
Microsoft recently issued security updates to resolve 59 vulnerabilities found in its software. Six of these flaws have been actively exploited.
Among the 59 vulnerabilities, five are categorized as Critical, 52 as Important, and two as Moderate. The patched issues include 25 privilege escalation flaws, 12 remote code execution vulnerabilities, 7 spoofing issues, 6 information disclosure flaws, 5 security feature bypasses, 3 denial-of-service vulnerabilities, and 1 cross-site scripting flaw.
These updates come in addition to three security flaws that Microsoft addressed in its Edge browser since the January 2026 Patch Tuesday release. One notable fix was for a Moderate vulnerability in Edge for Android (CVE-2026-0391, CVSS score: 6.5) that could enable spoofing via a user interface misrepresentation.
This month’s updates highlight six vulnerabilities that are currently being actively exploited:
- CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
- CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
- CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.
Microsoft’s security teams and Google Threat Intelligence Group (GTIG) are credited with finding and reporting the first three vulnerabilities, which were publicly known at the time of the patch release. Specific details regarding their exploitation or whether they were part of a unified campaign are not yet available.
According to Jack Bicer, director of vulnerability research at Action1, CVE-2026-21513 is a security feature bypass in the Microsoft MSHTML Framework. This flaw allows attackers to bypass execution prompts when users interact with malicious files, enabling dangerous actions with a single click.
Satnam Narang, a senior staff research engineer at Tenable, noted that CVE-2026-21513 and CVE-2026-21514 are similar to CVE-2026-21510. The key distinction is that CVE-2026-21513 can be exploited via an HTML file, whereas CVE-2026-21514 requires a Microsoft Office file.
CVE-2026-21525 is connected to a zero-day vulnerability that ACROS Security’s 0patch service reportedly discovered in December 2025 during an investigation into a related flaw (CVE-2025-59230) in the same component.
Kev Breen, senior director of cyber threat research at Immersive, explained that CVE-2026-21519 and CVE-2026-21533 are local privilege escalation vulnerabilities. Exploitation requires an attacker to have already accessed a vulnerable host, potentially through a malicious attachment, a remote code execution flaw, or lateral movement from another compromised system.
Once on a host, these vulnerabilities can be used to elevate privileges to SYSTEM level. This high level of access could allow a threat actor to disable security tools, deploy more malware, or access sensitive data and credentials, potentially leading to a complete domain compromise.
CrowdStrike, credited for reporting CVE-2026-21533, has not attributed its exploitation to a specific adversary. However, the company anticipates that threat actors possessing exploit binaries will likely increase their efforts to utilize or sell them soon.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, stated that the CVE-2026-21533 exploit binary alters a service configuration key, replacing it with an attacker-controlled key. This action could allow adversaries to escalate privileges and add a new user to the Administrator group.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply these fixes by March 3, 2026.
This update also includes Microsoft’s deployment of updated Secure Boot certificates. These new certificates replace the original 2011 versions, which are set to expire in late June 2026, and will be installed automatically via the standard monthly Windows update.
Microsoft stated that if a device does not receive the new Secure Boot certificates before the 2011 certificates expire, it will still function, and existing software will run. However, the device will operate in a degraded security state, limiting its capacity to receive future boot-level protections.
Without these updates, systems become more vulnerable to new boot-level flaws as they cannot install new mitigations. This could also lead to compatibility problems, preventing newer operating systems, firmware, hardware, or Secure Boot-dependent software from loading.
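The following PowerShell check is an added example, not part of the article or any Microsoft tooling: it reads the firmware's Secure Boot `db` and `KEK` variables and reports whether the replacement certificates are present alongside the expiring 2011 ones. The article names only the 2011 certificates; the "2023" certificate names used below are taken from Microsoft's published Secure Boot guidance and are assumptions as far as this page is concerned.

```powershell
# Added example (not from the article): report whether this device has received
# the replacement Secure Boot certificates before the 2011 versions expire.
# Run from an elevated PowerShell prompt on a UEFI system; Get-SecureBootUEFI
# requires administrator rights. Assumption: the replacement certificates carry
# the "2023" Microsoft CA names (Windows UEFI CA 2023 in db,
# Microsoft Corporation KEK 2K CA 2023 in KEK); the article names only the 2011 ones.

function Get-SecureBootCertStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or a platform without the Secure Boot cmdlets
        return [pscustomobject]@{ SecureBoot = $false; Reason = $_.Exception.Message }
    }
    if (-not $enabled) {
        return [pscustomobject]@{ SecureBoot = $false; Reason = 'Secure Boot is disabled' }
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs; the X.509 subject names inside
    # survive an ASCII decode well enough to be matched as plain text.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    [pscustomobject]@{
        SecureBoot   = $true
        DbHas2011CA  = $db  -match 'Microsoft Windows Production PCA 2011'
        DbHas2023CA  = $db  -match 'Windows UEFI CA 2023'
        KekHas2011CA = $kek -match 'Microsoft Corporation KEK CA 2011'
        KekHas2023CA = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }
}

$status = Get-SecureBootCertStatus
$status | Format-List

# A device with Secure Boot on but no 2023 trust anchors is the one that will drop
# into the degraded state Microsoft describes once the 2011 certificates expire.
if ($status.SecureBoot -and -not ($status.DbHas2023CA -and $status.KekHas2023CA)) {
    Write-Warning 'Replacement Secure Boot certificates not yet installed on this device.'
}
```

Running this across a fleet before late June 2026 identifies the machines that still depend solely on the 2011 certificates.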
Additionally, Microsoft is enhancing Windows’ default protections through two security initiatives: Windows Baseline Security Mode and User Transparency and Consent. These efforts fall under the Secure Future Initiative and Windows Resiliency Initiative.
Microsoft indicated that Windows Baseline Security Mode will enable runtime integrity safeguards by default. These safeguards will ensure that only properly signed applications, services, and drivers can run, protecting the system from unauthorized modifications.
User Transparency and Consent, similar to Apple macOS’s Transparency, Consent, and Control (TCC) framework, seeks to standardize security decision-making. The operating system will notify users when applications attempt to access sensitive resources like files, cameras, or microphones, or try to install unwanted software.
Logan Iyer, a Distinguished Engineer at Microsoft, mentioned that these prompts are designed to be clear and actionable, allowing users to review and modify their choices later. Applications and AI agents will also be required to meet higher transparency standards, providing users and IT administrators with better insight into their activities.

