Microsoft Patch Tuesday Aftermath: 6 Zero-Days Under Fire and the "Silent Click" Threat
By Hacklido News Desk February 19, 2026
The February 2026 Patch Tuesday cycle has left sysadmins and red teams alike dissecting a particularly aggressive set of vulnerabilities. Microsoft addressed 59 flaws this month, but the spotlight is firmly on six zero-day vulnerabilities confirmed to be under active exploitation in the wild.
The common theme? Taking the human out of the loop. Half of these zero-days suppress the security prompts that normally give users a "second chance" before a compromise.
1. The "Silent Execution" Trio (Security Feature Bypasses)
Three of the zero-days (all carrying a CVSS of 8.8) focus on neutralizing the Mark-of-the-Web (MoTW) and SmartScreen protections. By exploiting these, attackers can execute malicious payloads the moment a user clicks a link or shortcut—no "Are you sure?" pop-ups required.
- CVE-2026-21510 (Windows Shell): Exploits improper metadata validation in Windows Shell. Attackers craft malicious .lnk (shortcut) files that trick the OS into treating them as trusted local files, bypassing SmartScreen entirely.
- CVE-2026-21513 (MSHTML Framework): Targets the "zombie" Trident engine still embedded in Windows for Office and Explorer compatibility. It allows attackers to launder malicious files through HTML content, stripping away security warnings.
- CVE-2026-21514 (Microsoft Word): A bypass of Object Linking & Embedding (OLE) mitigations. Malicious Word documents can execute vulnerable COM/OLE controls without user consent, effectively turning a "Read-Only" preview into an active infection vector.
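Shortcuts are the carrier in the Windows Shell bypass above, so the first thing a responder wants is a way to look inside a .lnk without double-clicking it. The script below is an added example for this article, not code from Hacklido, Microsoft or any vendor named here, and it does not detect CVE-2026-21510 itself: it parses the documented Shell Link layout (MS-SHLLINK) and applies illustrative triage heuristics. The launcher list, the argument markers and the minimised-window check are assumptions, and real shortcuts often carry their target only in the LinkTargetIDList, which this example skips, so it relies on the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings.

```python
"""Triage Windows .lnk (Shell Link) files: extract the target path, arguments
and ShowCommand, then flag shortcuts that launch script hosts or shells.

Added example for this article, not code from Hacklido or Microsoft. Layout
follows MS-SHLLINK: 76-byte header, optional LinkTargetIDList and LinkInfo
(skipped via their size fields), then the StringData block. The launcher list
and argument markers are illustrative assumptions, not a complete rule set.
"""
import struct
import uuid

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
SW_SHOWMINNOACTIVE = 7  # window starts minimised: common in malicious shortcuts

# Assumption: launchers frequently abused by malicious shortcuts (illustrative).
SUSPICIOUS_LAUNCHERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                        "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
ARGUMENT_MARKERS = ("-enc", "frombase64string", "iex", "invoke-expression",
                    "http://", "https://", "mshta", "bitsadmin", "curl ")


def _read_string(data, pos, is_unicode):
    """Read one StringData entry: u16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        return data[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return the link's flags, ShowCommand and whichever StringData fields exist."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_raw) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) + ItemIDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) covers the block
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"flags": flags, "show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return info


def triage_lnk(data):
    """Return a list of findings for one shortcut; empty means nothing matched."""
    info = parse_lnk(data)
    findings = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    if any(target.endswith(name) for name in SUSPICIOUS_LAUNCHERS):
        findings.append(f"target is a script host or shell: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (ShowCommand=7)")
    if len(args) > 200:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    for marker in ARGUMENT_MARKERS:
        if marker in args.lower():
            findings.append(f"argument marker: {marker.strip()}")
    return findings


def build_sample_lnk(relative_path, arguments, show_command=1):
    """Constructed fixture: a minimal Unicode Shell Link with no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID.bytes_le, flags)
    header += b"\x00" * 36                     # FileAttributes, 3 FILETIMEs, FileSize, IconIndex
    header += struct.pack("<I", show_command)  # ShowCommand sits at offset 0x3C
    header += b"\x00" * 12                     # HotKey and reserved fields
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    # Constructed sample: a shortcut running PowerShell hidden with an encoded command.
    sample = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "-w hidden -nop -enc SQBFAFgA", SW_SHOWMINNOACTIVE)
    for finding in triage_lnk(sample):
        print("[!]", finding)
```

Run it against a quarantined attachment or a Downloads folder sweep; anything that returns findings deserves a look at the Zone.Identifier stream and at the host that wrote the file before anyone opens it.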
2. Privilege Escalation: The "Second Stage" God-Mode
While the bypasses get the foot in the door, the remaining zero-days are being used for persistence and full system takeover.
- CVE-2026-21533 (Windows Remote Desktop Services): Reported by CrowdStrike, this flaw lets a local user modify service configuration keys. By replacing them with attacker-controlled values, that user can escalate to SYSTEM and add new accounts to the Administrators group.
- CVE-2026-21519 (Desktop Window Manager): A type confusion flaw in the DWM process. It allows local attackers with low privileges to reach SYSTEM status. This is the second month in a row DWM has been targeted, suggesting a specific campaign aimed at the Windows GUI core.
- CVE-2026-21525 (RasMan DoS): A null pointer dereference in the Remote Access Connection Manager. While technically a Denial of Service (DoS) flaw, it is being used strategically to crash VPN connections, pushing endpoints into whichever failure mode their VPN policy dictates (fail open leaves traffic unprotected, fail closed cuts the host off) and disrupting remote management during an attack.
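The post-exploitation tell in the RDS case above is ordinary telemetry: a new local account followed almost immediately by membership in Administrators. The correlation below is an added example, not code from the article, CrowdStrike or Microsoft. The event records are constructed to mirror the EventData fields of Security log events 4720 (user account created) and 4732 (member added to a security-enabled local group); S-1-5-32-544 is the well-known SID of the built-in Administrators group, and the ten-minute window is an assumed tuning value.

```python
"""Correlate account creation with membership in local Administrators.

Added example, not from the article or any vendor. SAMPLE_EVENTS is constructed
to resemble Security events 4720 and 4732 after export to JSON; a real pipeline
would map these names from the SIEM schema. The correlation window is an
assumption to tune per environment.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"          # built-in Administrators group
EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2026-02-18T09:00:00", "SubjectUserName": "jdoe",
     "Computer": "WS-017"},
    {"EventID": 4720, "Time": "2026-02-18T09:03:10", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_rds", "TargetSid": "S-1-5-21-1-2-3-1105",
     "Computer": "WS-017"},
    {"EventID": 4732, "Time": "2026-02-18T09:03:12", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": "S-1-5-21-1-2-3-1105", "Computer": "WS-017"},
    # Routine helpdesk work: account created, added hours later to Users, not Administrators.
    {"EventID": 4720, "Time": "2026-02-18T11:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "temp01", "TargetSid": "S-1-5-21-1-2-3-1106",
     "Computer": "WS-017"},
    {"EventID": 4732, "Time": "2026-02-18T15:30:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "Users", "TargetSid": "S-1-5-32-545",
     "MemberSid": "S-1-5-21-1-2-3-1106", "Computer": "WS-017"},
]


def find_admin_escalations(events, window=timedelta(minutes=10)):
    """Return one alert per member added to local Administrators; severity is
    raised to high when that account was created on the same host within the window."""
    created = {}   # (computer, account SID) -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == EVENT_ACCOUNT_CREATED:
            created[(ev["Computer"], ev["TargetSid"])] = (when, ev["SubjectUserName"])
        elif (ev["EventID"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
              and ev["TargetSid"] == ADMINISTRATORS_SID):
            alert = {"computer": ev["Computer"], "subject": ev["SubjectUserName"],
                     "member_sid": ev["MemberSid"], "time": ev["Time"],
                     "severity": "medium",
                     "reason": "member added to local Administrators"}
            hit = created.get((ev["Computer"], ev["MemberSid"]))
            if hit is not None and timedelta(0) <= when - hit[0] <= window:
                gap = int((when - hit[0]).total_seconds())
                alert["severity"] = "high"
                alert["reason"] = (f"account created by {hit[1]} at {hit[0].isoformat()} "
                                   f"and added to Administrators {gap}s later")
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_admin_escalations(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['computer']} {alert['time']} "
              f"by {alert['subject']}: {alert['reason']}")
```

Any addition to Administrators stays a medium finding on its own, because the RDS flaw described above does not require a new account; the high tier simply catches the create-then-elevate pattern the article attributes to it.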
The "ClickFix" Campaign Connection
Intelligence from Huntress and Mandiant suggests these zero-days are being integrated into a campaign tracked as KongTuke. This actor uses "ClickFix" (or CrashFix) social engineering—convincing users to click "Fix" buttons on fake browser error pages—to deliver a new Remote Access Trojan (RAT) named ModeloRAT. By using the Shell and MSHTML bypasses, the malware installs silently in the background while the user thinks they are "fixing" their browser.
Hacklido’s Take: The Death of the "Are You Sure?" Prompt
For the Hacklido community, the technical takeaway is the erosion of user interaction (the "UI" metric in a CVSS score) as a security boundary.
- MoTW is Leaking: The reliance on "Mark-of-the-Web" tags is failing as attackers find new ways to "launder" files through the Shell and MSHTML.
- Legacy Debt: MSHTML (IE's ghost) continues to be the #1 target for initial access. If your environment doesn't strictly need it, it’s a liability.
- Local is the New Remote: The surge in Elevation of Privilege (EoP) zero-days shows that once an attacker has a "low-user" foothold, the jump to SYSTEM is becoming trivial.
Stay ahead. Stay dangerous.
Team Hacklido ❤️
Join our Community – https://t.me/hacklido