Six Zero-Days, One Tuesday, and Your Approval Process Is Still Broken
Microsoft shipped its February 2026 Patch Tuesday yesterday. Six actively exploited zero-day vulnerabilities. Three of those were publicly disclosed before the patch was available.
Let that sink in for a moment. Three vulnerabilities where the exploit details were already circulating before Microsoft gave you the fix. That is not a theoretical risk assessment. That is attackers with working tools and you without a defence.
If your patch approval process involves committee meetings, change advisory boards that meet fortnightly, or "we'll get to it next maintenance window," you need to read this and then go patch your systems. In that order.
The Six That Matter Most
Here is the exploited set. Every major security vendor, from BleepingComputer to Tenable to the Zero Day Initiative, agrees on the same six CVEs. When sources that normally disagree on everything reach consensus, you should pay attention.
The Bypass Trinity: three flaws that eliminate your safety net.
CVE-2026-21510 targets Windows Shell itself. A user clicks a malicious link or shortcut file and Windows SmartScreen just steps aside. No warning dialog. No "are you sure?" prompt. No Mark of the Web protection. One click, code runs. This affects every currently supported version of Windows. CVSS 8.8.
CVE-2026-21513 hits the MSHTML framework, the legacy Internet Explorer rendering engine that Windows still uses under the bonnet for various components. Same result: a crafted HTML file or LNK shortcut bypasses security controls and can achieve code execution. CVSS 8.8.
CVE-2026-21514 goes after Microsoft Word and Microsoft 365 Apps directly. It bypasses OLE mitigations, meaning a malicious Office document can execute code that your security controls should have blocked. Microsoft confirms the preview pane is not an attack vector for this one, which is a small mercy, but it still requires only that someone opens the file. CVSS 7.8.
All three bypass flaws were publicly disclosed before the patch dropped. That means the window between "attackers know how to exploit this" and "you have a fix" was wider than zero. For some organisations with slow patching processes, that window is still open right now.
The Privilege Escalators: what happens after initial access.
CVE-2026-21519 is a type confusion flaw in the Desktop Window Manager that gives an attacker SYSTEM privileges from a local foothold. CVSS 7.8. This is the kind of vulnerability that turns "we had a minor incident" into "they owned the domain controller."
CVE-2026-21533 affects Windows Remote Desktop Services. An authenticated attacker with low privileges can escalate to SYSTEM. CrowdStrike discovered this one and has confirmed active abuse in the wild, including attackers adding themselves to the local administrators group. If you have any servers with RDP exposed, or terminal servers in your environment, this is your number one priority. CVSS 7.8.
CVE-2026-21525 targets the Remote Access Connection Manager with a denial of service attack. An exploit was found in a malware repository, meaning it is already packaged for distribution. If your users rely on VPN connections managed by Windows, a successful exploit crashes those connections. CVSS 6.2.
CISA added all six to the Known Exploited Vulnerabilities catalogue on Tuesday. That is not advisory language. That is "these are being used against real organisations right now."
Why the Bypass Flaws Should Terrify You
Let me explain why those first three are worse than they might sound.
Your users have been trained for years to look for security warnings. "Don't click that." "Check the URL." "Look for the warning banner." Mark of the Web, SmartScreen, Protected View in Office: these are the safety nets that catch the files your email gateway missed.
CVE-2026-21510, 21513, and 21514 cut those nets.
A malicious file arrives. Your user opens it. The warnings that should have appeared simply do not. From the user's perspective, the file looks completely normal. No yellow bar. No "this file came from the internet" dialog. No SmartScreen block.
As Satnam Narang at Tenable put it, users have grown accustomed to receiving these alerts, and when vulnerabilities bypass those protection mechanisms, users are at significantly greater risk of compromise.
Your security awareness training just became irrelevant for these specific attack vectors. The visual cues your staff were trained to spot are no longer there. That is why you patch these first, today, not next week.
The Numbers Game (Don't Play It)
Sources disagree on the total CVE count. BleepingComputer says 58. Tenable says 54. Qualys says 61. SecurityWeek rounds to 60. CyberScoop says 59.
It does not matter.
The differences come down to counting methodology: whether you include Edge fixes released earlier in the month, whether you count third-party CVEs bundled into Microsoft updates, whether you include the one moderate-severity libjpeg-turbo issue.
What matters is that the exploited set of six is consistent across every source. Patch those six immediately. Then patch the rest based on your exposure and business risk. Do not waste time arguing about whether the total is 54 or 61 when attackers are using six of them against you right now.
Beyond the Zero-Days: Critical Items You Cannot Ignore
The Zero Day Initiative flagged several Critical-rated vulnerabilities in Azure services that deserve attention even if they are not exploited yet.
CVE-2026-24300 is an elevation of privilege in Azure Front Door with a CVSS of 9.8. If you route traffic through Azure Front Door, validate that Microsoft's service-side fix has landed and check your dependent configurations.
CVE-2026-24302 is an elevation of privilege in Azure Arc, also rated Critical. Azure Arc agents run on your infrastructure, not just in the cloud. If you have hybrid deployments using Arc, you may need to take action.
CVE-2026-21532 is an information disclosure flaw in Azure Functions, rated Critical. Check your serverless deployments.
Even when cloud fixes are largely service-side, you still need to verify the change landed and did not break dependent components. "Microsoft will handle it" is not a patching strategy. It is hope dressed up as a process.
The January Hangover
If you skipped or deferred the January out-of-band Office update, February's cumulative updates should close that gap. CVE-2026-21509, an exploited Office security feature bypass, was patched in a late January emergency release. Several vendors note that February cumulative updates bundle many January fixes.
Check that your Office clients actually restarted after the update. Microsoft 365 Apps can sit on an old build for weeks if nobody restarts Word or Excel. The update is only effective when the application loads the new binaries.
Secure Boot: This Is Not Optional Maintenance
Microsoft has started rolling out updated Secure Boot certificates to replace the 2011 certificates that expire in June 2026. The February cumulative update for Windows 11 includes targeting data that identifies which devices are ready for the new certificates.
This is a change programme, not just a security patch.
If you have legacy hardware, air-gapped devices, or systems that do not receive Windows Update regularly, you need to identify them now and plan how they will receive the new certificates before June. A device that loses Secure Boot validation in June because it missed the certificate rollout will have a very bad day. So will you.
NTLM: The Retirement Clock Is Ticking
Microsoft is laying the groundwork for phased NTLM disablement. Newer operating systems will start with stronger auditing, working toward disabling NTLM by default over time.
If your estate still relies on NTLM fallback for line-of-business applications, legacy printers, or older network services, start mapping that usage now. Run NTLM auditing on your domain controllers. Identify what breaks when NTLM is not available. Do this proactively, because the alternative is discovering your critical application stopped working the morning after an update.
It Is Not Just Microsoft
Patch Tuesday is not a Microsoft-only event. If you patch Windows but ignore everything else, you are locking the front door while leaving the back windows open.
Adobe released nine security advisories covering 44 vulnerabilities across Audition, After Effects, InDesign, Substance 3D products, Bridge, Lightroom Classic, and DNG SDK. Twenty-seven of those are rated Critical with potential for arbitrary code execution. Adobe says none are exploited in the wild yet. But "yet" is doing heavy lifting in that sentence. If you have Adobe creative tools on shared workstations that nobody thinks to update, fix that today.
SAP shipped 26 new security notes and one update. The headline is CVE-2026-0488, a code injection vulnerability in SAP CRM and SAP S/4HANA Scripting Editor with a CVSS of 9.9. An authenticated attacker with low privileges can inject and execute arbitrary code, including arbitrary SQL statements against your database. If you run SAP CRM or S/4HANA, this is a "drop everything" priority. A second Critical flaw, CVE-2026-0509 in SAP NetWeaver ABAP with a CVSS of 9.6, allows low-privileged users to execute remote function calls without proper authorisation.
Ivanti published a security update for Ivanti Endpoint Manager. They say there is no evidence of exploitation and it does not affect other Ivanti solutions. But given Ivanti's recent history, "no evidence of exploitation" should prompt verification, not complacency.
Your Patching Priority List
Here is your action plan, in order. Print this. Stick it on the wall. Work through it this week, not next week.
Wave 1 (Today/Tomorrow): The exploited six.
Prioritise user endpoints for CVE-2026-21510, 21513, and 21514. These are the bypass flaws that require user interaction. Every laptop and desktop that opens files or clicks links is a target. Roll the Office update for 21514 at the same time.
Prioritise terminal servers and RDP-exposed hosts for CVE-2026-21533. CrowdStrike confirmed active abuse.
Patch CVE-2026-21519 on any system used as a jump box or shared administrative host.
Apply CVE-2026-21525 if you rely on Windows remote access tooling.
Wave 2 (This Week): Critical cloud and infrastructure.
Validate Azure Front Door, Azure Arc, and Azure Functions configurations.
Apply SAP notes for CVE-2026-0488 (CVSS 9.9) and CVE-2026-0509 (CVSS 9.6) if you run SAP.
Update Ivanti Endpoint Manager.
Wave 3 (Within 10 Days): Everything else.
Remaining Windows and Office patches. Adobe Creative suite updates. Standard testing and rollout.
Ongoing: Operational readiness.
Begin Secure Boot certificate planning for June 2026 deadline. Start NTLM usage auditing. Verify Office clients actually loaded the latest builds.
What to Test Before Broad Rollout
If you have a staging environment (and you should), test these workflows before pushing to production:
RDP and remote application access. Especially if you run DirectAccess or terminal servers. CVE-2026-21533 patches could interact with remote access configurations.
Office document opening. Test protected view, blocked file types, and OLE object handling. The bypass patches change how Office evaluates file origins.
SmartScreen and Mark of the Web. Download files from external sources and verify that warnings appear correctly after patching.
Restart behaviour on shared devices. Kiosk systems, shared workstations, and multi-user environments need validation that privilege elevation fixes take effect after restart.
Secure Boot paths on older hardware. Windows 11 machines with older firmware need particular attention.
How to Turn This Into a Competitive Advantage
Patch Tuesday is not just a chore. It is a differentiator.
Win customer trust. If you can tell your clients and partners that you patched six exploited zero-days within 48 hours of release, you are demonstrating operational maturity that most of your competitors cannot match. Put it in your next proposal or tender response.
Strengthen your supply chain position. Large enterprise clients increasingly audit their suppliers' patching cadence. Being able to demonstrate a documented, rapid patching process makes you a lower-risk vendor.
Reduce insurance premiums. Cyber insurers are asking increasingly specific questions about patch management. "We apply critical patches within 48 hours" is a significantly better answer than "we patch monthly during our maintenance window."
Use vendor diversity as protection. Understanding that Patch Tuesday includes SAP, Adobe, and Ivanti alongside Microsoft shows your risk management extends beyond just Windows. That is the kind of mature posture that wins contracts.
How to Sell This to Your Board
If you need budget for faster patching tools, more testing infrastructure, or dedicated patch management time, here are your talking points.
The risk is documented and specific. Six vulnerabilities are being actively exploited. CISA has catalogued them. CrowdStrike has confirmed abuse. This is not theoretical.
The cost of delay is calculable. Every day these remain unpatched, your organisation is exposed to attacks that bypass your existing security controls. Your security awareness training, your SmartScreen protections, your Mark of the Web defences: three of these zero-days render them ineffective.
The regulatory exposure is real. ICO expects organisations to apply security patches in a timely manner. "Our change advisory board meets fortnightly" is not a reasonable defence if you suffer a breach through a vulnerability that was patched two weeks before the attack.
The competitive advantage is tangible. Rapid patching demonstrates operational maturity to clients, insurers, and auditors. It is a business differentiator, not just an IT cost centre.
What This Means for Your Business
First: Patch the exploited six today. Not tomorrow. Not after the change advisory board meets. Today. If your process does not allow emergency patching for actively exploited vulnerabilities, your process is broken and needs fixing as urgently as the vulnerabilities themselves.
Second: Check your Office clients actually updated. The Word bypass (CVE-2026-21514) requires the application to restart to load the patched build. If your users have not closed Word since Monday, they are still vulnerable.
Third: Start the Secure Boot and NTLM conversations now. June 2026 is four months away. Certificate expiry does not negotiate with your change schedule.
Fourth: Do not forget the non-Microsoft vendors. Adobe's 27 Critical-rated flaws and SAP's CVSS 9.9 code injection deserve the same urgency you give Windows patches.
Fifth: Document everything you do. Your patching timeline, your testing results, your deployment records. When the auditor, the insurer, or the ICO asks what you did about February 2026 Patch Tuesday, "we had it handled within 48 hours" is the answer that keeps you out of trouble.
| Source | Article |
|---|---|
| BleepingComputer | Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws |
| Tenable | Microsoft's February 2026 Patch Tuesday Addresses 54 CVEs |
| CyberScoop | Microsoft Patch Tuesday matches last year's zero-day high |
| SecurityWeek | 6 Actively Exploited Zero-Days Patched by Microsoft |
| Qualys | Microsoft and Adobe Patch Tuesday February 2026 Security Update Review |
| Krebs on Security | Patch Tuesday, February 2026 Edition |
| Trend Micro ZDI | The February 2026 Security Update Review |
| CSO Online | February 2026 Patch Tuesday: Six actively exploited vulnerabilities addressed |
| SAP | SAP Security Patch Day February 2026 |
| Onapsis | SAP Security Patch Day for February 2026 |
| Infosecurity Magazine | Microsoft Fixes Six Zero Day Vulnerability in February Patch Tuesday |
| Microsoft | Windows 11 February 10 2026 Cumulative Update KB5077181 |
Related Posts:
Compliance Alone Is Digital Security Theatre - Why your change process might be the vulnerability
Stolen Credentials Are the New Normal - How attackers get the initial access these patches defend against
ConnectWise ScreenConnect: The MSP Tool That Keeps Getting Hacked - When your remote access tools become the attack vector
About Graham Falkner
Graham brings decades of hands-on experience in IT infrastructure and security implementation. He focuses on translating complex technical vulnerabilities into practical action plans that resource-constrained businesses can actually execute.