Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.
Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).
It’s worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could allow an unauthorized attacker to perform spoofing over a network by taking advantage of a “user interface misrepresentation of critical information.”
Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited –
- CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
- CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
- CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.
Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which have been listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, and if they were weaponized as part of the same campaign.
“CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” Jack Bicer, director of vulnerability research at Action1, said. “It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”
Satnam Narang, senior staff research engineer at Tenable, said CVE-2026-21513 and CVE-2026-21514 bear a “lot of similarities” to CVE-2026-21510, the main difference being that CVE-2026-21513 can also be exploited using an HTML file, while CVE-2026-21514 can only be exploited using a Microsoft Office file.
As for CVE-2026-21525, it’s linked to a zero-day that ACROS Security’s 0patch service said it discovered in December 2025 while investigating another related flaw in the same component (CVE-2025-59230).
“These [CVE-2026-21519 and CVE-2026-21533] are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News via email. “This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system.”
“Once on the host, the attacker can use these escalation vulnerabilities to elevate privileges to SYSTEM. With this level of access, a threat actor could disable security tooling, deploy additional malware, or, in worst-case scenarios, access secrets or credentials that could lead to full domain compromise.”
Cybersecurity vendor CrowdStrike, which has been acknowledged for reporting CVE-2026-21533, said it does not attribute the exploitation activity to a specific adversary, but noted that threat actors in possession of the exploit binaries will likely ramp up their efforts to use or sell them in the near term.
“The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told The Hacker News in an emailed statement.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 3, 2026.
The update also coincides with Microsoft rolling out updated Secure Boot certificates to replace the original 2011 certificates that will expire in late June 2026. The new certificates will be installed through the regular monthly Windows update process without any additional action.
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” the tech giant said. “However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.”
“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
In tandem, the company said it’s also strengthening default protections in Windows through two security initiatives, Windows Baseline Security Mode and User Transparency and Consent. The updates come under the purview of the Secure Future Initiative and Windows Resiliency Initiative.
“With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default,” it noted. “These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes.”
User Transparency and Consent, analogous to Apple macOS Transparency, Consent, and Control (TCC) framework, aims to introduce a consistent approach to handling security decisions. The operating system will prompt users when apps try to access sensitive resources, such as files, the camera, or the microphone, or when they attempt to install other unintended software.
“These prompts are designed to be clear and actionable, and you’ll always have the ability to review and change your choices later,” Logan Iyer, Distinguished Engineer at Microsoft, said. “Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.”
