Particle.news

Microsoft Fixes Six Actively Exploited Zero-Days in February Patch Tuesday

CISA set a March 3 deadline for federal agencies to remediate the flaws.

Overview

  • Microsoft released patches for 59 vulnerabilities across Windows, Office, Azure, Exchange and developer tools, with five rated Critical and a heavy concentration of elevation-of-privilege bugs.
  • The six exploited zero-days affect Windows Shell/SmartScreen (CVE-2026-21510), MSHTML/Internet Explorer (CVE-2026-21513), Microsoft Word (CVE-2026-21514), Desktop Window Manager (CVE-2026-21519), Remote Access Connection Manager/RasMan (CVE-2026-21525) and Remote Desktop Services (CVE-2026-21533).
  • Three of the zero-days were publicly disclosed before patching, and security teams warn that the SmartScreen, MSHTML and Word bypasses remove key user prompts that typically blunt phishing attempts.
  • CISA added all six vulnerabilities to its Known Exploited Vulnerabilities catalog and requires federal remediation by March 3, 2026.
  • Microsoft credited Google Threat Intelligence Group, its internal teams, CrowdStrike and Acros/0patch for discoveries, noted prior in-the-wild use of CVE-2026-21533 reported by CrowdStrike, and continued a phased rollout of replacement Secure Boot certificates.