
Patch Tuesday, February 2026 Edition – Krebs on Security

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for six major “zero-day” vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell where a single click on a malicious link can silently bypass Windows protections and launch attacker-controlled content without warning or permission dialogs. CVE-2026-21510 affects all supported versions of Windows.

The zero-day bug CVE-2026-21513 is a security bypass bug in MSHTML, a proprietary engine for the default web browser in Windows. CVE-2026-21514 is a related security bypass flaw in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level in Windows Remote Desktop Utilities. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), the main component of Windows that arranges windows on the user’s screen. Microsoft fixed a zero-day in DWM last month.

The sixth zero-day is CVE-2026-21525, a vulnerability that could cause a denial of service in the Windows Remote Access Connection Manager, a service responsible for maintaining VPN connections on corporate networks.

Chris Goettl of Ivanti reminds us that Microsoft has released several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved authentication failures when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

Kev Breen of Focused notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and many integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.

Breen said the AI vulnerabilities covered by Microsoft this month stem from prompt injection, or tricking an AI agent into doing something it shouldn’t, such as running malicious code or commands.

“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that serve as keys to critical infrastructure, including AWS or Azure API keys,” Breen said. “When organizations empower engineers and automation pipelines to use LLMs and agentic AI, malicious information can have a significant impact. This does not mean that organizations should stop using AI. It means that engineers must understand the risks, teams must clearly identify which programs and workflows have access to AI agents, and least-privilege policies must be implemented to limit the developer’s privacy radius.”

The SANS Internet Storm Center has a clickable breakdown of this month’s individual fixes from Microsoft, indexed by severity and CVSS score. Enterprise Windows administrators involved in testing patches before releasing them should keep an eye on askwoody.com, which often covers wonky updates. Please don’t forget to back up your data if it’s been a while since you’ve done so, and feel free to complain in the comments if you run into problems installing any of these fixes.
