On February 11, 2026, Microsoft released security updates addressing 59 vulnerabilities in its software ecosystem, including six zero-day vulnerabilities actively exploited in the wild. These flaws include five critical, 52 important, and two moderate severity issues. The vulnerabilities cover a range of attack vectors: 25 privilege escalations, 12 remote code executions, 7 spoofing, 6 information disclosures, 5 security feature bypasses, 3 denial-of-service, and 1 cross-site scripting. The six zero-days include: CVE-2026-21510 and CVE-2026-21513, protection mechanism failures in Windows Shell and MSHTML Framework allowing unauthorized attackers to bypass security features remotely; CVE-2026-21514, a local security bypass in Microsoft Office Word; CVE-2026-21519 and CVE-2026-21533, local privilege escalations in Desktop Window Manager and Windows Remote Desktop requiring prior access; and CVE-2026-21525, a local denial-of-service vulnerability in Windows Remote Access Connection Manager. These vulnerabilities enable attackers to bypass security prompts, elevate privileges to SYSTEM, disable security tools, deploy malware, and potentially achieve full domain compromise. Microsoft and Google Threat Intelligence discovered several of these flaws, which are now publicly known. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six zero-days to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 3, 2026. Additionally, Microsoft is rolling out updated Secure Boot certificates to replace expiring 2011 certificates, critical for maintaining boot-level protections. The company is also enhancing Windows security through the Windows Baseline Security Mode, enforcing runtime integrity safeguards, and User Transparency and Consent frameworks to improve user control over app permissions and security decisions. These updates are part of Microsoft's Secure Future and Windows Resiliency Initiatives, aiming to harden Windows against evolving threats.

European organizations heavily dependent on Microsoft Windows and Office products are at significant risk from these vulnerabilities. The zero-days enable attackers to bypass critical security features remotely and locally escalate privileges, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption of business operations, deployment of ransomware or other malware, and lateral movement within enterprise networks. The exploitation of these flaws could undermine confidentiality, integrity, and availability of IT systems. The update to Secure Boot certificates is crucial for maintaining device security posture; failure to update may expose systems to boot-level attacks and compatibility issues with future software. The broad range of affected components, including core Windows subsystems and widely used applications like Microsoft Office, increases the attack surface. Given the active exploitation and inclusion in CISA’s KEV catalog, the threat is immediate and severe. European critical infrastructure, government agencies, financial institutions, and large enterprises are particularly vulnerable due to their reliance on Microsoft technologies and the potential impact of operational disruption or data breaches.

European organizations should prioritize immediate deployment of Microsoft's February 2026 security updates across all affected systems, focusing on the six actively exploited zero-days. Patch management processes must be accelerated to meet or exceed the urgency demonstrated by CISA’s KEV catalog inclusion. Organizations should verify that Secure Boot certificates are updated before the 2011 certificates expire in June 2026 to maintain boot-level security protections. Implement enhanced endpoint detection and response (EDR) solutions capable of detecting privilege escalation and suspicious activity related to MSHTML, Windows Shell, and Office components. Employ network segmentation and strict access controls to limit lateral movement opportunities for attackers who gain initial access. Enable and enforce Windows Baseline Security Mode and User Transparency and Consent features to reduce attack surface and improve user awareness of security prompts. Conduct targeted threat hunting for indicators of compromise related to these vulnerabilities, especially in high-value assets and critical infrastructure. Educate users about the risks of opening suspicious files, particularly Office and HTML files, which are vectors for some exploits. Finally, maintain up-to-date backups and incident response plans to mitigate potential ransomware or destructive attacks leveraging these vulnerabilities.