- CVE-2026-21510 — Windows Shell — Security feature bypass (CVSS 8.8); circumvents SmartScreen and Shell warnings via a malicious link or shortcut file. Publicly disclosed and actively exploited.
- CVE-2026-21513 — MSHTML Framework — Security feature bypass (CVSS 8.8); the MSHTML rendering engine remains active in Windows, even when IE is not the default browser, including through IE mode in Edge. Publicly disclosed and actively exploited.
- CVE-2026-21519 — Desktop Window Manager — Elevation of privilege (CVSS 7.8); type confusion allowing SYSTEM escalation. Actively exploited.
- CVE-2026-21533 — Windows Remote Desktop Services — Elevation of privilege (CVSS 7.8); improper privilege management allowing SYSTEM escalation. Actively exploited.
- CVE-2026-21525 — Windows Remote Access Connection Manager — Denial of service (CVSS 6.2); null pointer dereference. Actively exploited.
CISA has added all six actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog with an enforcement deadline of March 3. Additional Windows components receiving updates include the Ancillary Function Driver (afd.sys), HTTP protocol stack (http.sys), Hyper-V, Secure Boot, LDAP, and GDI+ — none critical or actively exploited, but the breadth of changes warrants testing before broad deployment.
With actively exploited vulnerabilities and a CISA deadline of March 3, this is a Patch Now release for Windows; confirmed in-the-wild exploitation across Shell, MSHTML, DWM, Remote Desktop, and Remote Access leaves little room for delay.
Microsoft Office
Microsoft released security updates for Word 2016 (KB5002839), Excel 2016 (KB5002837), and Office 2016 (KB5002713), alongside updates for SharePoint Server 2016, 2019, Subscription Edition, and Office Online Server. These updates apply to MSI-based installations only and don’t apply to Click-to-Run deployments such as Microsoft 365:

