This week Microsoft published its monthly security update with a significant load: they have corrected a total of 59 vulnerabilities distributed by several products of the company, including six that, according to the company, were already being exploited in real environments. Most of the failures are listed as of high importance, although there are also five classified as critics and a pair as moderate. The corrections include problems that allow you to climb privileges, run remote code, suplantations, information filtration and other vectors that attackers often take advantage of.
Among the vulnerabilities that Microsoft stands out for being actively exploited are a number of entries with public identifiers. For example, CVE-2026-21510 describes a Windows Shell failure that breaks a protection mechanism and could allow an attacker to evade security controls over the network; the official detail can be consulted in the Microsoft guide: CVE-2026-21510. Other reported judgements include CVE-2026-21513, related to the MSHTML engine that renders HTML content in multiple applications, and CVE-2026-21514, which affects Microsoft Word and is used by malicious office files. The complete list of failures and their classification is available in the collection of the update: February 2026 update note.
Security community analysis helps to understand how these vulnerabilities work in practice. Action1 explained that, in the case of MSHTML failure, vulnerability allows you to design files that draw Windows security notices and run dangerous actions with a single click; more details and the perspective of your research appear in your article: comment by Action1. On the other hand, Tenable researchers point out similarities between several of these failures - for example, among those affecting Windows Shell, MSHTML and Office -, stressing that some can be activated through HTML files and others only through office documents.
In addition, one of the corrections (CVE-2026-21525) is linked to a zero-day that had already been investigated by the community: the 0patch service of ACROS Security published micropatches as it deepened a related problem in the same component, and its report on that research can be read on the 0patch blog: 0patch input. These pieces fit into a pattern we usually see: a problem is discovered in the context of other similar failures, and the vulnerability hunters end up finding several operating routes within the same subsystem.
Not all vulnerabilities are remotely exploitable without interaction. As experts recall, there are raising local privileges- for example, CVE-2026-21519 and CVE-2026-21533- which require that the attacker already have access to the system concerned. This pre-phase can be achieved by means of a malicious attachment, prior exploitation of CERs, or lateral movement within a compromised network; once the target system has been reached, the scaling vulnerabilities can reach SYSTEM privileges and, consequently, disable defenses, install persistent malware or extract credentials with potential to compromise entire domains, as Kev Breen explained in statements reproduced by specialized means.
The gravity of the package has forced the authorities to react: CISA added the six vulnerabilities exploited to its catalogue of Known Exploited Vulnerabilities (KEV), which means that U.S. federal agencies are obliged to deploy the patches before an established deadline (in this case, March 3, 2026). Such inclusion often results in additional pressure for large organizations and managers to accelerate the application of patches.
The update also coincides with another movement that will affect the safe start of many devices: Microsoft is deploying renewed Secure Boot certificates to replace the 2011 originals that expire this summer. The company has explained that the new certificates will be installed by means of monthly Windows updates, without additional user intervention. Microsoft warns, however, that if a team does not receive the certificates renewed before expiry, it will continue to work but will enter a state with degraded safety and, over time, at risk of incompatibilities: Microsoft explanation.
In parallel, Microsoft is changing how Windows protects and requests consent for sensitive actions. The initiatives called Windows Baseline Security Mode and User Transparency and Consent aim to tighten the default policy so that only signed and verified components can be executed in running time and at the same time provide clearer warnings when an application or agent - including those driven by IA - tries to access sensitive resources such as files or camera. The company presented these measures as part of its resilience efforts and the safe future of the operating system; there is a technical exhibition on the official blog: Windows Baseline Security Mode and User Transparency and Consent detail.
What should users and administrators do right now? In practical terms, the immediate priority is to test and install the official patches on all compatible equipment and servers, starting with systems exposed to the Internet and those that support critical services. At the same time, it is appropriate to review detection and response mechanisms: access records, side movement alerts and any signs of privilege climbing. In business environments it is recommended to coordinate the update with compatibility tests and contingency plans to minimize interruptions. On the other hand, verifying that the teams receive the update of Secure Boot certificates and maintaining implementation control policies, code signatures and permit lists will help reduce the attack area in the medium term.
For those who want to consult the primary sources and deepen each vulnerability, the Microsoft guide on the February update, Edge's security notes and the pages of each CVE contain the recommended technical information and mitigation. The references cited in this article include Microsoft's note on the February update ( MSRC), subsequent corrections for Edge ( Edge's security notes), the technical records of the above-mentioned EQs ( CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533), the analysis of Action1 ( Action 1), the entry of 0patch ( 0patch) and the notice of CISA on the inclusion in its KEV catalogue ( CISA).
There are no magic recipes in security: to park on time, to implement detection and to maintain minimum policies of implementation control and good access practices remain the best defenses against campaigns that take advantage of known failures. This Microsoft patch is a further reminder that continuous maintenance and attention to security notices are obligations that should not be postponed.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...