The Register Unveils Six Critical Zero-Day Vulnerability Fixes

On February’s Patch Tuesday, Microsoft addressed six critical zero-day vulnerabilities. These flaws were actively exploited before the release of patches, highlighting ongoing security challenges faced by users. In stark contrast, only one such vulnerability was under attack prior to the January Patch Tuesday.

The Six Critical Zero-Day Vulnerability Fixes Unveiled by Microsoft

Microsoft has not disclosed specific details about the attackers or the extent of the exploits. However, given that three of these vulnerabilities are publicly disclosed, additional reports of active exploitation can be expected. Here’s an overview of the six identified CVEs:

• Security Feature Bypass in Windows Shell (CVE-2026-21510):
  This vulnerability has a CVSS score of 8.8.
  Attackers can exploit it by enticing users to open malicious links or shortcut files.
  Upon opening, the attacker bypasses security prompts to execute code on the user’s system.
• Security Feature Bypass in Internet Explorer (CVE-2026-21513):
  Also rated at 8.8 CVSS, this flaw leads to remote code execution (RCE).
  Users are tricked into opening malicious HTML or shortcut files, allowing the attacker to execute code via the system.
• Security Feature Bypass in Microsoft Word (CVE-2026-21514):
  With a CVSS rating of 7.8, this vulnerability allows attackers to access COM and OLE controls by opening malicious Office files.
  Fortunately, the Preview Pane is not an attack vector for this flaw.
• Elevation of Privilege in Desktop Window Manager (CVE-2026-21519):
  This CVE was not disclosed prior to the update and has a CVSS score of 7.8.
  An attacker exploiting this bug can gain SYSTEM privileges, raising concerns about the effectiveness of previous patches.
• Denial of Service in Windows Remote Access Connection Manager (CVE-2026-21525):
  This vulnerability has a CVSS rating of 6.2.
  It allows unauthorized attackers to deny service locally via a null pointer dereference.
• Elevation of Privilege in Windows Remote Desktop Services (CVE-2026-21533):
  Rated at 7.8 CVSS, this flaw enables authorized attackers to locally elevate privileges.
  It stems from improper privilege management within Windows Remote Desktop.

With ongoing threats from these vulnerabilities, prompt application of the suggested patches is critical for all users. Enhanced cybersecurity measures are necessary to mitigate risks associated with these zero-day exploits.