Yesterday was Patch Tuesday, and Microsoft’s February 2026 release is one security teams should not ignore, particularly with six actively exploited zero-days already being used in real-world attacks.
This month’s update addresses 58 vulnerabilities, including six actively exploited zero-days and three that were publicly disclosed before patches were available. Alongside those, Microsoft fixed five Critical vulnerabilities, made up of three elevation of privilege flaws and two information disclosure issues.
The flaws span multiple categories:
As with standard reporting, only vulnerabilities released by Microsoft on Patch Tuesday are counted here. This does not include three Microsoft Edge issues that were addressed earlier this month.
Alongside the vulnerability fixes, Microsoft has started rolling out updated Secure Boot certificates, replacing the original 2011 certificates which expire in late June 2026.
According to Microsoft’s Windows 11 update notes, quality updates now include targeting data to determine whether devices are ready to receive the new certificates. Systems will only receive them once sufficient successful update signals are observed. The aim is a phased and controlled rollout to minimise disruption.
For organisations running mixed or legacy environments, this is one to track carefully over the coming months.
This month’s most pressing issue is the number of zero-days already being used in the wild. Of the six actively exploited vulnerabilities, three were also publicly disclosed before patches were released.
Microsoft defines a zero-day as a vulnerability that is either publicly disclosed or actively exploited while no official fix is available.
Here’s what matters.
Windows Shell Security Feature Bypass
An attacker can bypass Windows SmartScreen and Windows Shell security prompts by convincing a user to open a specially crafted link or shortcut file. Improper handling in Windows Shell components allows attacker-controlled content to execute without the usual warnings.
While details remain limited, this likely involves bypassing Mark of the Web protections. The flaw was discovered by multiple teams including MSTIC, MSRC, the Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher.
MSHTML Framework Security Feature Bypass
This vulnerability allows an unauthorised attacker to bypass a security feature over a network due to a protection mechanism failure in the MSHTML Framework. Exploitation details have not been released.
It was identified by MSTIC, MSRC, the Office Product Group Security Team, and Google Threat Intelligence Group.
Microsoft Word Security Feature Bypass
This actively exploited flaw allows attackers to bypass OLE mitigations in Microsoft 365 and Microsoft Office. Exploitation requires convincing a user to open a malicious Office file.
Microsoft confirmed the vulnerability cannot be exploited through the Office Preview Pane. Discovery was again attributed to MSTIC, MSRC, the Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher.
At present, it is unclear whether these three bypass vulnerabilities were exploited as part of the same campaign.
Desktop Window Manager Elevation of Privilege
Successful exploitation grants SYSTEM privileges. No further technical detail has been disclosed. The issue was identified by MSTIC and MSRC.
Windows Remote Access Connection Manager Denial of Service
A null pointer dereference vulnerability allows an unauthorised attacker to trigger a local denial of service.
ACROS Security identified the flaw. Their team discovered an exploit in a public malware repository in December 2025 while investigating another vulnerability. At the time, it was a zero-day and was micropatched via 0patch before being reported to Microsoft. There is currently no confirmed attribution regarding exploitation in the wild.
Windows Remote Desktop Services Elevation of Privilege
This flaw allows an authorised attacker to elevate privileges locally through improper privilege management in Windows Remote Desktop Services.
CrowdStrike’s Advanced Research Team observed exploitation that modifies a service configuration key, enabling attackers to add a new user to the Administrator group. While no specific adversary has been attributed, CrowdStrike expects increased attempts to weaponise or sell the exploit.
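The behaviour described above (a service configuration key change followed by a new member of the Administrators group) can be hunted for by correlating Windows Security events 4657, 4720 and 4732 per host. The following is an added detection sketch, not code from CrowdStrike or Microsoft. It assumes registry auditing is enabled on the Services keys and that events are already exported to dicts; the field names, the 10-minute window, and the key name `ExampleSvc` are assumptions, since the page does not name the key.

```python
import re
from datetime import datetime, timedelta

REG_VALUE_MODIFIED, USER_CREATED, ADDED_TO_LOCAL_GROUP = 4657, 4720, 4732
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Assumption: the page names no key, so any value under a service's key counts.
SERVICE_KEY = re.compile(
    r"\\registry\\machine\\system\\(currentcontrolset|controlset\d{3})\\services\\", re.I)

def find_suspect_admin_adds(events, window=timedelta(minutes=10)):
    """Flag Administrators additions that follow a service-key change on the same host."""
    last_svc_change = {}   # host -> (time, key) of the latest service-key write
    created = {}           # (host, account SID) -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, eid = ev["host"], ev["event_id"]
        if eid == REG_VALUE_MODIFIED and SERVICE_KEY.search(ev["object_name"]):
            last_svc_change[host] = (ev["time"], ev["object_name"])
        elif eid == USER_CREATED:
            created[(host, ev["target_sid"])] = ev["time"]
        elif eid == ADDED_TO_LOCAL_GROUP and ev["group_sid"] == ADMINISTRATORS_SID:
            change = last_svc_change.get(host)
            if change and ev["time"] - change[0] <= window:
                made = created.get((host, ev["member_sid"]))
                findings.append({
                    "host": host, "member_sid": ev["member_sid"], "service_key": change[1],
                    "new_account": made is not None and ev["time"] - made <= window})
    return findings

def _t(hms):  # timestamp helper for the constructed sample below
    return datetime.fromisoformat("2026-02-11T" + hms)

# Constructed sample records (not real telemetry), already normalised to dicts.
SVC = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc"
SAMPLE_EVENTS = [
    {"time": _t("10:00:05"), "host": "WS01", "event_id": 4657, "object_name": SVC},
    {"time": _t("10:00:40"), "host": "WS01", "event_id": 4720,
     "target_sid": "S-1-5-21-1-2-3-1105"},
    {"time": _t("10:00:42"), "host": "WS01", "event_id": 4732,
     "group_sid": ADMINISTRATORS_SID, "member_sid": "S-1-5-21-1-2-3-1105"},
    # Routine change: admin add with no preceding service-key write.
    {"time": _t("11:00:00"), "host": "WS02", "event_id": 4732,
     "group_sid": ADMINISTRATORS_SID, "member_sid": "S-1-5-21-1-2-3-1001"},
    # Service-key write hours before the add: outside the correlation window.
    {"time": _t("09:00:00"), "host": "WS03", "event_id": 4657, "object_name": SVC},
    {"time": _t("12:00:00"), "host": "WS03", "event_id": 4732,
     "group_sid": ADMINISTRATORS_SID, "member_sid": "S-1-5-21-1-2-3-1002"},
]

if __name__ == "__main__":
    print(find_suspect_admin_adds(SAMPLE_EVENTS))
```

A hit is a lead for triage rather than proof of exploitation, since software installers also write to service keys; the `new_account` flag separates freshly created accounts from existing ones.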
Several additional vendors released security updates this month:
Separately, Microsoft has begun rolling out built-in Sysmon functionality in Windows 11 Insider builds. While not a security fix, this will be a welcome addition for many Windows administrators.
Six actively exploited zero-days in a single month reinforce a pattern we continue to see. Security feature bypass, privilege escalation, and user-interaction-driven exploits remain reliable entry points for attackers.
Patch cadence matters. But so does visibility into where exploitation risk intersects with user behaviour, privilege management, and endpoint exposure.
To review the complete list of resolved vulnerabilities and affected systems, you can view the full February 2026 Patch Tuesday report directly via Microsoft’s official advisory.