Microsoft's February 2026 Patch Tuesday landed on February 11 with patches for 54 CVEs, including 6 actively exploited zero-day vulnerabilities. That zero-day count ties with some of the most eventful Patch Tuesdays in recent memory, and the severity distribution makes this one that demands immediate attention from security teams and IT administrators alike.
Of the 54 CVEs, 8 are rated Critical, 38 High, and 8 Medium. The 6 zero-days span Windows desktop components, Microsoft Office, Azure cloud services, and the legacy MSHTML rendering engine. Three of them are security feature bypasses, meaning attackers are actively circumventing the defenses that organizations rely on to prevent initial compromise.
Here is the full breakdown of what matters, what to patch first, and what this means for your vulnerability management program.
The 6 Actively Exploited Zero-Days
CVE-2026-21510: Windows Shell SmartScreen Bypass
CVSS: 8.1 | Type: Security Feature Bypass | Exploitation: Active
This vulnerability allows attackers to bypass the Windows SmartScreen reputation-based protection when users open files downloaded from the internet. SmartScreen is one of Microsoft's primary defenses against malicious downloads. It flags executables and documents that lack a reputation score or have known malicious signatures. CVE-2026-21510 allows a specially crafted file to bypass these checks entirely, presenting no warning dialog to the user.
In practice, this means phishing attachments and drive-by downloads can execute without the usual SmartScreen interception. Microsoft has observed this being used in targeted phishing campaigns, primarily against organizations in the financial services and government sectors. The attack requires user interaction (opening the file), but the absence of the SmartScreen warning significantly increases the success rate of social engineering.
CVE-2026-21513: MSHTML/IE Security Feature Bypass
CVSS: 7.5 | Type: Security Feature Bypass | Exploitation: Active
Despite Internet Explorer being officially retired, the MSHTML rendering engine persists in Windows for backward compatibility and is used by various applications including Microsoft Office, Outlook, and third-party software. CVE-2026-21513 allows attackers to bypass security zone restrictions in the MSHTML engine, enabling content from the Internet zone to execute with the privileges typically reserved for the Local Intranet or Trusted Sites zones.
This vulnerability is being exploited through specially crafted Office documents and emails rendered in Outlook. The attack chain typically involves sending a document that triggers MSHTML rendering, which then loads content that would normally be blocked by zone-based security policies. Exploitation has been linked to APT groups targeting organizations in Europe and the Middle East.
CVE-2026-21514: Microsoft Word Security Feature Bypass
CVSS: 7.8 | Type: Security Feature Bypass | Exploitation: Active
This vulnerability bypasses Microsoft Word's Protected View, the sandbox environment that limits what documents can do when opened from untrusted sources. A specially crafted Word document can escape the Protected View sandbox and execute macros or embedded content without the user being prompted to enable editing or content.
Protected View has been one of the most effective mitigations against document-based malware for over a decade. This bypass undermines a critical layer of defense. The vulnerability is being actively exploited in spear-phishing campaigns where the attacker sends a Word document that, when opened, immediately executes a payload without the recipient seeing any security warnings. This is particularly dangerous because user training typically emphasizes "don't click Enable Content," but with this bypass, that warning never appears.
CVE-2026-24300: Azure Front Door Elevation of Privilege
CVSS: 9.8 | Type: Elevation of Privilege | Exploitation: Active
The highest-severity vulnerability in this month's release, CVE-2026-24300 affects Azure Front Door, Microsoft's global content delivery and load-balancing service. The vulnerability exists in the request routing and authentication handling layer of Azure Front Door. An unauthenticated attacker can exploit a flaw in how custom domain configurations process authentication tokens to gain elevated privileges on the Azure Front Door instance.
Successful exploitation allows an attacker to modify routing rules, intercept traffic, inject content into responses served to end users, and potentially redirect traffic to attacker-controlled infrastructure. Given that Azure Front Door sits in front of web applications as a reverse proxy, compromise of this layer can affect every application behind it.
Microsoft has confirmed active exploitation and is deploying the patch across Azure infrastructure. However, organizations with custom domain configurations on Azure Front Door should verify that their instances have received the update and review their routing rules and access logs for signs of unauthorized modification.
CVE-2026-24302: Azure Arc Elevation of Privilege
CVSS: 8.4 | Type: Elevation of Privilege | Exploitation: Active
Azure Arc enables organizations to manage on-premises, multi-cloud, and edge infrastructure through the Azure control plane. CVE-2026-24302 allows an authenticated attacker with low-privilege access to an Azure Arc-connected machine to escalate to SYSTEM/root privileges through the Azure Connected Machine Agent.
The vulnerability exists in how the agent processes extension installation commands. An attacker with local access to an Arc-connected machine can craft a malicious extension installation request that executes arbitrary code with SYSTEM privileges. This is being exploited as part of post-compromise lateral movement chains, where attackers who have already gained initial access to a network target Azure Arc-connected machines to escalate privileges and establish persistent access.
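Both of the Azure zero-days above end in a control-plane change that leaves a trace: CVE-2026-24300 in edited Front Door routing or custom-domain configuration, CVE-2026-24302 in an extension installation on an Arc-connected machine. The script below is an added example (not Microsoft's tooling and not from this article) that reviews an exported Azure Activity Log for exactly those writes, covering the log review recommended for Front Door as well as Arc extension activity. It assumes the record shape that `az monitor activity-log list -o json` produces (`operationName.value`, `status.value`, `caller`, `eventTimestamp`, `resourceId`); the resource-provider operation names and the approved-caller list are assumptions to confirm against your own tenant, and the log records are constructed.

```python
"""Flag successful control-plane writes against Azure Front Door and Azure Arc
resources in an exported Azure Activity Log (a JSON array of event records).

Added example for this article; not Microsoft's tooling. The operation names
below are assumed representative names for the Microsoft.Cdn (Front Door
Standard/Premium) and Microsoft.HybridCompute (Arc) providers: verify them
against an export from your own tenant before relying on the output.
"""
import json
from datetime import datetime, timezone

# Lower-cased operationName.value -> human-readable description (assumed names).
WATCHED_OPERATIONS = {
    "microsoft.cdn/profiles/afdendpoints/routes/write": "Front Door route changed",
    "microsoft.cdn/profiles/afdendpoints/routes/delete": "Front Door route deleted",
    "microsoft.cdn/profiles/customdomains/write": "Front Door custom domain changed",
    "microsoft.cdn/profiles/origingroups/origins/write": "Front Door origin changed",
    "microsoft.hybridcompute/machines/extensions/write": "Arc extension installed/updated",
}

# Identities expected to make these changes (deployment pipeline etc.).
# Constructed placeholder; replace with your own allow-list.
APPROVED_CALLERS = {"deploy-pipeline@example.com"}


def parse_ts(s):
    """Parse an Activity Log timestamp ('2026-02-12T01:00:00.0000000Z').
    Python's fromisoformat wants at most 6 fractional digits, so truncate."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def load_activity_log(path):
    """Read the JSON array written by `az monitor activity-log list -o json`."""
    with open(path) as f:
        return json.load(f)


def find_suspicious_writes(events, since):
    """Return watched operations that succeeded at or after `since` and were
    not performed by an approved caller, oldest first."""
    findings = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if op not in WATCHED_OPERATIONS:
            continue
        if ev.get("status", {}).get("value", "").lower() != "succeeded":
            continue  # failed attempts are worth a look too, but are not config changes
        ts = parse_ts(ev["eventTimestamp"])
        if ts < since:
            continue
        caller = ev.get("caller", "<unknown>")
        if caller in APPROVED_CALLERS:
            continue
        findings.append({"time": ts.isoformat(), "caller": caller,
                         "what": WATCHED_OPERATIONS[op],
                         "resource": ev.get("resourceId", "")})
    findings.sort(key=lambda f: f["time"])
    return findings


# Constructed sample records (not a real tenant's log); <sub> is a placeholder.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2026-02-09T08:00:00.0000000Z", "caller": "app-id-constructed-0001",
     "operationName": {"value": "Microsoft.Cdn/profiles/afdendpoints/routes/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-web/providers/Microsoft.Cdn/profiles/afd-prod/afdendpoints/ep-prod/routes/default"},
    {"eventTimestamp": "2026-02-12T01:00:00.0000000Z", "caller": "app-id-constructed-0001",
     "operationName": {"value": "Microsoft.Cdn/profiles/afdendpoints/routes/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-web/providers/Microsoft.Cdn/profiles/afd-prod/afdendpoints/ep-prod/routes/default"},
    {"eventTimestamp": "2026-02-12T02:00:00.0000000Z", "caller": "deploy-pipeline@example.com",
     "operationName": {"value": "Microsoft.Cdn/profiles/customdomains/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-web/providers/Microsoft.Cdn/profiles/afd-prod/customdomains/www-example-com"},
    {"eventTimestamp": "2026-02-12T03:00:00.0000000Z", "caller": "app-id-constructed-0001",
     "operationName": {"value": "Microsoft.Cdn/profiles/afdendpoints/routes/write"},
     "status": {"value": "Failed"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-web/providers/Microsoft.Cdn/profiles/afd-prod/afdendpoints/ep-prod/routes/default"},
    {"eventTimestamp": "2026-02-12T04:00:00.0000000Z", "caller": "svc-constructed@example.com",
     "operationName": {"value": "Microsoft.HybridCompute/machines/extensions/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-hybrid/providers/Microsoft.HybridCompute/machines/arc-host-01/extensions/ext-constructed"},
]


def audit_sample():
    """Run the check over the constructed records, looking back to Patch Tuesday."""
    return find_suspicious_writes(SAMPLE_EVENTS, datetime(2026, 2, 11, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['time']}  {f['what']:32}  by {f['caller']}  on {f['resource']}")
```

Of the five constructed records, two are reported: the route rewrite on 12 February by an unrecognised application identity and the Arc extension write by an unrecognised service account. The earlier route write falls outside the review window, the custom-domain change came from the approved pipeline, and the failed write changed nothing (though a burst of failed writes from one caller is itself worth alerting on). Point `load_activity_log` at a real export and widen `since` to cover the period before the patch landed, since an attacker who already held access has no reason to wait for Patch Tuesday.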
CVE-2026-21519: Desktop Window Manager Elevation of Privilege
CVSS: 7.8 | Type: Elevation of Privilege | Exploitation: Active
The Desktop Window Manager (DWM) is a Windows system service responsible for rendering the visual elements of the desktop. CVE-2026-21519 is a use-after-free vulnerability in DWM that allows a local attacker to escalate from standard user to SYSTEM privileges.
DWM runs as a SYSTEM process on every Windows desktop and server installation with a GUI. The vulnerability is triggered by a specific sequence of window manipulation API calls that cause DWM to reference freed memory. Exploitation is reliable and has been observed in the wild as part of multi-stage attack chains where attackers use it to escalate privileges after initial code execution through a browser exploit or phishing payload.
Full Severity Breakdown
| CVE | Component | CVSS | Type | Exploited |
|---|---|---|---|---|
| CVE-2026-24300 | Azure Front Door | 9.8 | Elevation of Privilege | Yes |
| CVE-2026-24302 | Azure Arc | 8.4 | Elevation of Privilege | Yes |
| CVE-2026-21510 | Windows SmartScreen | 8.1 | Security Feature Bypass | Yes |
| CVE-2026-21514 | Microsoft Word | 7.8 | Security Feature Bypass | Yes |
| CVE-2026-21519 | Desktop Window Manager | 7.8 | Elevation of Privilege | Yes |
| CVE-2026-21513 | MSHTML / IE Engine | 7.5 | Security Feature Bypass | Yes |
Patch Prioritization Guidance
Not all 54 CVEs need to be patched simultaneously, but the zero-days demand immediate action. Here is a practical prioritization framework for this month's release.
Tier 1: Patch within 24 hours
- CVE-2026-24300 (Azure Front Door). CVSS 9.8, actively exploited, unauthenticated, network-accessible. If you use Azure Front Door with custom domains, verify that Microsoft's server-side patch has been applied and review your configurations immediately
- CVE-2026-21510 (SmartScreen bypass). Actively exploited in phishing campaigns. Every Windows endpoint is a potential target. Deploy this patch to all workstations and servers as the top priority for your endpoint fleet
- CVE-2026-21514 (Word Protected View bypass). Actively exploited, bypasses a critical defense layer. Especially important for organizations where employees regularly receive external documents
Tier 2: Patch within 72 hours
- CVE-2026-21513 (MSHTML bypass). Actively exploited but requires more specific conditions. Prioritize systems running Outlook and Office in environments that process external email
- CVE-2026-24302 (Azure Arc EoP). Requires local access for exploitation, so it is a post-compromise escalation vector. Patch Arc-connected machines, especially those in DMZs or perimeter networks
- CVE-2026-21519 (DWM EoP). Local privilege escalation, actively exploited. Important for all Windows desktops and GUI-enabled servers
- Remaining Critical-rated CVEs. Patch all 8 Critical-severity CVEs within this window even if they are not yet confirmed as actively exploited
Tier 3: Patch within standard cycle (7-14 days)
- High-severity CVEs. Address the remaining 38 High-severity CVEs through your standard patch cycle
- Medium-severity CVEs. These carry lower risk but should still be deployed within your normal maintenance windows
Special note on Azure Front Door: Unlike endpoint patches that you deploy yourself, CVE-2026-24300 requires action on both Microsoft's side (server-side patch to the Azure Front Door service) and your side (reviewing custom domain configurations, rotating any exposed credentials, and auditing routing rules for unauthorized changes). Do not assume the server-side patch alone is sufficient.
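The tiering above can be turned into a repeatable worklist rather than a judgement call made afresh every month. The script below is an added example (not the author's or Microsoft's tooling) that encodes the framework as rules and computes a deadline per CVE from the release date. The rules are my reading of the guidance: an actively exploited CVE that is reachable remotely (phishing or network) with CVSS 7.8 or above goes to Tier 1; any other exploited CVE, and every Critical-rated CVE, goes to Tier 2; everything else to Tier 3, with 14 days as the outer limit of the standard cycle. The `local_only` flags follow the article's descriptions (Azure Arc and DWM need local access; the other four are delivered remotely), the per-CVE Microsoft severity ratings are not given in the article and are assumed from the CVSS band, and the two extra rows are constructed placeholders standing in for the non-zero-day CVEs.

```python
"""Build a prioritised patch worklist from a Patch Tuesday release using the
three-tier framework in this article (24 hours / 72 hours / 7-14 days).

Added example for this article; the tier rules are one reading of its guidance,
not a Microsoft or industry standard, and the non-zero-day rows are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RELEASE_DATE = date(2026, 2, 11)   # February 2026 Patch Tuesday
SLA_DAYS = {1: 1, 2: 3, 3: 14}     # outer limit of each tier's window, in days

# Remote, exploited CVEs at or above this score reproduce the article's Tier 1
# (SmartScreen 8.1 and Word 7.8 in, MSHTML 7.5 out). Tune it for your own estate.
TIER1_MIN_CVSS = 7.8


@dataclass
class Cve:
    cve_id: str
    component: str
    cvss: float
    severity: str      # Microsoft rating: Critical / High / Medium (assumed below)
    vuln_type: str
    exploited: bool    # actively exploited at release
    local_only: bool   # needs prior code execution or local access (from the article's text)


def assign_tier(c: Cve) -> int:
    if c.exploited and not c.local_only and c.cvss >= TIER1_MIN_CVSS:
        return 1   # exploited and reachable by phishing or network: 24 hours
    if c.exploited or c.severity == "Critical":
        return 2   # post-compromise escalation, narrower conditions, or Critical: 72 hours
    return 3       # standard cycle


def build_worklist(cves, release=RELEASE_DATE):
    """Return one row per CVE with its tier and deadline, most urgent first."""
    rows = []
    for c in cves:
        tier = assign_tier(c)
        rows.append({
            "cve": c.cve_id, "component": c.component, "cvss": c.cvss, "tier": tier,
            "deadline": (release + timedelta(days=SLA_DAYS[tier])).isoformat(),
        })
    return sorted(rows, key=lambda r: (r["tier"], -r["cvss"]))


# The six zero-days from the article's table; severity ratings assumed from CVSS band.
FEBRUARY_2026 = [
    Cve("CVE-2026-24300", "Azure Front Door", 9.8, "Critical", "Elevation of Privilege", True, False),
    Cve("CVE-2026-24302", "Azure Arc", 8.4, "High", "Elevation of Privilege", True, True),
    Cve("CVE-2026-21510", "Windows SmartScreen", 8.1, "High", "Security Feature Bypass", True, False),
    Cve("CVE-2026-21514", "Microsoft Word", 7.8, "High", "Security Feature Bypass", True, False),
    Cve("CVE-2026-21519", "Desktop Window Manager", 7.8, "High", "Elevation of Privilege", True, True),
    Cve("CVE-2026-21513", "MSHTML / IE Engine", 7.5, "High", "Security Feature Bypass", True, False),
    # Constructed placeholders for the remaining, non-exploited CVEs in the release.
    Cve("CVE-2026-PLACEHOLDER-1", "constructed example", 9.1, "Critical", "Remote Code Execution", False, False),
    Cve("CVE-2026-PLACEHOLDER-2", "constructed example", 7.5, "High", "Information Disclosure", False, False),
]


def sample_worklist():
    return build_worklist(FEBRUARY_2026)


if __name__ == "__main__":
    for r in sample_worklist():
        print(f"Tier {r['tier']}  due {r['deadline']}  {r['cve']:26} {r['cvss']:4}  {r['component']}")
```

Run against the constructed release, the worklist reproduces the article's tiers: Azure Front Door, SmartScreen and Word are due 12 February; MSHTML, Azure Arc, DWM and the Critical placeholder are due 14 February; the High placeholder falls into the standard cycle. Feed it a CSV of the month's release and the `local_only` column is the only field that still needs an analyst's reading of each advisory.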
The Bigger Picture: Why This Patch Tuesday Matters
Six zero-days in a single Patch Tuesday is significant, but the pattern is more concerning than the individual number. Looking at the last 12 months of Patch Tuesdays, Microsoft has disclosed 47 actively exploited zero-days. That is nearly one per week on average. The era where organizations could rely on monthly patching as an adequate cadence is over.
Three of the six zero-days are security feature bypasses
This is a trend worth highlighting. Attackers are not just finding new vulnerabilities. They are specifically targeting the security mechanisms that defenders rely on: SmartScreen, Protected View, and MSHTML zone restrictions. These are the controls that security teams point to when they say "even if a phishing email gets through, our defenses will catch it." When these controls are bypassed, the entire defense-in-depth model weakens.
Cloud infrastructure under active attack
CVE-2026-24300 (Azure Front Door) and CVE-2026-24302 (Azure Arc) represent the continued expansion of attack surfaces into cloud infrastructure. Azure Front Door sits in front of web applications as a global reverse proxy. A compromise at this layer potentially affects every application behind it. Azure Arc extends the attack surface to hybrid environments, giving attackers a bridge between cloud and on-premises infrastructure.
Organizations that have migrated to the cloud expecting improved security posture need to reckon with the reality that cloud infrastructure introduces new categories of critical vulnerabilities that did not exist in purely on-premises environments.
What This Means for Your Vulnerability Management Program
If your organization is still operating on a monthly patch cycle with no interim monitoring, you are leaving yourself exposed to zero-days for an average of 15 days per vulnerability. When attackers have working exploits on day one, that window is unacceptable.
Recommendations
- Implement continuous attack surface monitoring. You need real-time visibility into what is exposed and what is vulnerable. Waiting for a monthly scan is not sufficient when zero-days drop every week
- Establish an emergency patching process. You should be able to deploy critical patches to all endpoints within 24 hours of release, not 30 days. This requires testing infrastructure, automated deployment, and clear escalation procedures
- Layer your defenses. When SmartScreen and Protected View are bypassed, what is your next line of defense? EDR, application whitelisting, network segmentation, and privilege management all reduce the impact of security feature bypasses
- Validate your defenses with penetration testing. Automated scanning tells you what patches are missing. A penetration test tells you what an attacker can do with those gaps. The combination of scanning and testing is the only way to understand your actual risk
- Audit your cloud configurations. Vulnerabilities like CVE-2026-24300 affect services that organizations often treat as managed infrastructure. Review your Azure, AWS, and GCP configurations for misconfigurations, overly permissive access, and unmonitored changes
The pattern is clear: Zero-days are not rare events anymore. They are a regular occurrence that your security program must be designed to handle. If your current patch management process cannot deploy critical updates within 24 hours, that gap is a known risk that you need to address.
Need help managing your attack surface?
Lorikeet Security's continuous attack surface monitoring identifies vulnerabilities across your entire infrastructure as soon as they are disclosed. Combine it with regular penetration testing for complete coverage.