Microsoft on Tuesday released a security update that addresses 59 flaws across its software. This includes six vulnerabilities that are said to have been actually exploited.
Of the 59 deficiencies, 5 are rated as ‘severe’, 52 are rated as ‘important’, and 2 are rated as ‘moderate’ severity. 25 of the patched vulnerabilities are classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial of service (3), and cross-site scripting (1).
It’s worth noting that this patch is in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update. Among them is a moderate vulnerability affecting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5), which could allow an unauthorized attacker to perform spoofing on the network by leveraging “misrepresentation of sensitive information in the user interface.”
Topping the list of updates this month are six vulnerabilities reported to be actively exploited.
CVE-2026-21510 (CVSS Score: 8.8) – Failure in the Windows Shell protection mechanism allows an unprivileged attacker to bypass security features via the network. CVE-2026-21513 (CVSS Score: 8.8) – Failure in a protection mechanism in the MSHTML framework allows an unprivileged attacker to bypass security features via the network. CVE-2026-21514 (CVSS Score: 7.8) – Reliance on untrusted input in security decisions in Microsoft Office Word allows an unprivileged attacker to locally bypass security features. CVE-2026-21519 (CVSS score: 7.8) – Accessing resources using incompatible types (“type confusion”) in a desktop window manager allows an authorized attacker to locally escalate privileges. CVE-2026-21525 (CVSS score: 6.2) – Null pointer dereference in Windows Remote Access Connection Manager allows unauthorized attackers to locally cause a denial of service. CVE-2026-21533 (CVSS score: 7.8) – Improper privilege management in Windows Remote Desktop allows an authorized attacker to locally escalate privileges.
Microsoft’s own security team and the Google Threat Intelligence Group (GTIG) are credited with discovering and reporting the first three flaws, which are listed as publicly known at the time of release. At this time, details about how the vulnerability was exploited and whether it was weaponized as part of the same campaign are unknown.
“CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” said Jack Bicer, Director of Vulnerability Research at Action1. “This issue occurs due to a failure in a protection mechanism that allows an attacker to bypass the Run prompt when a user interacts with a malicious file. A crafted file can silently bypass Windows security prompts and cause dangerous actions with a single click.”
Satnam Nanang, senior staff research engineer at Tenable, said CVE-2026-21513 and CVE-2026-21514 have “many similarities” to CVE-2026-21510, but the main difference is that CVE-2026-21513 uses HTML I mentioned that CVE-2026-21514 can only be exploited using a Microsoft file, whereas it can be exploited using a file. office file.
CVE-2026-21525 is related to a zero-day that ACROS Security’s 0patch service announced in December 2025 that it discovered while investigating another related flaw in the same component (CVE-2025-59230).
“these [CVE-2026-21519 and CVE-2026-21533] “This is a local privilege escalation vulnerability, which means the attacker should already have access to a vulnerable host. This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system,” Kev Breen, senior director of cyber threat research at Immersive, told Hacker News in an email.
“Once a host is compromised, an attacker can leverage these escalation vulnerabilities to escalate privileges to SYSTEM. This level of access could allow a threat actor to disable security tools, deploy additional malware, or, in a worst-case scenario, access secrets and credentials that could lead to a domain-wide compromise.”
In response to this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and is requiring Federal Civilian Executive Branch (FCEB) agencies to patch them by March 3, 2026.
This update coincides with Microsoft rolling out updated Secure Boot certificates that will replace the original 2011 certificates that are set to expire in late June 2026. The new certificate will be installed through the normal monthly Windows update process without any additional action.
“If your device does not receive a new Secure Boot certificate before the 2011 certificate expires, your PC will continue to function normally and your existing software will continue to run,” the tech giant said. “However, the device will be placed in a compromised state, limiting its ability to receive future boot-level protections.”
“When new boot-level vulnerabilities are discovered, affected systems become increasingly at risk because new mitigations cannot be installed. Over time, compatibility issues can also arise because new operating systems, firmware, hardware, or software that relies on Secure Boot may not be able to load.”
At the same time, the company said it is also strengthening Windows default protections through two security initiatives: Windows Baseline Security Mode and User Transparency and Consent. This update falls within the scope of the Secure Future Initiative and Windows Resiliency Initiative.
“Windows Baseline Security Mode will cause Windows to operate with runtime integrity protections enabled by default,” the report said. “These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping to protect systems from tampering and unauthorized changes.”
User Transparency and Consent is similar to the Transparency, Consent, and Control (TCC) framework in Apple macOS and aims to introduce a consistent approach to handling security decisions. The operating system displays a message to the user when an app attempts to access sensitive resources such as files, camera, microphone, or install other unintended software.
“These prompts are designed to be clear and actionable, and you can always review and change your selections later,” said Logan Iyer, Distinguished Engineer at Microsoft. “Apps and AI agents are also expected to meet higher transparency standards, giving both users and IT administrators better visibility into their actions.”
Source link
