
Major Microsoft Update Addresses Half‑Dozen Zero‑Days Already Used in Attacks

Microsoft is rolling out one of its most significant security updates of the year, closing six zero-day vulnerabilities that attackers were already exploiting in the wild. The latest Windows and cloud patches arrive as exploit activity grows and defenders race to keep up with a steady flow of bugs in core Microsoft platforms.

The February security release fixes dozens of flaws across Windows, Office and Azure, including vulnerabilities in Windows Shell and Windows Remote Access Connection Manager that had become attractive targets for phishing and targeted attacks. For anyone running Microsoft systems at home or in a business, this update cycle is less about routine maintenance and more about cutting off active intrusion paths.

The scale of February's Patch Tuesday

Microsoft's February Patch Tuesday is large by any standard, with reports putting the total at either 54 CVEs or 58 vulnerabilities, depending on how related issues are counted. What matters for defenders is that six of those bugs are zero-days that attackers had already folded into real-world campaigns before patches were available. That mix of volume and urgency turns a regular monthly release into a high-priority event for security teams.

Several analyses describe the February drop as part of a pattern in which Microsoft Patch Tuesday now routinely includes multiple in-the-wild exploits, not just theoretical lab discoveries. One breakdown of the February package is headlined "Six Zero Days, 58 flaws Patched Amid Growing Exploit Activity," while another notes that the February release addresses zero-day exploits across desktop and server products. Taken together, those assessments signal that Microsoft is dealing with live fire, not hypothetical scenarios, and that patching speed now directly tracks with risk exposure.

Six zero-days under active attack

The headline risk in this cycle is the cluster of six exploited zero-days, which span Windows Shell, Windows Remote Access Connection Manager and other core components. One of the most visible is CVE-2026-21510, a security feature bypass in Windows Shell that lets an attacker sidestep protections and run code with fewer obstacles. Another bug, CVE-2026-21525, hits Windows Remote Access Connection Manager and carries a CVSS rating of 6.2. That score might sound mid-range, but a remote connectivity service that often sits close to sensitive networks is a serious place for any exploitable flaw, and a CVSS number does not account for the fact that this one is already being used.

Microsoft has confirmed that all six zero-days were under active exploitation, and independent write-ups of the six actively exploited bugs describe a mix of privilege escalation and security feature bypass flaws that attackers chained with phishing and browser exploits. One analysis of the February drop notes that these six zero-days were already the subject of coordinated defensive analysis across vendors, which suggests that detection teams had begun to see common attacker tradecraft emerge around them. From my perspective, that makes prompt patching non-negotiable, especially on internet-facing systems and laptops that leave the office.

Windows Shell and shortcut-based attacks

One of the more worrying bugs for everyday users sits in Windows Shell, where the security feature bypass tracked as CVE-2026-21510 allows unauthorised code execution. Reports describe how this flaw lets an attacker manipulate how Windows Shell handles certain content, turning what should be a routine interaction with files or links into a silent compromise. Because Windows Shell underpins the desktop, File Explorer and many context menus, a successful exploit can give attackers a foothold without obvious warning signs for the person at the keyboard.

Researchers have also drawn attention to how .lnk shortcut files can be abused alongside these bugs, since Windows often treats those shortcuts as trusted pointers to documents or apps, while the shortcut itself carries a target path and command-line arguments that the user never sees. A phishing email that includes a shortcut to a supposed OneDrive folder, for example, can quietly trigger malicious behaviour once a user double-clicks. That makes this class of flaw especially dangerous for mixed environments where staff open shared shortcuts to Microsoft Teams folders, CRM dashboards or even airline booking tools from their Windows desktops.

Beyond Windows: Office and Azure exposure

The February fixes are not limited to the operating system. Microsoft has also shipped patches for Office, including issues that affect the broader Office product group and could be abused through crafted documents. One advisory highlights CVE-2026-21514, an Office vulnerability that illustrates how office files remain a favourite delivery method for attackers. For organisations that live in Excel models, Word templates and PowerPoint decks, a single unpatched workstation can become the weak link that lets a malicious attachment slip through.

On the cloud side, Microsoft has been dealing with a separate set of issues in Azure, including a vulnerability affecting Azure Arc and Azure Functions that the company classifies as critical. At the same time, a misconfiguration in Azure Front Door recently caused a major outage that hit Outlook, Teams, airline systems and other cloud services. Taken together, those events show how much risk is now concentrated in a handful of cloud control planes, and why I think patch hygiene on both Windows and Azure needs board-level attention, not just a ticket in the IT queue.

How defenders should prioritise and respond

Given the mix of zero-days and broader fixes, I would start by grouping systems into clear priority tiers. Internet-facing Windows servers, VPN gateways that rely on Windows Remote Access Connection Manager, and laptops used by executives or admins should receive the February updates first, since they are most exposed to exploit chains built on this month's bugs. From there, I would move to high-value Office users who handle sensitive files and then to the rest of the fleet, while keeping a close eye on any known issues that might affect line-of-business apps.

Defenders also need to assume that some attackers will keep probing even after patches land, reusing the phishing and shortcut tricks seen in targeted campaigns. That means pairing patch deployment with user education about suspicious .lnk files, tightening macro and attachment policies in Office, and reviewing logs for signs of exploitation tied to Windows Shell and related CVE activity. In my experience, the organisations that come through cycles like this in good shape are the ones that treat Patch Tuesday as a starting gun for a broader security sprint, not just a monthly checkbox.
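The shortcut abuse described above, and the triage of suspicious .lnk files recommended here, both come down to reading what a shortcut actually points at. The following is an added example written for this page, not code from Microsoft or from any of the analyses cited: it builds a couple of constructed .lnk files in memory, parses the fixed header and StringData section of the Shell Link (MS-SHLLINK) format to recover the relative target path, working directory and command-line arguments, and applies a small set of triage heuristics. The interpreter list, argument markers and the whitespace-padding threshold are assumptions chosen for illustration, not anything the page or Microsoft publishes; the sample shortcuts are constructed inline and are not real phishing artefacts.

```python
import struct

# MS-SHLLINK fixed header: HeaderSize (0x4C) followed by the shell link CLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits, in specification order.
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]

# Triage heuristics: assumptions for this example, tune them for your own fleet.
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "http://", "https://", "downloadstring")
PADDING_THRESHOLD = 50  # leading spaces that push real arguments out of the Properties view


def build_lnk(relative_path, arguments="", working_dir="", with_idlist=False):
    """Construct a minimal Unicode .lnk for testing the parser (not a complete shortcut)."""
    flags = IS_UNICODE | HAS_RELPATH
    body = b""
    if with_idlist:
        flags |= HAS_IDLIST
        body += struct.pack("<H", 2) + b"\x00\x00"  # empty IDList: just the terminator
    strings = {"relative_path": relative_path}
    if working_dir:
        flags |= HAS_WORKDIR
        strings["working_dir"] = working_dir
    if arguments:
        flags |= HAS_ARGS
        strings["arguments"] = arguments
    # flags, FileAttributes, 3x FILETIME, FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved x3
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    for key, flag in STRING_FIELDS:
        if flags & flag:
            text = strings[key]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")  # CountCharacters, not bytes
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping IDList and LinkInfo if present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes its own 2 bytes
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes its own 4 bytes
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for key, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {key}")
        out[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += nbytes
    return out


def triage(info):
    """Return a list of reasons a parsed shortcut looks suspicious (empty means nothing flagged)."""
    reasons = []
    target = (info.get("relative_path") or "").lower().rsplit("\\", 1)[-1]
    args = info.get("arguments") or ""
    if target in INTERPRETERS:
        reasons.append(f"target is an interpreter: {target}")
    for marker in SUSPICIOUS_ARGS:
        if marker in args.lower():
            reasons.append(f"argument marker: {marker}")
    if len(args) - len(args.lstrip()) > PADDING_THRESHOLD:
        reasons.append("argument string padded with leading whitespace")
    return reasons


# Constructed samples: a document shortcut and a lure that launches PowerShell with hidden, encoded arguments.
BENIGN = build_lnk(r"..\..\Documents\Q1 Report.docx", working_dir=r"C:\Users\alice\Documents")
MALICIOUS = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      arguments=" " * 80 + "-w hidden -enc SQBFAFgA", with_idlist=True)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, parse_lnk(blob).get("relative_path"), triage(parse_lnk(blob)))
```

Pointing `parse_lnk` at real files from a mail quarantine or a user's Downloads folder is a cheap way to turn the "be careful with shortcuts" advice into a repeatable check; the heuristics are deliberately simple, so treat a hit as a reason to look closer rather than as a verdict.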
