Microsoft’s Valentine’s Day Patch: 6 Critical Zero-Day Fixes

Summary
– Attackers exploited six Microsoft vulnerabilities as zero-days before fixes were released in February’s Patch Tuesday update.
– Three of the six exploited bugs are publicly disclosed, increasing the risk of wider exploitation.
– Several critical vulnerabilities, like CVE-2026-21510 and CVE-2026-21513, allow attackers to bypass security features and execute code by tricking users into opening malicious files.
– One privilege elevation bug (CVE-2026-21519) in the Desktop Window Manager marks the second consecutive month such a flaw has been actively exploited.
– Other patched flaws include vulnerabilities allowing local denial-of-service and privilege escalation in services like Windows Remote Access and Remote Desktop.

Microsoft’s February security update, affectionately dubbed a “Valentine’s Day Patch,” delivered critical fixes for a concerning number of vulnerabilities already being exploited by attackers. This month’s Patch Tuesday addressed a total of 59 CVEs, with six of these flaws actively exploited as zero-days before Microsoft could release the official fixes. This marks a significant increase from the single exploited vulnerability reported in January, highlighting a more aggressive threat landscape. While the company has not disclosed details about the attackers or the scale of the attacks, the public disclosure of three of these bugs suggests that proof-of-concept exploit code is likely already circulating online, increasing the risk of wider exploitation.
Among the most critical issues patched is a Windows Shell Security Feature Bypass Vulnerability tracked as CVE-2026-21510. Rated 8.8 on the CVSS scale, this flaw requires an attacker to trick a user into opening a malicious link or shortcut file. Successfully doing so allows the attacker to bypass critical Windows security prompts like SmartScreen, enabling code execution on the victim’s system without any warning. Security experts warn that this bug, which is both exploited and publicly known, should be a top priority for patching due to its potential for significant harm.
Another high-severity flaw is the Internet Explorer Security Feature Bypass Vulnerability, CVE-2026-21513, also scoring an 8.8 CVSS rating. This vulnerability, under active attack and publicly disclosed, can lead to remote code execution. The attack method is similar, relying on a user opening a malicious HTML or shortcut file delivered via email or a website. The file manipulates how the browser and Windows Shell handle content, allowing the attacker to circumvent security features. A potential mitigating factor is that Internet Explorer reached its end of support in 2022, though any remaining users are at extreme risk.
The trend of security feature bypasses continues with CVE-2026-21514, a Microsoft Word vulnerability. With a CVSS score of 7.8, this publicly known flaw is triggered when a user opens a malicious Office document. This action grants the attacker access to COM and OLE controls, which can be abused to achieve remote code execution. Fortunately, the Preview Pane in Outlook is not a viable attack vector for this particular bug.
A particularly dangerous elevation of privilege bug was found in the Desktop Window Manager, identified as CVE-2026-21519. Unlike the three flaws described above, this one was not publicly disclosed before the patch. Exploiting it allows an attacker to gain SYSTEM-level privileges on a compromised machine. This marks the second consecutive month a DWM vulnerability has been exploited, leading analysts to suspect the previous patch may not have fully resolved the underlying issue.
The update also fixes a Denial of Service vulnerability in Windows Remote Access Connection Manager, CVE-2026-21525. Rated 6.2, this bug is caused by a null pointer dereference that allows an unauthorized local attacker to trigger a service disruption.
Finally, CVE-2026-21533, an Elevation of Privilege flaw in Windows Remote Desktop Services, was also under active exploitation. With a 7.8 CVSS score, this vulnerability stems from improper privilege management and enables an authorized attacker to locally elevate their privileges to SYSTEM level, granting them full control over the system. Administrators are urged to apply these patches immediately to protect their networks from these active threats.
(Source: The Register)