Microsoft’s Zero-Day Playbook Feb 2026
Microsoft’s Zero-Day Playbook Feb 2026
Microsoft has released its February 2026 Patch Tuesday security updates, resolving 59 vulnerabilities across its product ecosystem. Notably, six of these flaws are zero-day vulnerabilities that are already being actively exploited in the wild.
The Big Picture: Six Zero-Days Under Active Attack!
Think of a zero-day as a secret backdoor that hackers discovered and started using before Microsoft even knew it existed. This month, we have six of them, meaning there are active campaigns out there targeting these very weaknesses.
1. CVE-2026-21510: Windows Shell Bypass
This is a serious vulnerability in the Windows Shell that lets attackers completely bypass Microsoft SmartScreen protections.
SmartScreen is your first line of defense against dodgy downloads and malicious websites. If a hacker can bypass it, they can trick you into running almost anything.
Imagine getting a convincing phishing email. You click a link, and instead of SmartScreen warning you about a suspicious file, it lets the malicious download sail right through, straight onto your machine. Game over.
CVSS Score: 8.8
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510
2. CVE-2026-21513: MSHTML Framework Bypass
A flaw within the old-but-still-around MSHTML framework. This framework is used by various legacy applications and parts of Microsoft Office. The vulnerability allows attackers to break out of security sandboxes.
Sandboxes are like secure playpens for potentially dangerous code. They're supposed to contain threats. When an attacker escapes, they can then roam freely and do damage to your entire system.
Often, these types of flaws are triggered by specially crafted Office documents (think a malicious Word or Excel file). You open it, and behind the scenes, the hacker uses this bug to escape the safe sandbox and install malware or steal data.
CVSS Score: 8.8
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
3. CVE-2026-21514: Microsoft Word OLE Bypass
A vulnerability in Microsoft Word’s handling of "Object Linking and Embedding" (OLE). OLE is the tech that lets you put an Excel chart or a specialized media object directly into a Word document.
Microsoft previously added "mitigations" (security walls) specifically to stop hackers from using OLE to run malicious code. This zero-day finds a hole in those walls, allowing dangerous objects to run without the usual "Enable Content" or "Protected View" warnings
An attacker sends a docx file that looks harmless. Because it bypasses OLE protections, the moment you open the file, it can silently trigger a command to download malware in the background. It turns a document into a silent delivery vehicle.
CVSS Score: 7.8
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514
4. CVE-2026-21519: Desktop Window Manager (DWM) Elevation
This is a "Type Confusion" bug in the Desktop Window Manager (DWM). If exploited, it can grant an attacker SYSTEM privileges on your machine.
"SYSTEM" is the highest level of control on a Windows machine – it's basically God Mode. If an attacker gets SYSTEM privileges, they own your computer entirely. They can install anything, delete anything, and steal anything without you ever knowing.
This is typically a post-exploitation bug. An attacker might first gain a foothold with lower privileges and then use this DWM bug to instantly elevate their access to full administrative control. This is the ultimate prize for a hacker.
CVSS Score: 7.8
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519
5. CVE-2026-21533: Remote Desktop Services (RDS) Elevation
An elevation of privilege flaw in Windows Remote Desktop Services (RDS). It stems from improper privilege management. Basically, the system gets confused about who is allowed to change critical settings.
This is a "Post-Exploitation" dream for hackers. Once they have any access to a server (even a low-level guest account), they can use this bug to modify service configuration keys.
After getting a foothold on a server, a hacker runs a small binary that swaps out a legitimate system key for their own. This allows them to instantly add a brand new user to the Local Administrator group, giving them permanent, high-level access to the entire server network.
CVSS Score: 7.8
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533
6. CVE-2026-21525: Remote Access Connection Manager (RasMan) DoS
A "Null Pointer Dereference" bug in the Remote Access Connection Manager (RasMan). This is the core Windows service that handles your VPN and dial-up connections.
While it doesn't steal data, it's a Denial of Service (DoS) attack. For a remote-first company, crashing RasMan means every single VPN user is instantly disconnected and can't log back in until the service is manually restarted.
How it's likely exploited: A local attacker (even one with Guest privileges) sends a specifically malformed request to the service. The service tries to read a piece of data that doesn't exist (the NULL pointer) and immediately crashes. It’s the digital equivalent of pulling the fire alarm to cause chaos and lock everyone out of the building
CVSS Score: 6.2
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525
Hacklido's Angle: The Phishing to Full Takeover Playbook
It begins with a convincing phishing email. An urgent IT notice, an unpaid invoice or a delivery alert pushes the user to act quickly. Everything looks legitimate.
“You click the link or open the attachment.”
Normally, Windows SmartScreen would warn you before running suspicious files. But this vulnerability allows attackers to bypass those security prompts.The malicious shortcut or file runs quietly, no red flags or no warning pop-ups. [CVE-2026-21510]
“The attacker now has initial access.”
If the payload is disguised as an HTML or Office file, this flaw can bypass “Mark of the Web” protections, allowing the file to escape its restricted environment. [CVE-2026-21513]
“The attacker gains deeper access to the system.”
Finally, using a privilege escalation flaw in Desktop Window Manager, the attacker elevates privileges to SYSTEM, the highest level of control in Windows. [CVE-2026-21519]
“At this stage, they can install backdoors, steal credentials, deploy ransomware, or move across the network.”
See how these vulnerabilities chain together? That's what makes this Patch Tuesday so critical!
Stay safe out there,
The Hacklido Team