Pull to refresh
Logo
Daily Brief
Following Why Ranks Sign Up
Microsoft's ongoing battle against zero-day exploits

Microsoft's ongoing battle against zero-day exploits

Rule Changes

Monthly security patches struggle to keep pace with attackers exploiting Windows vulnerabilities

February 11th, 2026: February 2026 Patches Six Actively Exploited Zero-Days

Overview

Microsoft released its February 2026 Patch Tuesday update, fixing 58 security flaws including six zero-day vulnerabilities that attackers were already exploiting. The most severe allows attackers to bypass Windows SmartScreen protections, tricking users into running malicious software without seeing the usual security warnings. The United States Cybersecurity and Infrastructure Security Agency (CISA) added all six vulnerabilities to its Known Exploited Vulnerabilities catalog, giving federal agencies until March 3, 2026, to patch their systems.

This monthly ritual has repeated since October 2003, when Microsoft introduced the predictable patch schedule in response to the chaos of the Blaster worm era. Yet attackers continue finding and exploiting vulnerabilities before patches arrive. In 2025, Microsoft patched 24 zero-days that were already being exploited in the wild. Security feature bypasses—attacks that defeat Windows' built-in protections—have tripled since 2020, rising from 30 to 90 disclosures annually. The question is no longer whether new zero-days will emerge, but how quickly organizations can deploy patches before attackers weaponize them.

Play on this story Voices Debate Predict

Key Indicators

6
Zero-days patched in February 2026
All six were actively exploited before patches were available
1,139
Total vulnerabilities patched in 2025
Second-largest annual total ever, trailing 2020 by only 111
24
Exploited zero-days in 2025
Of 41 total zero-days patched, 24 were actively exploited in the wild
3x
Increase in security bypass flaws since 2020
Security feature bypass vulnerabilities rose from 30 to 90 annual disclosures

Interactive

Exploring all sides of a story is often best achieved with Play.

Ever wondered what historical figures would say about today's headlines?

Sign up to generate historical perspectives on this story.

Log in Sign Up

People Involved

Satya Nadella
Satya Nadella
Leading company's Secure Future Initiative

Organizations Involved

Microsoft
Microsoft
Corporate research program
Primary maintainer of Windows operating system security

Developer of Windows, which runs on over a billion devices worldwide and remains a primary target for cyberattacks.
Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity and Infrastructure Security Agency (CISA)
Federal Agency
Tracking and mandating remediation of exploited vulnerabilities

United States federal agency responsible for cybersecurity and critical infrastructure protection.

Timeline

  1. February 2026 Patches Six Actively Exploited Zero-Days

    Patch

    Microsoft fixes 58 flaws including six zero-days exploited in the wild. Vulnerabilities allow SmartScreen bypass, privilege escalation, and Office security defeats. CISA mandates federal patching by March 3.

  2. Emergency Office Zero-Day Patch Released

    Patch

    Microsoft issues out-of-band emergency patch for CVE-2026-21509, a high-severity security bypass in Microsoft Office under active exploitation.

  3. January 2026 Patches 112 Flaws

    Patch

    Microsoft patches 112 vulnerabilities including multiple zero-days. One Desktop Window Manager flaw is already under active attack.

  4. 2025 Ends with 1,139 Vulnerabilities Patched

    Patch

    Final Patch Tuesday of 2025 fixes 56 flaws including three zero-days. Annual total reaches 1,139 vulnerabilities, a 12% increase over 2024.

  5. 2025 Opens with 150+ Vulnerabilities Patched

    Patch

    Microsoft delivers largest Patch Tuesday of the 2020s with fixes for over 150 vulnerabilities, including eight zero-days.

  6. LNK Stomping Zero-Day Added to KEV

    Vulnerability

    CISA adds CVE-2024-38217 to KEV catalog. The Mark of the Web bypass technique had been exploited for at least six years before discovery.

  7. Microsoft Announces Secure Future Initiative

    Policy

    Microsoft launches its largest cybersecurity engineering effort, committing to security-first engineering practices across all products.

  8. BlueKeep RDP Vulnerability Patched

    Patch

    Microsoft patches CVE-2019-0708, a wormable Remote Desktop vulnerability. NSA issues rare public advisory warning of potential WannaCry-scale attacks.

  9. WannaCry Ransomware Attack Strikes

    Attack

    WannaCry ransomware using EternalBlue infects 200,000 computers across 150 countries. Microsoft releases emergency patches for unsupported Windows XP and Server 2003.

  10. Microsoft Patches EternalBlue Vulnerability

    Patch

    Microsoft releases MS17-010 patching the SMB vulnerability exploited by EternalBlue. The NSA had known about the flaw for five years before disclosure.

  11. Microsoft Introduces Patch Tuesday

    Policy

    Microsoft establishes monthly security update schedule on the second Tuesday of each month, following the 2003 Blaster worm crisis. The move brings predictability to IT security management.

Scenarios

Predict which scenario wins. Contrarian picks score more — points lock in when the scenario resolves.

Log in to predict. Track your picks, climb the leaderboard. Log in Sign Up
1

Zero-Day Volume Continues Rising, Reaching 30+ Exploited Annually by 2027

With exploited zero-days rising from the teens in the early 2020s to 24 in 2025, the trajectory suggests continued growth. As Microsoft's product surface expands with AI features and cloud services, and as vulnerability research matures with AI-assisted discovery, the number of actively exploited zero-days could exceed 30 annually. This would strain enterprise patching capacity and increase the window during which organizations remain vulnerable.

Discussed by: Security Boulevard, Tenable, and vulnerability researchers analyzing multi-year trends
Consensus
2

Secure Future Initiative Reduces Exploited Zero-Days to Single Digits

Microsoft's 34,000-engineer security effort could pay off through improved secure-by-design practices, faster internal vulnerability detection, and elimination of legacy attack surfaces. If Mark of the Web and SmartScreen weaknesses are architecturally resolved rather than repeatedly patched, the steady stream of bypass vulnerabilities could slow significantly. Success would be measured by declining zero-day exploitation, not just total CVEs patched.

Discussed by: Microsoft Security Blog, industry analysts evaluating SFI impact
Consensus
3

Major Wormable Vulnerability Causes WannaCry-Scale Incident

Remote Desktop Services vulnerabilities like CVE-2026-21533 echo the BlueKeep era. If a wormable vulnerability achieves widespread exploitation before patching reaches critical mass, a self-propagating attack could replicate WannaCry's global impact. Federal patching mandates help, but the private sector remains unevenly protected, and legacy systems persist in critical infrastructure.

Discussed by: CISA advisories, NSA public warnings, security researchers comparing current vulnerabilities to BlueKeep and EternalBlue
Consensus
4

Regulatory Mandates Expand Beyond Federal Agencies

CISA's KEV catalog currently binds only federal civilian agencies. If exploited vulnerabilities cause significant private sector damage, pressure could mount for mandatory patching timelines in critical infrastructure sectors like healthcare, finance, and energy. Such requirements would fundamentally change the vulnerability management landscape for enterprises.

Discussed by: CISA policy discussions, cybersecurity policy analysts
Consensus

Historical Context

WannaCry Ransomware Attack (2017)

May 2017

What Happened

The WannaCry ransomware exploited a Windows SMB vulnerability called EternalBlue, infecting over 200,000 computers across 150 countries in a single weekend. The UK's National Health Service saw hospitals disrupted. FedEx, Renault, and Telefonica suffered operational impacts. The vulnerability had been patched two months earlier, but many organizations hadn't updated.

Outcome

Short Term

Microsoft released emergency patches for unsupported Windows XP and Server 2003. Organizations scrambled to patch vulnerable systems. The attack highlighted the danger of delayed patching and legacy system exposure.

Long Term

WannaCry became the standard reference point for wormable vulnerability risk. It demonstrated that a single unpatched flaw could cascade globally within hours, reshaping how organizations prioritize security updates.

Why It's Relevant Today

The February 2026 Remote Desktop Services vulnerability (CVE-2026-21533) raises similar concerns about privilege escalation that could enable network-wide compromise. Security researchers explicitly compare current RDP vulnerabilities to the BlueKeep-WannaCry lineage.

BlueKeep Remote Desktop Vulnerability (2019)

May-November 2019

What Happened

CVE-2019-0708 was a wormable vulnerability in Remote Desktop Services affecting Windows 7 and older systems. Both Microsoft and the NSA issued public warnings comparing it to EternalBlue's potential. Microsoft took the unusual step of patching Windows XP, which it had stopped supporting five years earlier.

Outcome

Short Term

Security researchers raced to develop exploits while defenders pushed emergency patches. Cryptocurrency mining malware using BlueKeep appeared by November 2019, though the feared large-scale worm attack never materialized.

Long Term

BlueKeep established a template for how the security community responds to high-severity wormable vulnerabilities: urgent patching mandates, proof-of-concept embargoes, and public awareness campaigns.

Why It's Relevant Today

February 2026's Remote Desktop privilege escalation flaw (CVE-2026-21533) continues the pattern of RDP as a persistent attack surface. Each new RDP vulnerability triggers BlueKeep comparisons and intensified patching urgency.

Mark of the Web Bypass Epidemic (2022-2024)

2022-2024

What Happened

Attackers discovered multiple ways to bypass Windows' Mark of the Web protection, which warns users before running files downloaded from the internet. Techniques like LNK Stomping stripped security markers from malicious files. Russian threat actors exploited these bypasses in campaigns against Ukraine. By 2024, security feature bypass vulnerabilities had tripled compared to 2020.

Outcome

Short Term

Microsoft patched individual bypass techniques as they emerged. CISA added multiple MotW bypasses to the KEV catalog. Security vendors developed detection rules for bypass attempts.

Long Term

The recurring bypasses revealed that legacy security features designed in the Windows XP era struggle against modern phishing toolkits. Each patch addressed symptoms rather than the underlying architectural weakness.

Why It's Relevant Today

February 2026's CVE-2026-21510 SmartScreen bypass continues this pattern. The vulnerability allows attackers to suppress security warnings on downloaded files, demonstrating that Windows security dialogs remain a vulnerable chokepoint.

Sources

(12)
+6
BleepingComputer Krebs on Security Help Net Security Tenable The Hacker News CISA Security Affairs Dark Reading Malwarebytes Security Boulevard Microsoft Security Blog Wikipedia