- February 11, 2026
Critical Vulnerabilities in Microsoft Windows and Office Under Active Widespread Exploitation (CVE-2026-21510)
Executive Summary
Microsoft's February 2026 Patch Tuesday addresses several critical security vulnerabilities, with six zero-day flaws reported as actively exploited in the wild before patches were made available to the public. The disclosed vulnerabilities affect built-in Windows components including Windows Shell, MSHTML, Microsoft Word, Windows Notepad, Desktop Window Manager, Remote Desktop Services, and Remote Access Connection Manager.
These zero-day flaws enable attackers to bypass security features and potentially trick users into executing malicious code with minimal user interaction, through phishing attacks and other social engineering methods.
With exploitation campaigns widespread and public proof-of-concept code circulating, Beazley Security strongly recommends organizations patch these vulnerabilities immediately.
Affected Systems or Products
| Affected Product | MS CVE Advisory | CVSS Score |
|---|---|---|
| Windows Shell | | 8.8 |
| MSHTML Platform | | 8.8 |
| Microsoft Word | | 7.8 |
| Desktop Window Manager | | 7.8 |
| Remote Desktop Services | | 7.8 |
| Remote Access Connection Manager | | 6.2 |
*This table does not include all vulnerabilities from Microsoft’s February Patch Tuesday disclosure but highlights critical flaws either under active or imminent exploitation.
A comprehensive list of vulnerability disclosures can be found via Microsoft’s Security Update Guide.
Mitigations / Workarounds
Beazley Security strongly recommends applying February 2026 updates as soon as possible to help protect affected systems. Additionally, the following steps can be taken to help reduce risk:
- Restrict user privileges on endpoints to limit impact of privilege escalation
- Monitor for suspicious activity across endpoints and ensure endpoint protection defenses are up to date
- Screen email attachments with secure email gateways and other file-sharing systems for malicious files and links
Patches
Affected organizations should accelerate deployment of February 2026 security updates to their environments, prioritizing CVEs known to be under active exploitation as listed in the “Affected Systems or Products” section above.
A comprehensive list of fixes can be found by reviewing Microsoft’s Patch Tuesday release notes.
Technical Details
Of the six zero-days reported to be under active exploitation, the three with the highest CVSS scores are:
- CVE-2026-21510 (8.8) – Affects the Windows Shell. Threat actors who successfully lure targeted users into clicking on a malicious link could bypass Microsoft SmartScreen to install malware.
- CVE-2026-21513 (8.8) – Affects the MSHTML framework. Threat actors who successfully lure targeted users into clicking on a malicious HTML or LNK file could bypass Microsoft security features to install malware.
- CVE-2026-21514 (7.8) – Affects Microsoft 365 and Microsoft Office. Threat actors who successfully lure targeted users into opening a malicious Office file could bypass security mitigations to install malware.
Of those three, CVE-2026-21510 is reported by Google Threat Intelligence to be “under widespread, active exploitation”. All three require user interaction, and the nature of each vulnerability strongly indicates that the current exploit waves are phishing or malicious email campaigns.
These vulnerabilities are particularly dangerous because threat actors are likely to weaponize them for phishing and social engineering attacks. Their “one click” exploitability through malicious links or attachments makes them ideal for large-scale phishing and malware delivery campaigns that target users within enterprise environments.
How Beazley Security is responding
Beazley Security is monitoring and conducting threat hunts across MDR environments to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by these attacks and need support, please contact our Incident Response team.