
Microsoft Fixes Six Zero-Day Vulnerabilities in February Patch Tuesday

By Team-CWD, February 11, 2026


System administrators are likely to have a busy February after Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed.

The zero-days are as follows:

  • CVE-2026-21510 is a security feature bypass vulnerability in Windows Shell which enables unauthorized attackers to circumvent Windows SmartScreen and security prompt protections by tricking victims into clicking on a malicious link
  • CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, which is used by Windows and various applications to render HTML content. “A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click,” warned Action1 director of vulnerability research, Jack Bicer
  • CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Word. Exploitation requires no privileges but the victim must open a malicious document
  • CVE-2026-21519 is an elevation of privilege (EoP) flaw in the Windows Desktop Window Manager (DWM) which allows attackers to turn basic access into full system control. It’s unclear how it is being exploited
  • CVE-2026-21525 is a denial-of-service vulnerability affecting the Windows Remote Access Connection Manager. “Exploitation is local, requires no privileges, and does not rely on user interaction,” explained Action1 president, Mike Walters. “An attacker with basic local access can repeatedly trigger the flaw to cause persistent service disruption.”
  • CVE-2026-21533 is another EoP vulnerability in Windows Remote Desktop Services. Exploitation is local, requires only low privileges, and does not need user interaction, noted Bicer


In total this month, most CVEs disclosed by Microsoft were EoP (25), followed by remote code execution (12), spoofing (7), information disclosure (6) and security feature bypass (5).

None of the actively exploited vulnerabilities are rated critical. In fact, only five CVEs out of the 58 patched this month are critical.

SAP Adds to the Patch Load

Elsewhere, SAP released 26 new security “notes” yesterday, and one update to a previously released note.

The first of the two most serious CVEs is a missing authorization check vulnerability (CVE-2026-0509) in SAP NetWeaver Application Server ABAP and ABAP Platform, which has a CVSS score of 9.6.

The second (CVE-2026-0488) is a code injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor), which has a CVSS score of 9.9.

Pathlock SAP security analyst, Jonathan Stross, explained that the affected systems are commonly used by call center agents and CRM support staff.

“A realistic attack chain could start from attackers compromising a standard CRM user through phishing, password reuse, or endpoint compromise. Then, the attacker accesses the Scripting Editor-related functionality and leverages the generic call flaw,” he continued.

“Finally, they execute unauthorized database-level actions (SQL), resulting in broad control. Once there, an attacker can compromise the database, steal or modify data, and cause operational disruption by manipulating CRM/S/4 data at the persistence layer.”


