Microsoft’s February 2026 “Six Zero-Days” Patch Tuesday: What Defenders Should Do Right Now

The news in context: six actively exploited zero-days in February 2026

Microsoft’s February 2026 Patch Tuesday addressed 59 vulnerabilities, including six “zero-days” confirmed as actively exploited in the wild. The six CVEs span Windows and Office components and include security feature bypasses, local privilege escalation, and denial of service conditions.

SecurityWeek also noted that CISA added these six vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, a strong signal that defenders should treat remediation as urgent.

What is a “zero-day”?

What is a zero-day? A zero-day is a vulnerability that is exploited before (or very near the time) a vendor releases an official fix, giving defenders “zero days” of advance warning. In practice, “zero-day” often overlaps with in-the-wild exploitation, where attacks are observed outside of labs—raising the likelihood of rapid copycat activity after public patch releases.

Why is Patch Tuesday important?

Why is Patch Tuesday important? Patch Tuesday is Microsoft’s regular monthly release cadence for security updates, and it’s when many organizations can most efficiently plan change windows, testing, and deployment. When Patch Tuesday includes actively exploited issues, it becomes a time-critical risk decision: unpatched endpoints and servers may be vulnerable to real attackers, not just theoretical exploits.

The six exploited CVEs: what they are (and why they matter)

Below is a defender-focused summary of the six exploited vulnerabilities highlighted in reporting:

How does modern exploitation “chain” these bugs into a full breach?

How does exploitation chaining work? Real-world intrusions often combine multiple weaknesses into a single path: a security feature bypass reduces friction for user execution (e.g., fewer warnings), a loader or payload establishes a foothold, and a local elevation of privilege escalates to SYSTEM for credential theft, tamper protection disablement, or persistence. This “low-friction to high-privilege” pattern is why bypass + priv-esc combinations are especially dangerous.

What are the risks of “security feature bypass” vulnerabilities?

What are the risks of security feature bypass vulnerabilities? These bugs don’t always grant code execution by themselves; instead, they reduce or defeat safeguards like reputation checks, warnings, or mitigation policies. That matters because attackers win by reliability: bypassing a prompt can dramatically increase the success rate of phishing, malicious shortcuts, and booby-trapped documents—especially in high-volume campaigns.

What are the risks of local privilege escalation (LPE) in Windows?

What are the risks of local privilege escalation? LPE vulnerabilities let an attacker who already has some execution on a device (even as a low-privileged user) elevate to more powerful rights like SYSTEM. In enterprise incidents, LPE is frequently used to disable defenses, dump credentials, spread laterally, and persist. That’s why LPE zero-days are treated as “breach accelerators.”

Why CISA KEV inclusion changes the urgency calculus

What is the KEV catalog? The KEV catalog is CISA’s list of vulnerabilities with evidence of active exploitation. When issues land in KEV, it’s a practical signal for defenders: exploitation is not hypothetical, and attackers may already have working tooling. SecurityWeek reported CISA added these six Microsoft zero-days to KEV, increasing the priority for remediation programs.

Immediate defensive actions: a pragmatic 72-hour playbook

What are the best practices for emergency patch response? Prioritize (1) known exploited vulnerabilities, (2) high-exposure assets, and (3) endpoints used for email/web browsing. Then validate patch deployment with telemetry and spot-checking. Pair patching with compensating controls—like tightening shortcut/script execution paths—because attackers often surge activity after updates become public.

A practical sequence many teams use:

• Triage scope

  • Identify Windows fleets and Office versions most exposed to user-driven infection paths (email, browser, document handling).

  • Flag systems with Remote Desktop Services enabled as higher interest for privilege escalation scenarios.

• Patch rings

  • Ring 0: Security tooling, IT admin workstations, jump boxes, RDS hosts, exposed user groups (finance, exec assistants).

  • Ring 1: General endpoints.

  • Ring 2: Lower-risk or highly constrained environments.

• Verification

  • Confirm update KBs applied via endpoint management plus independent sampling (don’t rely on “compliant” dashboards alone).

  • Watch for abnormal failures/reboots and roll back only with a compensating control plan.

• Threat hunting (lightweight but high yield)

  • Look for spikes in .LNK execution from email/download locations.

  • Monitor suspicious Office child processes and unusual script host activity.

  • Alert on privilege escalation indicators (sudden local admin group changes, service configuration changes).

Hardening moves that reduce exploit-chain success (even before patching is perfect)

What are the best practices for reducing exploit-chain risk? Assume some endpoints will lag patches and reduce attacker “paths to success” with layered controls: restrict macro/script execution, require least privilege, isolate high-risk apps, and enforce strong phishing-resistant authentication. These steps don’t replace patching, but they meaningfully cut real-world intrusion rates.

High-impact options (defensive, broadly applicable):

• Privilege hygiene

  • Remove local admin where possible; use just-in-time admin elevation.

  • Enforce credential guardrails (separate admin accounts, limit token exposure).

• Attachment and shortcut controls

  • Tighten execution from user-writable paths (Downloads, Temp).

  • Add controls around shortcut (.LNK) and HTML file handling where feasible, since multiple covered CVEs reference malicious LNK/HTML or user-opened content.

• RDS posture

  • Reduce RDS footprint; ensure it’s only where required.

  • Protect with MFA (prefer phishing-resistant), network-level restrictions, and dedicated admin paths.

• Detection engineering

  • Create detection rules aligned to bypass → foothold → LPE sequences, not single events.

  • Ensure EDR tamper protection is enabled and monitored.

What defenders should communicate to leadership

What is a “business-ready” summary of this story? Microsoft patched six actively exploited zero-days in February 2026 across Windows and Office. These issues can enable more reliable user-targeted compromise and privilege escalation. The recommended response is rapid patching (starting with exposed endpoints and RDS-enabled systems), plus targeted monitoring for exploit-chain behaviors and temporary hardening where patch lag is unavoidable.

Forward-looking trend: “feature bypass” as the new force multiplier

The standout theme is that several exploited issues focus on bypassing protections rather than being flashy remote-code-execution headlines. That reflects attacker economics: defeating prompts, reputation checks, and mitigations can raise success rates across many campaigns—especially when paired with commodity loaders and privilege escalation.

Expect more of:

• User-interaction exploitation optimized for scale (documents, shortcuts, HTML handlers)

• Post-compromise privilege escalation as a standard stage

• Faster “weaponization waves” after patch releases, especially when exploitation is already confirmed in the wild