![Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/video-ATTCK2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
![Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/Edward-Gonam-Qatar-Blog2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
Microsoft has addressed 59 vulnerabilities in its February 2026 security update release. These include six actively exploited vulnerabilities, three of which were publicly known, and five Critical vulnerabilities.
This month's leading risk types by exploitation technique are elevation of privilege with 25 patches (42%), remote code execution (RCE) with 12 patches (20%), and spoofing with 8 patches (14%).
Figure 1. Breakdown of February 2026 Patch Tuesday exploitation techniques
Figure 2. Breakdown of product families affected by February 2026 Patch Tuesday
CVE-2026-21533 is an Important elevation of privilege vulnerability affecting Windows Remote Desktop Services and has a CVSS score of 7.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed. CrowdStrike identified and reported this vulnerability to Microsoft.
The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group. CrowdStrike Intelligence retrospective hunting has revealed that threat actors had used this binary in the wild to target U.S. and Canada-based entities since at least December 24, 2025. CrowdStrike Intelligence assesses that Microsoft's public disclosure of CVE-2026-21533 will almost certainly encourage threat actors possessing CVE-2026-21533 exploit binaries, as well as any exploit brokers possessing the underlying exploit, to use or monetize the exploits in the near term. CrowdStrike customers can learn more details in CSA-260174.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability |
CVE-2026-21513 is an Important security feature bypass vulnerability affecting MSHTML Framework and has a CVSS score of 8.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed.
The vulnerability allows remote attackers with no privileges to bypass security prompts when executing files by convincing users to open malicious HTML files or shortcut (.lnk) files delivered via social engineering. The specially crafted files manipulate browser and Windows Shell handling, causing content to be executed by the operating system without proper security warnings. This bypass can potentially lead to code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires user interaction but has low attack complexity, and affects multiple versions of Windows 10, Windows 11, and Windows Server systems dating back to Server 2012.
| Severity | CVSS Score | CVE | Description |
| Important | 8.8 | CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability |
CVE-2026-21510 is an Important security feature bypass vulnerability affecting Windows Shell and has a CVSS score of 8.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed.
The vulnerability allows remote attackers with no privileges to bypass Windows SmartScreen and Windows Shell security prompts by convincing users to open malicious links or shortcut files. The specially crafted files exploit improper handling in Windows Shell components, causing attacker-controlled content to be executed without user warning or consent. This bypass can lead to code execution. The attack requires user interaction, but complexity is low, making it readily exploitable through social engineering techniques.
| Severity | CVSS Score | CVE | Description |
| Important | 8.8 | CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability |
CVE-2026-21514 is an Important security feature bypass vulnerability affecting Microsoft Word and has a CVSS score of 7.8. Microsoft confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed.
The vulnerability allows local attackers with no privileges to bypass OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office by convincing users to open malicious Office files. The specially crafted files exploit reliance on untrusted inputs in security decisions, allowing vulnerable COM/OLE controls to execute without proper protection. This bypass can lead to code execution with high impact to confidentiality, integrity, and availability, but the vulnerability requires user interaction. The attack complexity is low, making it readily exploitable through social engineering techniques such as phishing emails with malicious attachments. The Preview Pane is not an attack vector for this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability |
CVE-2026-21519 is an Important elevation of privilege vulnerability affecting Desktop Window Manager and has a CVSS score of 7.8. Microsoft confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed.
The vulnerability allows local attackers with low privileges to elevate to SYSTEM privileges through a type confusion flaw in Desktop Window Manager. The specially crafted exploit accesses resources using incompatible types, enabling unauthorized privilege escalation. The vulnerability requires no user interaction and has low attack complexity, making it an attractive target for attackers that have already gained initial access to a system. Despite unproven public exploit code, active exploitation has been detected in the wild, indicating threat actors possess working exploits for this zero-day vulnerability.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability |
CVE-2026-21525 is a Moderate denial of service vulnerability affecting Windows Remote Access Connection Manager and has a CVSS score of 6.2. Microsoft confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed.
The vulnerability allows local attackers with no privileges to cause a denial of service through a null pointer dereference in Windows Remote Access Connection Manager. The vulnerability requires no user interaction and has low attack complexity, enabling attackers to disrupt system availability. Despite unproven public exploit code, active exploitation has been detected in the wild, indicating threat actors possess working exploits.
| Severity | CVSS Score | CVE | Description |
| Moderate | 6.2 | CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability |
CVE-2026-24300 is a Critical elevation of privilege vulnerability affecting Azure Front Door and has a CVSS score of 9.8.
The vulnerability allows remote attackers with no privileges to elevate privileges through improper access control in Azure Front Door. The vulnerability requires no user interaction and has low attack complexity. Microsoft has proactively remediated this vulnerability within the Azure cloud infrastructure without requiring any customer intervention. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Azure Arc users are automatically protected with no patches or configuration changes necessary.
CVE-2026-24302 is a Critical elevation of privilege vulnerability affecting Azure Arc and has a CVSS score of 8.6.
The vulnerability allows remote attackers with no privileges to elevate privileges through improper access control in Azure Arc. The vulnerability requires no user interaction, has low attack complexity, and features a changed scope with potential for high confidentiality impact. As a cloud service vulnerability, Microsoft has already deployed fixes across the Azure platform, eliminating the risk without requiring customer action. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Azure Arc users are automatically protected with no patches or configuration changes necessary.
CVE-2026-21532 is a Critical information disclosure vulnerability affecting Azure Function and has a CVSS score of 8.2.
The vulnerability allows remote attackers with no privileges to access sensitive information through exposure of sensitive information to unauthorized actors in Azure Function. The vulnerability requires no user interaction, has low attack complexity, and could result in high confidentiality impact and low integrity impact. Microsoft resolved this vulnerability through backend infrastructure updates that were applied transparently to all Azure Function customers. No user action, patching, or configuration modification is needed. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Azure Function users are automatically protected with no patches or configuration changes necessary.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability |
| Critical | 8.6 | CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability |
| Critical | 8.2 | CVE-2026-21532 | Azure Function Information Disclosure Vulnerability |
CVE-2026-21522 is a Critical elevation of privilege vulnerability affecting Microsoft ACI Confidential Containers and has a CVSS score of 6.7. This vulnerability has not been publicly disclosed, and there is no evidence of exploitation in the wild.
A command injection flaw in Azure Compute Gallery could allow local attackers with high privileges to execute arbitrary commands within the affected ACI container's context. The vulnerability requires no user interaction and has low attack complexity. In confidential container scenarios, successful exploitation could enable attackers to access sensitive secrets or data protected by the attested environment, and run code with the same privileges as the compromised container. While proof-of-concept exploit code exists, Microsoft assesses exploitation as less likely. An official fix is available for customers to deploy.
CVE-2026-23655 is a Critical information disclosure vulnerability affecting Microsoft ACI Confidential Containers with a CVSS score of 6.5. This vulnerability had not been publicly disclosed, and there is no evidence of exploitation in the wild.
Cleartext storage of sensitive information in Azure Compute Gallery could allow remote attackers with low privileges to disclose secret tokens and keys over a network. The vulnerability requires no user interaction and has low attack complexity, potentially resulting in high confidentiality impact. Despite the lack of public exploit code, the exposure of authentication credentials and cryptographic keys poses significant risk to confidential container environments. Microsoft assesses exploitation as less likely, and an official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description |
| Critical | 6.7 | CVE-2026-21522 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
| Critical | 6.5 | CVE-2026-23655 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability |
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster.
Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
