Pull to refresh
Logo
Daily Brief
Following Why Ranks Sign Up
Microsoft's ongoing battle against zero-day exploits

Microsoft's ongoing battle against zero-day exploits

Rule Changes

Monthly security patches struggle to keep pace with attackers exploiting Windows vulnerabilities

February 11th, 2026: February 2026 Patches Six Actively Exploited Zero-Days

Overview

Microsoft released its February 2026 Patch Tuesday update, fixing 58 security flaws including six zero-day vulnerabilities that attackers were already exploiting. The most severe allows attackers to bypass Windows SmartScreen protections, tricking users into running malicious software without seeing the usual security warnings. The United States Cybersecurity and Infrastructure Security Agency (CISA) added all six vulnerabilities to its Known Exploited Vulnerabilities catalog, giving federal agencies until March 3, 2026, to patch their systems.

This monthly ritual has repeated since October 2003, when Microsoft introduced the predictable patch schedule in response to the chaos of the Blaster worm era. Yet attackers continue finding and exploiting vulnerabilities before patches arrive. In 2025, Microsoft patched 24 zero-days that were already being exploited in the wild. Security feature bypasses—attacks that defeat Windows' built-in protections—have tripled since 2020, rising from 30 to 90 disclosures annually. The question is no longer whether new zero-days will emerge, but how quickly organizations can deploy patches before attackers weaponize them.

Play on this story Voices Debate Predict

Key Indicators

6
Zero-days patched in February 2026
All six were actively exploited before patches were available
1,139
Total vulnerabilities patched in 2025
Second-largest annual total ever, trailing 2020 by only 111
24
Exploited zero-days in 2025
Of 41 total zero-days patched, 24 were actively exploited in the wild
3x
Increase in security bypass flaws since 2020
Security feature bypass vulnerabilities rose from 30 to 90 annual disclosures

Voices

Curated perspectives — historical figures and your fellow readers.

Ever wondered what historical figures would say about today's headlines?

Sign up to generate historical perspectives on this story.

Log in Sign Up

Play

Exploring all sides of a story is often best achieved with Play.

Log in to play. Track your picks, climb the leaderboards. Log in Sign Up
Predict 4 ways this could play out. Contrarian picks score more — points lock when the scenario resolves. Log in to play
Timeline Five events from this story — drag them oldest to newest. Log in to play
Connections Sixteen names from the news. Find the four hidden groups of four. Log in to play

People Involved

Satya Nadella
Satya Nadella
Leading company's Secure Future Initiative

Organizations Involved

Microsoft
Microsoft
Public technology company
Primary maintainer of Windows operating system security

Developer of Windows, which runs on over a billion devices worldwide and remains a primary target for cyberattacks.
Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity and Infrastructure Security Agency (CISA)
Federal Agency
Tracking and mandating remediation of exploited vulnerabilities

United States federal agency responsible for cybersecurity and critical infrastructure protection.

Timeline

October 2003 February 2026

11 events Latest: February 11th, 2026 · 3 months ago Showing 8 of 11
Tap a bar to jump to that date

  1. February 2026 Patches Six Actively Exploited Zero-Days

    Latest Patch

    Microsoft fixes 58 flaws including six zero-days exploited in the wild. Vulnerabilities allow SmartScreen bypass, privilege escalation, and Office security defeats. CISA mandates federal patching by March 3.

  2. Emergency Office Zero-Day Patch Released

    Patch

    Microsoft issues out-of-band emergency patch for CVE-2026-21509, a high-severity security bypass in Microsoft Office under active exploitation.

  3. January 2026 Patches 112 Flaws

    Patch

    Microsoft patches 112 vulnerabilities including multiple zero-days. One Desktop Window Manager flaw is already under active attack.

  4. 2025 Ends with 1,139 Vulnerabilities Patched

    Patch

    Final Patch Tuesday of 2025 fixes 56 flaws including three zero-days. Annual total reaches 1,139 vulnerabilities, a 12% increase over 2024.

  5. 2025 Opens with 150+ Vulnerabilities Patched

    Patch

    Microsoft delivers largest Patch Tuesday of the 2020s with fixes for over 150 vulnerabilities, including eight zero-days.

  6. LNK Stomping Zero-Day Added to KEV

    Vulnerability

    CISA adds CVE-2024-38217 to KEV catalog. The Mark of the Web bypass technique had been exploited for at least six years before discovery.

  7. Microsoft Announces Secure Future Initiative

    Policy

    Microsoft launches its largest cybersecurity engineering effort, committing to security-first engineering practices across all products.

  8. BlueKeep RDP Vulnerability Patched

    Patch

    Microsoft patches CVE-2019-0708, a wormable Remote Desktop vulnerability. NSA issues rare public advisory warning of potential WannaCry-scale attacks.

  9. WannaCry Ransomware Attack Strikes

    Attack

    WannaCry ransomware using EternalBlue infects 200,000 computers across 150 countries. Microsoft releases emergency patches for unsupported Windows XP and Server 2003.

  10. Microsoft Patches EternalBlue Vulnerability

    Patch

    Microsoft releases MS17-010 patching the SMB vulnerability exploited by EternalBlue. The NSA had known about the flaw for five years before disclosure.

  11. Microsoft Introduces Patch Tuesday

    Policy

    Microsoft establishes monthly security update schedule on the second Tuesday of each month, following the 2003 Blaster worm crisis. The move brings predictability to IT security management.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

May 2017

WannaCry Ransomware Attack (2017)

The WannaCry ransomware exploited a Windows SMB vulnerability called EternalBlue, infecting over 200,000 computers across 150 countries in a single weekend. The UK's National Health Service saw hospitals disrupted. FedEx, Renault, and Telefonica suffered operational impacts. The vulnerability had been patched two months earlier, but many organizations hadn't updated.

Then

Microsoft released emergency patches for unsupported Windows XP and Server 2003. Organizations scrambled to patch vulnerable systems. The attack highlighted the danger of delayed patching and legacy system exposure.

Now

WannaCry became the standard reference point for wormable vulnerability risk. It demonstrated that a single unpatched flaw could cascade globally within hours, reshaping how organizations prioritize security updates.

Why this matters now

The February 2026 Remote Desktop Services vulnerability (CVE-2026-21533) raises similar concerns about privilege escalation that could enable network-wide compromise. Security researchers explicitly compare current RDP vulnerabilities to the BlueKeep-WannaCry lineage.

May-November 2019

BlueKeep Remote Desktop Vulnerability (2019)

CVE-2019-0708 was a wormable vulnerability in Remote Desktop Services affecting Windows 7 and older systems. Both Microsoft and the NSA issued public warnings comparing it to EternalBlue's potential. Microsoft took the unusual step of patching Windows XP, which it had stopped supporting five years earlier.

Then

Security researchers raced to develop exploits while defenders pushed emergency patches. Cryptocurrency mining malware using BlueKeep appeared by November 2019, though the feared large-scale worm attack never materialized.

Now

BlueKeep established a template for how the security community responds to high-severity wormable vulnerabilities: urgent patching mandates, proof-of-concept embargoes, and public awareness campaigns.

Why this matters now

February 2026's Remote Desktop privilege escalation flaw (CVE-2026-21533) continues the pattern of RDP as a persistent attack surface. Each new RDP vulnerability triggers BlueKeep comparisons and intensified patching urgency.

2022-2024

Mark of the Web Bypass Epidemic (2022-2024)

Attackers discovered multiple ways to bypass Windows' Mark of the Web protection, which warns users before running files downloaded from the internet. Techniques like LNK Stomping stripped security markers from malicious files. Russian threat actors exploited these bypasses in campaigns against Ukraine. By 2024, security feature bypass vulnerabilities had tripled compared to 2020.

Then

Microsoft patched individual bypass techniques as they emerged. CISA added multiple MotW bypasses to the KEV catalog. Security vendors developed detection rules for bypass attempts.

Now

The recurring bypasses revealed that legacy security features designed in the Windows XP era struggle against modern phishing toolkits. Each patch addressed symptoms rather than the underlying architectural weakness.

Why this matters now

February 2026's CVE-2026-21510 SmartScreen bypass continues this pattern. The vulnerability allows attackers to suppress security warnings on downloaded files, demonstrating that Windows security dialogs remain a vulnerable chokepoint.

Sources

(12)
+6
BleepingComputer Krebs on Security Help Net Security Tenable The Hacker News CISA Security Affairs Dark Reading Malwarebytes Security Boulevard Microsoft Security Blog Wikipedia