Microsoft has released security updates addressing 59 vulnerabilities across its software, including six zero-day flaws currently exploited in the wild. The patch rollout was announced on Tuesday, highlighting the urgent need for users and organizations to apply fixes.
Severity Breakdown
Of the 59 vulnerabilities, five are marked Critical, 52 Important, and two Moderate. Privilege escalation accounts for 25 of the patched issues, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).
These updates come in addition to three security fixes for Microsoft Edge, including a Moderate Android-specific flaw (CVE-2026-0391, CVSS 6.5) that could allow spoofing via UI misrepresentation of sensitive information.
Actively Exploited Zero-Days
The six actively exploited vulnerabilities include:
- CVE-2026-21510 (CVSS 8.8): Windows Shell protection failure enabling network-based security bypass
- CVE-2026-21513 (CVSS 8.8): MSHTML Framework protection failure, allowing attackers to bypass execution prompts
- CVE-2026-21514 (CVSS 7.8): Security bypass in Microsoft Office Word via untrusted inputs
- CVE-2026-21519 (CVSS 7.8): Desktop Window Manager type confusion leading to local privilege escalation
- CVE-2026-21525 (CVSS 6.2): Null pointer dereference in Windows Remote Access Connection Manager causing local denial-of-service
- CVE-2026-21533 (CVSS 7.8): Improper privilege management in Windows Remote Desktop enabling local privilege escalation
Microsoft’s security teams and Google Threat Intelligence Group reported the first three flaws, which were publicly known at release. Details of active exploitation remain limited.
Expert Insights
Jack Bicer, director of vulnerability research at Action1, noted that CVE-2026-21513 allows attackers to bypass Windows security prompts silently using crafted HTML files. Tenable’s Satnam Narang added that CVE-2026-21513 and CVE-2026-21514 resemble CVE-2026-21510, with differences in the types of files exploited.
CVE-2026-21525 was identified as a zero-day in December 2025 by ACROS Security while investigating a related flaw. Local privilege escalation vulnerabilities CVE-2026-21519 and CVE-2026-21533 require prior access to a compromised host, potentially allowing attackers to elevate privileges to SYSTEM, disable security tools, deploy malware, or access sensitive credentials.
CISA and Federal Advisory
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies must apply patches by March 3, 2026.
Secure Boot and Windows Protection Updates
Microsoft is also updating Secure Boot certificates to replace the 2011 certificates expiring in June 2026. Devices that miss the update will function but enter a degraded security state, risking future protections and compatibility with new software.
Alongside patches, Microsoft is enhancing Windows security with two initiatives:
- Windows Baseline Security Mode: Enables runtime integrity safeguards by default, allowing only properly signed apps, services, and drivers
- User Transparency and Consent: Similar to macOS TCC, it provides clear prompts when apps request sensitive permissions, improving visibility for users and administrators
Logan Iyer, Distinguished Engineer at Microsoft, emphasized that these measures will give users better control and ensure apps and AI agents meet higher transparency standards.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
