Microsoft Patches 6 Windows Zero-Days & 50+ Security Flaws – February 2026 Update

by Rachel Kim – Technology Editor

Microsoft on Saturday released security updates addressing 59 vulnerabilities across its software ecosystem, including a critical set of six actively exploited “zero-day” flaws. The patches cover Windows operating systems and related software, with the most severe vulnerabilities posing immediate risks to users.

One of the zero-day vulnerabilities, CVE-2026-21510, impacts Windows Shell and allows attackers to bypass security features with a single click on a malicious link. This enables the execution of attacker-controlled content without any warning or consent prompts, affecting all supported Windows versions. A related flaw, CVE-2026-21513, targets MSHTML, the rendering engine for web pages in Windows, while CVE-2026-21514 affects Microsoft Word, both presenting security bypass risks.

The updates also address CVE-2026-21533, a vulnerability in Windows Remote Desktop Services that could allow local attackers to gain “SYSTEM” level access – the highest level of privilege on a Windows machine. Another elevation-of-privilege flaw, CVE-2026-21519, was found in the Desktop Window Manager (DWM), a core component responsible for managing windows on the screen. Microsoft issued a fix for a separate DWM vulnerability last month.

A sixth zero-day, CVE-2026-21525, targets the Windows Remote Access Connection Manager, potentially causing denial-of-service disruptions to VPN connections used by corporate networks.

Chris Goettl, a security researcher at Ivanti, noted that Microsoft has been actively releasing out-of-band security updates in recent weeks. On January 17, a fix was released to address a credential prompt failure affecting remote desktop and remote application connections. Another zero-day security bypass in Microsoft Office, CVE-2026-21509, was patched on January 26.

Beyond the zero-days, the February Patch Tuesday also includes fixes for remote code execution vulnerabilities affecting GitHub Copilot and several integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products (CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256). Kev Breen, a researcher at Immersive, explained that these vulnerabilities stem from a command injection flaw triggered by prompt injection – essentially, tricking AI agents into executing unintended code.

“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. He emphasized that while organizations shouldn’t abandon AI tools, they must understand the risks, identify systems with AI access, and implement least-privilege principles to limit potential damage from compromised developer secrets.

The SANS Internet Storm Center has published a detailed breakdown of each fix included in this month’s Patch Tuesday, categorized by severity and CVSS score. Administrators testing patches before widespread deployment are advised to consult askwoody.com for information on potential issues with the updates. Users are also reminded to back up their data before applying the updates.
