# Microsoft's February Patch Tuesday: Six Zero-Days Addressed, Including Critical AI Vulnerabilities
**Microsoft** has released its February 2026 Patch Tuesday updates, addressing over 50 security vulnerabilities in **Windows** and other software. This month's release is particularly critical, as it includes patches for six actively exploited zero-day vulnerabilities, some with potentially severe implications for developers using AI tools.
## Microsoft Patches Six Actively Exploited Zero-Day Vulnerabilities
**Microsoft**'s February Patch Tuesday addresses a significant number of security flaws, with a focus on vulnerabilities already being exploited in the wild. IT security professionals and privacy-conscious users should prioritize reviewing and applying these updates.

## Zero-Day Vulnerabilities in Detail
This month's patch batch includes fixes for the following zero-day vulnerabilities:
* **CVE-2026-21510**: A security feature bypass vulnerability in **Windows Shell**. Exploitation allows attackers to bypass Windows protections and execute code without user consent via a malicious link. This affects all supported Windows versions.
* **CVE-2026-21513**: A security bypass bug in **MSHTML**, the rendering engine of the default Windows web browser.
* **CVE-2026-21514**: A related security feature bypass vulnerability in **Microsoft Word**.
* **CVE-2026-21533**: A local privilege escalation vulnerability in **Windows Remote Desktop Services**, allowing attackers to gain SYSTEM-level access.
* **CVE-2026-21519**: An elevation of privilege flaw in the **Desktop Window Manager** (DWM). This is the second DWM zero-day fixed in as many months.
* **CVE-2026-21525**: A denial-of-service vulnerability in the **Windows Remote Access Connection Manager**, potentially disrupting VPN connections.
## AI-Related Vulnerabilities in GitHub Copilot and IDEs
**Kev Breen** at **Immersive** highlighted the importance of patches addressing remote code execution vulnerabilities affecting **GitHub Copilot** and several integrated development environments (IDEs), including **VS Code**, **Visual Studio**, and **JetBrains** products. The relevant CVEs are **CVE-2026-21516**, **CVE-2026-21523**, and **CVE-2026-21256**.
These AI vulnerabilities stem from a command injection flaw that can be triggered through prompt injection, potentially allowing attackers to execute malicious code through the AI agent.
Breen emphasized the risk to developers, who often have access to sensitive data like API keys. Compromising these keys through a malicious AI prompt could have significant impact, especially in environments using Large Language Models (LLMs) and agentic AI. He recommends applying least-privilege principles and limiting the blast radius of compromised developer secrets.
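One way to apply the least-privilege advice above to an agent that runs commands, as an added example that is not code from Microsoft, GitHub, or Immersive and does not reproduce the CVEs' mechanism. The allowlist, the secret-name markers, and all function names are assumptions made for illustration.

```python
import os
import shlex
import subprocess

# Assumption: the only programs this hypothetical agent may launch.
ALLOWED_PROGRAMS = {"git", "ls", "pytest"}
# Characters that only matter to a shell. With shell=False they are inert,
# but their presence means the proposal expected shell chaining: fail closed.
SHELL_META = set(";|&$`<>\n")
# Assumption: name fragments that mark an environment variable as a secret.
SECRET_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD")


def vet_command(proposed: str) -> list[str]:
    """Turn a model-proposed command into an argv list or raise ValueError."""
    if SHELL_META & set(proposed):
        raise ValueError("shell metacharacter in proposed command")
    argv = shlex.split(proposed)  # also raises ValueError on unbalanced quotes
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError("program is not on the allowlist")
    return argv


def scrubbed_env(env: dict[str, str]) -> dict[str, str]:
    """Drop variables that look like credentials before spawning a child."""
    return {name: value for name, value in env.items()
            if not any(marker in name.upper() for marker in SECRET_MARKERS)}


def run_agent_command(proposed: str) -> subprocess.CompletedProcess:
    """Run a vetted command without a shell and without inherited secrets."""
    return subprocess.run(vet_command(proposed), shell=False,
                          env=scrubbed_env(dict(os.environ)),
                          capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample proposals; the second mimics injected chaining.
    for sample in ("git status", "git status; echo injected", "curl example.invalid"):
        try:
            print("allow", vet_command(sample))
        except ValueError as err:
            print("deny ", repr(sample), "->", err)
```

The allowlist constrains only the program name, so arguments to an allowed program still need their own policy, and name-based scrubbing is a heuristic that complements short-lived, narrowly scoped credentials.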
## Additional Insights and Resources
**Chris Goettl** at **Ivanti** noted that Microsoft has issued several out-of-band security updates since January, including fixes for credential prompt failures and a zero-day in **Microsoft Office** (**CVE-2026-21509**).
The **SANS Internet Storm Center** provides a [clickable breakdown](https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20February%202026/32700) of the individual fixes, indexed by severity and CVSS score. Enterprise admins can monitor [askwoody.com](https://www.askwoody.com/2026/february-2026-security-updates/) for information on problematic updates.
Remember to back up your data before applying these updates.