Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

By NextTech | February 12, 2026

Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.

Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).

It's worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could allow an unauthorized attacker to perform spoofing over a network by taking advantage of a “user interface misrepresentation of critical information.”

Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited:

  • CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
  • CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
  • CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
  • CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
  • CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
  • CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.

Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which have been listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, and if they were weaponized as part of the same campaign.

“CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” Jack Bicer, director of vulnerability research at Action1, said. “It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”

Satnam Narang, senior staff research engineer at Tenable, said CVE-2026-21513 and CVE-2026-21514 bear a “lot of similarities” to CVE-2026-21510, the main difference being that CVE-2026-21513 can also be exploited using an HTML file, while CVE-2026-21514 can only be exploited using a Microsoft Office file.

As for CVE-2026-21525, it's linked to a zero-day that ACROS Security’s 0patch service said it discovered in December 2025 while investigating another related flaw in the same component (CVE-2025-59230).

“These [CVE-2026-21519 and CVE-2026-21533] are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News via email. “This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system.”

“Once on the host, the attacker can use these escalation vulnerabilities to elevate privileges to SYSTEM. With this level of access, a threat actor could disable security tooling, deploy additional malware, or, in worst-case scenarios, access secrets or credentials that could lead to full domain compromise.”

Cybersecurity vendor CrowdStrike, which has been acknowledged for reporting CVE-2026-21533, said it does not attribute the exploitation activity to a specific adversary, but noted that threat actors in possession of the exploit binaries will likely ramp up their efforts to use or sell them in the near term.

“The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told The Hacker News in an emailed statement.
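
A defender-side sketch of how the behaviour described above could be hunted for, added here as an example and not taken from CrowdStrike, Microsoft or the original report: it flags hosts where a change under the registry Services hive is followed shortly by an addition to the built-in Administrators group. The article does not name the affected key, so any Services key counts; the record field names, host names, `ExampleSvc` and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # built-in Administrators group
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed sample records, not real telemetry. Field names are hypothetical;
# ids follow Windows Security events 4657 (registry value modified) and
# 4732 (member added to a security-enabled local group).
SVC = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc"
EVENTS = [
    {"time": "2026-02-11T09:00:05", "host": "ws-01", "id": 4657, "user": "alice", "object": SVC},
    {"time": "2026-02-11T09:00:30", "host": "ws-01", "id": 4657, "user": "alice",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Example"},
    {"time": "2026-02-11T09:01:40", "host": "ws-01", "id": 4732,
     "group_sid": ADMINS_SID, "member": r"ws-01\newadmin"},
    {"time": "2026-02-11T09:10:00", "host": "ws-02", "id": 4657, "user": "bob", "object": SVC},
    {"time": "2026-02-11T09:11:00", "host": "ws-02", "id": 4732,
     "group_sid": "S-1-5-32-545", "member": r"ws-02\guest2"},
    {"time": "2026-02-11T09:15:00", "host": "ws-03", "id": 4732,
     "group_sid": ADMINS_SID, "member": r"ws-03\helpdesk"},
    {"time": "2026-02-11T08:00:00", "host": "ws-04", "id": 4657, "user": "carol", "object": SVC},
    {"time": "2026-02-11T10:30:00", "host": "ws-04", "id": 4732,
     "group_sid": ADMINS_SID, "member": r"ws-04\temp"},
]

def is_service_key(path):
    """True for any key below HKLM\\SYSTEM\\<control set>\\Services."""
    p = path.lower()
    return p.startswith("\\registry\\machine\\system\\") and "\\services\\" in p

def correlate(events, window=WINDOW):
    """Pair each Administrators-group add with earlier service-key changes on the same host."""
    hits, changes = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4657 and is_service_key(ev["object"]):
            changes.setdefault(ev["host"], []).append((when, ev))
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            for changed_at, change in changes.get(ev["host"], []):
                if timedelta(0) <= when - changed_at <= window:
                    hits.append({"host": ev["host"], "key": change["object"],
                                 "changed_by": change["user"], "member": ev["member"],
                                 "gap_seconds": int((when - changed_at).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Both event types are only logged when the corresponding audit policy (and, for 4657, a SACL on the key) is enabled, so an empty result does not by itself mean a host is clean.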

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 3, 2026.

The update also coincides with Microsoft rolling out updated Secure Boot certificates to replace the original 2011 certificates that will expire in late June 2026. The new certificates will be installed through the regular monthly Windows update process without any additional action.

“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” the tech giant said. “However, the system will enter a degraded security state that limits its ability to receive future boot-level protections.”

“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”

In tandem, the company said it's also strengthening default protections in Windows through two security initiatives, Windows Baseline Security Mode and User Transparency and Consent. The updates come under the purview of the Secure Future Initiative and Windows Resiliency Initiative.

“With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default,” it noted. “These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes.”

User Transparency and Consent, analogous to Apple macOS Transparency, Consent, and Control (TCC) framework, aims to introduce a consistent approach to handling security decisions. The operating system will prompt users when apps try to access sensitive resources, such as files, the camera, or the microphone, or when they attempt to install other unintended software.

“These prompts are designed to be clear and actionable, and you'll always have the ability to review and change your choices later,” Logan Iyer, Distinguished Engineer at Microsoft, said. “Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.”
