Microsoft Patch Tuesday (Feb 2026): 6 Zero-Days Exploited & Critical Secure Boot Updates

Microsoft’s February 2026 Patch Tuesday is a heavy hitter, addressing 58 vulnerabilities across its ecosystem.

The headline concern for administrators this month is the patch for six actively exploited zero-day vulnerabilities, three of which were publicly disclosed prior to the fix.

In addition to the security flaws, Microsoft has initiated a critical infrastructure update: the rollout of new Secure Boot certificates to replace the 2011 keys set to expire in June 2026.

The Numbers

The 6 Zero-Days Under Attack

Immediate attention is required for these six vulnerabilities currently being leveraged by threat actors:

1.  CVE-2026-21510 (Windows Shell)

A security feature bypass that circumvents SmartScreen and Windows Shell prompts. Attackers use malicious links or shortcut files to execute content without user warnings (Mark of the Web bypass).

2.  CVE-2026-21513 (MSHTML Platform)

A security feature bypass allowing unauthorized actors to circumvent network-based security features.

3.  CVE-2026-21514 (Microsoft Word)

Exploits a weakness in how Word handles COM/OLE controls, bypassing OLE mitigations. It requires a user to open a malicious file (Preview Pane is safe).

4.  CVE-2026-21519 (Desktop Window Manager)

An Elevation of Privilege (EoP) flaw allowing attackers to gain SYSTEM privileges.

5.  CVE-2026-21525 (Windows Remote Access Connection Manager)

A Denial of Service (DoS) vulnerability via null pointer dereference. Originally discovered by 0patch in a malware repository in late 2025.

6.  CVE-2026-21533 (Windows Remote Desktop Services)

An EoP flaw that allows an authenticated attacker to modify service configuration keys and add a new user to the local Administrator group.

Critical Infrastructure: Secure Boot Certificate Rotation

Microsoft is replacing the original 2011 Secure Boot certificates, which expire in June 2026. This update (KB5077181 & KB5075941 for Windows 11) includes a phased rollout. Devices will only receive the new certificates after broadcasting "sufficient successful update signals" to prevent boot failures.
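Because the rollout is phased, it is worth checking which certificates a given device actually holds. The following PowerShell is an added example, not part of the original article or Microsoft's update. The function name is hypothetical, and the certificate common names are an assumption based on Microsoft's published Secure Boot certificate naming, not taken from this page.

```powershell
# Added example: report which Secure Boot certificates (2011 vs 2023 generation)
# are present in the firmware KEK and db variables. Run from an elevated prompt.
function Get-SecureBootCertStatus {
    # Assumed certificate common names, grouped by the UEFI variable that holds them.
    # The third-party "UEFI CA" entries are not present on every device.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft Windows Production PCA 2011',
                'Microsoft Corporation UEFI CA 2011',
                'Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }

    foreach ($var in $expected.Keys) {
        try {
            # Fails on legacy BIOS systems or when not running elevated.
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read UEFI variable '$var': $($_.Exception.Message)"
            continue
        }

        # Certificate subject names are stored as plain strings inside the
        # DER-encoded entries, so a text search over the raw bytes finds them.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)

        foreach ($cn in $expected[$var]) {
            $generation = if ($cn -match '2023') { '2023' } else { '2011' }
            [pscustomobject]@{
                Variable    = $var
                Certificate = $cn
                Generation  = $generation
                Present     = $text.Contains($cn)
            }
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A device that shows only 2011-generation entries as present has not yet received the new certificates.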

Other Vendor Updates

  • Adobe: Updates for After Effects, InDesign, and Substance 3D (no zero-days).
  • CISA: Issued a Binding Operational Directive for federal agencies regarding End-of-Support network edge devices.
  • Cisco & Fortinet: Security updates released for Secure Web Appliance and FortiOS/FortiSandbox respectively.