
Microsoft has released fixes for six new zero-days actively exploited in the wild, alongside more than 50 additional security updates in this month’s Patch Tuesday rollout.
- CISA confirms six Microsoft zero-days are under active attack and now listed in its KEV catalog.
- Several of the flaws allow Windows and Office security protections to be bypassed, raising phishing and post-compromise concerns.
- While the desktop patches are straightforward, security leaders may need to watch Azure fixes more closely this month.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the six newly discovered flaws to its Known Exploited Vulnerabilities (KEV) Catalog, noting “evidence of active exploitation” in an alert sent to defenders on Tuesday.
According to CISA, the batch of vulnerabilities – including two Security Feature Bypass flaws rated High, 8.8 on the Common Vulnerability Scoring System (CVSS) – represents a common attack vector for malicious cyber actors and poses significant risks to federal networks.
CISA is urging both private-sector organizations and government entities to prioritize remediation immediately.
Six zero-days now on CISA’s KEV list
“10% of this month’s vulnerabilities are listed by Microsoft as ‘exploit detected.’ That’s a significant portion,” observed Tyler Reguly, Associate Director of Security R&D at Fortra.
Reguly said the upside is that the vulnerabilities “are easy to resolve with regular Microsoft patches for Windows and Office, and none of them require any post-patch configuration steps.”
The six vulnerabilities CISA confirmed are actively exploited include:
- CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
- CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
- CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
- CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
- CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
- CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability
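The KEV cross-check that CISA's alert and the list above describe, as an added example in Python (not code from the article, CISA or Microsoft): it indexes a feed in the KEV catalog's JSON schema and reports which of a month's CVEs carry a KEV remediation due date, and which do not. The feed excerpt embedded here is constructed for offline use; the CVE IDs and vulnerability names are the ones from this article, but the dateAdded, dueDate, requiredAction and knownRansomwareCampaignUse values are placeholders, not CISA's real entries.

```python
import json
from datetime import date

# Constructed excerpt in the schema of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs and names come from the article; all dates, the required-action text
# and the ransomware flag are PLACEHOLDERS, not CISA's real catalog values.
def _entry(cve, product, name, due):
    return {
        "cveID": cve,
        "vendorProject": "Microsoft",
        "product": product,
        "vulnerabilityName": name,
        "dateAdded": "2026-02-10",          # placeholder
        "shortDescription": "Constructed sample entry.",
        "requiredAction": "Apply mitigations per vendor instructions.",  # placeholder
        "dueDate": due,                     # placeholder
        "knownRansomwareCampaignUse": "Unknown",
    }

KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 6,
    "vulnerabilities": [
        _entry("CVE-2026-21510", "Windows",
               "Microsoft Windows Shell Protection Mechanism Failure Vulnerability", "2026-03-03"),
        _entry("CVE-2026-21513", "MSHTML Framework",
               "Microsoft MSHTML Framework Security Feature Bypass Vulnerability", "2026-03-03"),
        _entry("CVE-2026-21514", "Office Word",
               "Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability",
               "2026-03-03"),
        _entry("CVE-2026-21519", "Windows",
               "Microsoft Windows Type Confusion Vulnerability", "2026-03-03"),
        _entry("CVE-2026-21525", "Windows",
               "Microsoft Windows NULL Pointer Dereference Vulnerability", "2026-03-03"),
        _entry("CVE-2026-21533", "Windows",
               "Windows Remote Desktop Services Elevation of Privilege Vulnerability", "2026-02-24"),
    ],
})

# This month's CVEs as a team might list them: the six KEV entries above plus the
# three Azure CVEs the article names as "No Customer Action Required".
PATCH_TUESDAY_CVES = [
    "CVE-2026-21510", "CVE-2026-21513", "CVE-2026-21514",
    "CVE-2026-21519", "CVE-2026-21525", "CVE-2026-21533",
    "CVE-2026-21532", "CVE-2026-24300", "CVE-2026-24302",
]


def load_kev(feed_text):
    """Parse KEV JSON and index its entries by CVE ID."""
    catalog = json.loads(feed_text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def kev_hits(feed_text, cve_ids):
    """KEV entries for the given CVEs, earliest due date first (ties by CVE ID)."""
    index = load_kev(feed_text)
    hits = [index[c] for c in cve_ids if c in index]
    return sorted(hits, key=lambda v: (v["dueDate"], v["cveID"]))


def not_in_kev(feed_text, cve_ids):
    """CVEs from the list that the KEV feed does not (yet) contain, in input order."""
    index = load_kev(feed_text)
    return [c for c in cve_ids if c not in index]


def days_until_due(entry, today):
    """Days from `today` (date or ISO string) to the entry's KEV due date; negative if overdue."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (date.fromisoformat(entry["dueDate"]) - today).days


def report(feed_text, cve_ids, today):
    """One line per KEV hit, ordered by urgency, for a patch-priority ticket."""
    lines = []
    for e in kev_hits(feed_text, cve_ids):
        lines.append(f'{e["cveID"]}  due {e["dueDate"]} ({days_until_due(e, today):+d}d)  '
                     f'{e["vulnerabilityName"]}')
    return lines


if __name__ == "__main__":
    for line in report(KEV_FEED_SAMPLE, PATCH_TUESDAY_CVES, "2026-02-10"):
        print(line)
    print("not in KEV:", not_in_kev(KEV_FEED_SAMPLE, PATCH_TUESDAY_CVES))
```

Against the live feed, replace KEV_FEED_SAMPLE with the downloaded JSON text; the schema and the functions stay the same, and a CVE dropping out of `not_in_kev` between two runs is the signal that a patch just gained a hard deadline.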
Security bypass flaws raise phishing concerns
Impacting Windows 10 users, the Windows Shell Security Feature Bypass vulnerability (CVE-2026-21510) allows attackers to remotely sidestep protections meant to automatically block suspicious activity within the system.
Similarly, the MSHTML Framework Security Feature Bypass vulnerability (CVE-2026-21513) also allows malicious actors to remotely bypass built-in safety checks and is often exploited in phishing campaigns via embedded web content in Word or other Office documents.
Rated 7.8 in severity, the Word Security Feature Bypass vulnerability (CVE-2026-21514) – affecting Microsoft 365 Apps for Enterprise – allows threat actors to bypass key safeguards when Word processes untrusted content.
Next, the Desktop Window Manager Elevation of Privilege vulnerability (CVE-2026-21519) – also rated 7.8 and impacting Windows 10 users – could allow an attacker already inside the system to escalate privileges locally, a technique often observed in ransomware attacks, although CISA did not identify that as a known factor.
Also scoring 7.8 on CVSS, the Windows Remote Desktop Services Elevation of Privilege vulnerability (CVE-2026-21533) could enable attackers to gain higher-level system privileges following initial access, leading to broader network access.
And finally, rated 6.2 (Medium), the Windows Remote Access Connection Manager Denial of Service vulnerability gives attackers the ability to trigger system crashes or instability and potentially disrupt normal operations, without granting higher-level access.
Cloud patching pressures mount
Reguly said that while the Windows and Office flaws are relatively straightforward to fix, he would be paying closer attention to the 10 Azure CVEs also just released on Tuesday.
“If I’m a CSO this month, I’m less concerned about what my desktop and server security teams are patching and more concerned with my cloud ops teams,” he explained.
Reguly went on to say that "while three of the Azure flaws (CVE-2026-21532, CVE-2026-24300, and CVE-2026-24302) are marked as ‘No Customer Action Required,’ I’d still want to ensure there is no evidence of issues in my cloud (or cloud-adjacent) environments."
"For the other 7 Azure CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment," he added.
Unlike traditional Windows and Office patches, which typically deploy automatically, cloud vulnerabilities often require manual configuration changes, script updates, or component upgrades – increasing the risk of oversight.
“With on-prem deployments, the vulnerability resolution process is mature – we know how to identify unpatched systems and roll out standard updates. With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve many vulnerabilities,” Reguly said.
This increases pressure on cloud ops and development teams while complicating visibility for CSOs trying to track affected components, he noted.