Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

Estimated Reading Time: 9 minutes

Key Takeaways:

  • Microsoft has released patches for 59 vulnerabilities, including six zero-days currently exploited in the wild (CISA KEV).
  • Apple addressed a sophisticated zero-day (CVE-2026-20700) in its dynamic link editor affecting iOS and macOS.
  • A major supply chain compromise of the Notepad++ update infrastructure by the Lotus Blossom group has been identified.
  • New Windows security initiatives, including Baseline Security Mode, are being introduced to enhance runtime integrity.

Table of Contents:

Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

The February 2026 Microsoft release includes five vulnerabilities rated as Critical, 52 as Important, and two as Moderate. This patch cycle is paramount for system administrators and security engineers, as it targets flaws allowing for security feature bypasses and local privilege escalation (LPE).

The breakdown of these flaws by impact includes:

  • 25 privilege escalation vulnerabilities
  • 12 remote code execution (RCE) flaws
  • 7 spoofing vulnerabilities
  • 6 information disclosure risks
  • 5 security feature bypasses
  • 3 denial-of-service (DoS) issues
  • 1 cross-site scripting (XSS) vulnerability

Of particular concern are the six vulnerabilities flagged as being under active exploitation. These flaws are now listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Actively Exploited Zero-Days

  1. CVE-2026-21510 (CVSS 8.8): A protection mechanism failure in the Windows Shell. This allows an unauthorized attacker to bypass security features over a network.
  2. CVE-2026-21513 (CVSS 8.8): A failure in the MSHTML Framework. This allows attackers to bypass execution prompts when a user interacts with a malicious file. A single click can trigger actions without standard security prompts.
  3. CVE-2026-21514 (CVSS 7.8): Located in Microsoft Office Word, this flaw allows an unauthorized attacker to bypass local security features via untrusted inputs.
  4. CVE-2026-21519 (CVSS 7.8): A type confusion vulnerability in the Desktop Window Manager (DWM). An authorized attacker can exploit this locally to elevate privileges to the SYSTEM level.
  5. CVE-2026-21525 (CVSS 6.2): A null pointer dereference in the Windows Remote Access Connection Manager. This allows an unauthorized attacker to cause a local denial-of-service.
  6. CVE-2026-21533 (CVSS 7.8): Improper privilege management in Windows Remote Desktop. An authorized attacker can elevate privileges locally by modifying service configuration keys to add users to the Administrator group.

The combination of bypass vulnerabilities and privilege escalation provides a pathway for attackers to move from initial access to full domain compromise. Using a cyber threat intelligence platform helps in identifying the specific exploit binaries used in these campaigns.

Security administrator applying Microsoft's February 2026 security patches

Secure Boot and Windows Security Initiatives

Microsoft has begun rolling out updated Secure Boot certificates, as original 2011 certificates are set to expire in late June 2026. Failure to receive these updates will prevent systems from receiving future boot-level protections.

Two new security initiatives are being introduced:

  • Windows Baseline Security Mode: Enables runtime integrity safeguards by default, ensuring only signed apps and drivers are executed.
  • User Transparency and Consent: A framework that prompts users when applications attempt to access sensitive resources like files or cameras.

Apple Zero-Day Vulnerability: CVE-2026-20700

Apple has addressed a zero-day vulnerability, CVE-2026-20700, utilized in targeted, sophisticated attacks. The flaw exists in dyld, the dynamic link editor used across iOS, macOS, iPadOS, tvOS, and visionOS.

An attacker with memory write capability can execute arbitrary code on the affected device. This flaw was reportedly used in conjunction with two other vulnerabilities fixed in late 2025. Organizations should prioritize updates to iOS 18.7.5 and macOS Tahoe 26.3 to mitigate this risk.

Supply Chain Compromise: Notepad++ and Lotus Blossom

Between June and December 2025, the hosting infrastructure for Notepad++ was compromised by the state-sponsored group Lotus Blossom. This was an infrastructure-level hijack rather than a direct compromise of the source code.

The Attack Mechanism

The threat actors breached the shared hosting provider, allowing them to redirect traffic intended for the Notepad++ update server. This enabled an adversary-in-the-middle (AitM) capability to serve malicious update manifests to specific targets.

Two infection chains were identified:

  • Chrysalis Backdoor: Utilized DLL sideloading via a legitimate Bitdefender component (BluetoothService.exe) to load a malicious library (log.dll).
  • Cobalt Strike: A malicious NSIS installer executed a Lua script injection to deliver a Cobalt Strike beacon.

Organizations should utilize supply-chain risk monitoring to detect anomalies in third-party software update traffic.

Malicious Outlook Add-In: AgreeToSteal

A new supply chain attack vector has been identified involving the Microsoft Outlook add-in “AgreeTo.” The attack, named AgreeToSteal, exploited an abandoned domain previously used by the legitimate add-in.

Methodology of Domain Hijacking

Office add-ins utilize a manifest file pointing to a URL. The developer of “AgreeTo” abandoned the project in 2023. The attacker claimed the expired domain and staged a phishing kit. Because Microsoft reviews the manifest only during initial submission, the dynamic nature of the URL allowed for malicious code delivery long after approval.

This highlights the need for a dark web monitoring service and brand leak alerting to identify when trusted third-party tools are associated with malicious infrastructure.

Coordinated Cyber Defense and Risk Management

To manage these risks systematically, organizations are turning to frameworks like the NIST Risk Management Framework (SP 800-37). This involves a multi-tiered approach and continuous monitoring of information systems for breach detection.

Technical Analysis of Malware Components

The Chrysalis backdoor employs a mutex Global\Jdhfv_1.0.1 for persistence. Furthermore, the live ransomware API and real-time ransomware intelligence available to analysts can help correlate these infrastructure hijacks with known threat actor playbooks.

Practical Takeaways for Technical Teams

  • Patch Management: Prioritize Microsoft’s February 2026 updates, especially for RDP and administrative systems.
  • Verification Controls: Ensure third-party updaters enforce certificate and signature verification.
  • EDR/XDR Configuration: Implement custom detection rules for DLL sideloading (e.g., monitoring BluetoothService.exe).
  • Credential Monitoring: Use underground forum intelligence to monitor for leaked administrative credentials.

Practical Takeaways for Business Leaders

  • Supply Chain Audit: Review utility tools used by technical staff; ensure open-source tools are vetted.
  • Infrastructure Security: Move toward signed application environments in alignment with Microsoft’s Baseline Security Mode.
  • Risk Frameworks: Adopt standardized protocols to ensure security decisions are proactive rather than reactive.

Integration with PurpleOps Services

Managing sophisticated supply chain attacks requires integrated intelligence. Through our Cyber Threat Intelligence services, we provide the data necessary to mitigate active zero-day exploits. Our Platform enables real-time monitoring of indicators of compromise.

For organizations concerned about supply chain vulnerabilities, our Supply Chain Information Security service assists in auditing third-party update mechanisms. We also offer Dark Web Monitoring to detect stolen credentials.

To validate defenses, our Penetration Testing and Red Team Operations teams simulate real-world attacks. Additionally, our Protect Against Ransomware services focus on preventing the deployment of payloads like Cobalt Strike. For a detailed evaluation, contact the Services team at PurpleOps today.

Frequently Asked Questions

Which zero-day vulnerabilities were patched by Microsoft in February 2026?
Microsoft patched six zero-days: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, ranging from security bypasses to local privilege escalation.

What was the nature of the Notepad++ supply chain attack?
The group Lotus Blossom compromised the hosting infrastructure of the update server, allowing them to perform Adversary-in-the-Middle attacks and deliver the Chrysalis backdoor and Cobalt Strike to specific targets.

What is the Apple zero-day CVE-2026-20700?
It is a memory write vulnerability in the dynamic link editor (dyld) across Apple platforms that allows arbitrary code execution. It has been seen in sophisticated, targeted attacks.

How does the “AgreeToSteal” attack work?
It leverages an abandoned domain previously linked to a legitimate Outlook add-in manifest. Attackers hijacked the domain to serve phishing kits and exfiltrate data via Telegram.