation is now a critical window of exposure.

For defenders, the lesson is clear: assume breach. Relying solely on user education to prevent malicious clicks is insufficient when a single click can silently bypass built-in protections. Organizations must adopt a layered defense model that incorporates behavioural analytics, strict application whitelisting, and zero-trust network segmentation.

Looking ahead, the integration of AI-driven code-generation tools (e.g., GitHub Copilot) introduces a new attack surface, as highlighted by the additional CVEs (CVE-2026-21516, CVE-2026-21523, CVE-2026-21256) that affect IDEs and LLM agents. The industry must treat AI tooling as a privileged vector and enforce rigorous security controls around API keys and execution environments.

In summary, the February 2026 Patch Tuesday is a wake-up call. The convergence of multiple zero-days, active exploitation, and the rise of AI-related code-execution flaws demands a proactive, defense-in-depth approach that goes beyond patching - it requires continuous monitoring, threat-intel integration, and a culture of security-first development.