Microsoft Updates: 59 Vulnerabilities Fixed, Including Six Zero-Day Exploits
On Tuesday, Microsoft announced significant security updates addressing a total of 59 vulnerabilities across its software. Among these, six have been identified as actively exploited in the wild.
Overview of Microsoft Updates
Out of the 59 vulnerabilities, five are classified as Critical, 52 as Important, and two as Moderate. The breakdown of the vulnerabilities reveals key areas of concern:
- Privilege escalation: 25
- Remote code execution: 12
- Spoofing: 7
- Information disclosure: 6
- Security feature bypass: 5
- Denial-of-service: 3
- Cross-site scripting: 1
Notable Zero-Day Vulnerabilities
Among the critical vulnerabilities, six are highlighted due to active exploitation:
- CVE-2026-21510: Protection bypass in Windows Shell (CVSS score: 8.8)
- CVE-2026-21513: Protection bypass in MSHTML Framework (CVSS score: 8.8)
- CVE-2026-21514: Untrusted input reliance in Microsoft Word (CVSS score: 7.8)
- CVE-2026-21519: Type confusion in Desktop Window Manager (CVSS score: 7.8)
- CVE-2026-21525: Null pointer dereference in Windows Remote Access Manager (CVSS score: 6.2)
- CVE-2026-21533: Improper privilege management in Windows Remote Desktop (CVSS score: 7.8)
Microsoft’s security teams collaborated with the Google Threat Intelligence Group to identify and report these vulnerabilities.
Exploitation Insights
Specific vulnerabilities such as CVE-2026-21513 allow attackers to bypass security prompts when users interact with malicious files, as noted by Jack Bicer, director of vulnerability research at Action1. This flaw and others like it can lead to severe risks if exploited.
Kev Breen, senior director of cyber threat research at Immersive, indicated that local privilege escalation vulnerabilities, such as CVE-2026-21519 and CVE-2026-21533, require attackers to already access vulnerable systems. The exploitation of these vulnerabilities could lead to further attacks, including disabling security tools or accessing sensitive credentials.
Action Required
In light of these findings, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included all six critical vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary security patches by March 3, 2026.
Additionally, Microsoft is enhancing its security by updating Secure Boot certificates from 2011, set to expire in June 2026. Without these new certificates, devices may function normally but will enter a degraded security state, increasing vulnerability.
Future Security Initiatives
Microsoft’s updates also include initiatives to improve default protections within Windows. The Windows Baseline Security Mode aims to enable runtime integrity safeguards by default, protecting against unauthorized changes.
The User Transparency and Consent initiative will provide clearer prompts for users when applications attempt to access sensitive resources. This improvement aligns with efforts to enhance user awareness and control over their data.
Stay updated with the latest developments in Microsoft security updates and related news at Filmogaz.com.
