IT administrators have learned to fear a certain type of Tuesday, and February 11 was one of those days. This time, Microsoft’s monthly security drop, which is typically a routine exercise in patching, cataloging, and closing tickets, came with teeth. There are a total of 59 vulnerabilities. In the wild, six of them are already being actively exploited. Three of those were security feature bypass flaws, which sounds bureaucratic until you understand what it really means: attackers have discovered ways to get around the built-in safeguards that home users and businesses depend on without raising an alert.
CVE-2026-21510 is the one that has received the most attention and most likely merits it. It resides in the Windows Shell, which powers the interface that the majority of people use on a daily basis. With just one click on a malicious shortcut or link, an attacker can circumvent SmartScreen, Microsoft’s built-in system for flagging dubious links and files, and run code on the victim’s computer.
One-click remote code execution bugs, according to security researcher Dustin Childs, who has been documenting Patch Tuesdays for years at the Zero Day Initiative, are “a rarity.” According to a Google representative, the vulnerability is under “widespread, active exploitation,” with successful attacks leading to the silent installation of malware at high privilege levels. Translation: This is already being used by intelligence gatherers, state actors, and ransomware gangs.

| Field | Details |
| --- | --- |
| Affected Vendor | Microsoft Corporation |
| Affected Products | Windows (all supported versions), Microsoft Office, Microsoft 365 |
| Patch Release | February 2026 Patch Tuesday |
| Total Vulnerabilities Patched | 59 |
| Actively Exploited Zero-Days | 6 |
| “More Likely Exploited” CVEs | 5 additional |
| Headline Vulnerability | CVE-2026-21510 (Windows Shell / SmartScreen bypass, CVSS 8.8) |
| MSHTML Framework Bug | CVE-2026-21513 (CVSS 8.8) |
| Office OLE Security Bypass | CVE-2026-21514 (CVSS 7.8) |
| Related Emergency Patch | CVE-2026-21509 (Jan 26, out-of-band update) |
| Attack Type | One-click exploits via malicious links, shortcuts, or Office documents |
| Credited Researchers | Google’s Threat Intelligence Group and independent researchers |
| Advisory Resource | Microsoft Security Response Center |
| US Reporting Authority | Cybersecurity and Infrastructure Security Agency (CISA) |

The Windows Shell bug is made worse by the fact that, at the time of patching, Microsoft acknowledged that the technical details of how to exploit it were already available to the public. Microsoft did not respond to requests for additional information, nor did it specify where or by whom. The implication is fairly clear. The time between “researched by a few nation-state groups” and “being sold on criminal marketplaces” usually closes in a matter of days once exploitation instructions are made public. This is how vulnerabilities are disclosed in the modern era. It’s getting faster and it’s ugly.

There are two more zero-days involving parts that ought to have been retired years ago. The rendering engine that drove the long-dead Internet Explorer, MSHTML, is the target of CVE-2026-21513. Because legacy apps rely on MSHTML for backward compatibility—a polite way of saying that nobody wants to be the engineer who breaks a hospital’s 2009 scheduling software—MSHTML is still present in modern Windows. Attackers are aware of this. For the better part of ten years, they have been mining MSHTML for exploits. The fact that this engine still appears in zero-day attacks in 2026 is a silent critique of how difficult it is to remove outdated code once it has become ingrained in the system. Microsoft made an attempt. The bugs never stop.
Meanwhile, Office’s OLE security controls are the target of CVE-2026-21514. Opening a malicious Word document can allow arbitrary code execution and get around Microsoft 365’s security measures. On January 26, Microsoft had to release an emergency out-of-band patch for CVE-2026-21509, a close cousin of this one, after similar exploitation activity was discovered. The pattern is evident to anyone who has been keeping an eye on Office-based phishing campaigns during the previous two years. Coordinated threat actors, who are frequently driven by financial gain, take advantage of these vulnerabilities as soon as they are discovered, sometimes even in a matter of hours.
Reading the response forums this week has given security researchers the impression that something structural has changed. The story of a “disgruntled hacker” who released a second Windows Defender zero-day exploit just hours after Microsoft patched the first one can be found in Reddit’s r/msp thread. According to the hacker, Microsoft closed the case without taking any action after he initially reported the vulnerabilities in a responsible manner. He then made the exploits public. He supposedly has more. It’s not the kind of headline that any vendor wants, and it raises unsettling concerns about how Microsoft’s security triage process is holding up under the pressure of a much larger codebase and, as several commenters noted, waves of internal layoffs. Correlation does not imply causation. However, there are fewer people maintaining the software now than there were two years ago, and it isn’t getting any easier.
It’s worth stopping to consider how well-coordinated the attacks are. This was not a single group discovering a single bug. According to threat intelligence reports from Google’s team as well as Microsoft’s own advisories, several actors are chaining these vulnerabilities together in campaigns that target enterprise networks in North America, Europe, and Asia. The combination is especially risky. The payload gets past the first defenses thanks to a SmartScreen bypass. The code is executed through an Office OLE bypass or an MSHTML vulnerability. Two of the six exploited elevation-of-privilege bugs grant the attacker administrator rights. When you combine them, you have a single campaign that includes the entire kill chain from phishing emails to domain compromise. This playbook has long been used by advanced persistent threat groups. The speed at which the public exploit code is catching up to them is novel.
It’s difficult to ignore the shift in the emergency patching cadence. An out-of-band update was released in January. Patch Tuesday in February was essentially a fire drill. These days, security teams half-jokingly discuss Patch Wednesday, which is the rush to test fixes against production environments before they break something crucial. The advice is straightforward and well-known for users and small businesses without dedicated IT staff: turn on automatic updates, minimize administrator privileges whenever feasible, and handle unexpected links or Office attachments with the suspicion they’ve always merited. Whether Microsoft’s security posture is keeping up with the ecosystem attacking it is the bigger question for everyone else. The response seems awkward this month. It must improve by next month.









