The tech giant’s monthly release of security updates fixes six vulnerabilities that are considered actively exploited, according to a Trend Micro threat tracker.
Microsoft’s monthly release of security updates Tuesday included fixes for six vulnerabilities that are known to be actively exploited in cyberattacks.
A total of 58 CVEs (Common Vulnerabilities and Exposures) received software patches as part of the release, popularly known as “Patch Tuesday.” This is a typical number of CVEs for a February release, according to Trend Micro’s Dustin Childs.
[Related: Microsoft’s Rob Lefferts On Rise Of AI Attacks: ‘Be Prepared To Go Faster’]
However, “the number of bugs under active attack is extraordinarily high,” wrote Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a blog post Tuesday.
“Microsoft lists six bugs being exploited at the time of release, with three of these listed as publicly known,” he wrote. “Last month only had a single bug being exploited, although there were twice as many CVEs patched. We’ll see if we’re on our way to another ‘hot exploit summer’ as we saw a few years ago or if this is just an aberration.”
CRN has reached out to Microsoft for comment.
The six vulnerabilities that have seen active exploitation impact Windows, Office (Microsoft Word) and Internet Explorer:
- Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510)
- Microsoft Word Security Feature Bypass Vulnerability (CVE-2026-21514)
- Desktop Window Manager Elevation of Privilege Vulnerability (CVE-2026-21519)
- Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVE-2026-21533)
- Internet Explorer Security Feature Bypass Vulnerability (CVE-2026-21513)
- Windows Remote Access Connection Manager Denial of Service Vulnerability (CVE-2026-21525)
Five of the six vulnerabilities that have been listed as exploited are considered “important” in severity, with severity scores ranging from 7.8 to 8.8 out of 10.0, according to Childs. The sixth flaw (CVE-2026-21525) is considered a medium-severity issue with a score of 6.2 out of 10.0.
Among the highest-severity flaws is the Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510), which has a severity score of 8.8 and “could also be classified as code execution,” he wrote.
“A one-click bug to gain code execution is a rarity,” Childs wrote. “Definitely test and deploy this fix quickly.”
The other vulnerability with a severity score of 8.8 is the Internet Explorer Security Feature Bypass Vulnerability (CVE-2026-21513), he noted.
“Although long gone by many measurements, IE does still exist on Windows systems, and calling it always results in a vulnerability somehow,” Childs wrote. “This bug manifests similarly to the Shell bug above, as it requires user interaction but could result in code execution. The bypass here is simply the ability to reach IE, which shouldn’t be possible. Again, test and deploy this fix quickly.”
Five other flaws addressed in the monthly release, meanwhile, are listed by Microsoft as critical-severity vulnerabilities, according to Childs.
The newly disclosed critical bugs affect several Azure services—Azure Arc, Azure Front Door, Azure Functions and ACI (Azure Container Instances) Confidential Containers.
