Microsoft’s latest security update is littered with zero-day vulnerabilities, actively exploited defects that account for more than 10% of the total CVEs the vendor addressed in this month’s Patch Tuesday update.

The vendor addressed 59 vulnerabilities affecting its various products for business operations and underlying systems, including six defects that were actively exploited prior to Microsoft’s release of its monthly batch of patches. Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.

“The number of bugs under active attack is extraordinarily high,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post.

Microsoft’s February security update matched the high it reached last March when it disclosed six actively exploited zero-days.

The highest rated zero-days, a pair of defects with CVSS ratings of 8.8, include CVE-2026-21510 affecting Windows Shell 8.8 and CVE-2026-21513 affecting Internet Explorer. Both vulnerabilities require user interaction and could allow attackers to execute code.

Mike Walters, president and co-founder of Action1, said CVE-2026-21510 is caused by a protection mechanism failure that allows an attacker to bypass Windows protections by tricking a user to click on a single malicious link.

“Functional exploit techniques exist, demonstrating reliable bypass of Windows Shell and SmartScreen security prompts through crafted links or shortcut files. No privileges are required by the attacker, making this vulnerability highly attractive for phishing-based attacks,” Walters said in a blog post.

The remaining zero-days include three defects with CVSS ratings of 7.8: CVE-2026-21514 affecting Microsoft Office Word, CVE-2026-21519 affecting Desktop Window Manager, and CVE-2026-21533 affecting Windows Remote Desktop. CVE-2026-21525, which affects Windows Remote Access Connection Manager, has a CVSS rating of 6.2.

The Cybersecurity and Infrastructure Security Agency added all six of the zero-days to its known exploited vulnerabilities catalog Tuesday.

Three of the vulnerabilities — CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514 — bear strong similarities as security feature bypasses, Satnam Narang, senior staff research engineer at Tenable, said in an email.

These security features protect users from opening malicious files, he said. “Users have grown accustomed to receiving these alerts, so when vulnerabilities can bypass those protection mechanisms, users are more at risk of compromise.”

Microsoft disclosed two critical vulnerabilities with CVSS ratings of 9.8 this month, including CVE-2026-21531 affecting Azure SDK and CVE-2026-24300 affecting Azure Front Door.

The vast majority of defects Microsoft addressed this month fell into the high-severity category, accounting for 43 vulnerabilities total. The vendor described five of those vulnerabilities as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities appeared first on CyberScoop.

Microsoft’s first security update of 2026 addressed 112 vulnerabilities affecting its products and underlying systems, including one actively exploited zero-day in Desktop Window Manager. 

The company’s latest Patch Tuesday update marks the second consecutive month with no critical vulnerabilities disclosed. The batch of patches also contains more than 110 CVEs for the second January in a row. 

The zero-day vulnerability — CVE-2026-20805 — is an information disclosure defect with a CVSS rating of 5.5 that can be exploited by an unauthorized attacker to expose sensitive information. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Tuesday.

Information disclosure vulnerabilities are sporadically exploited in the wild, but not often, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This shows how memory leaks can be as important as code execution bugs since they make the remote code executions reliable,” he wrote in a blog post.

Jack Bicer, director of vulnerability research at Action1, concurred, added that the memory exposed by exploitation of CVE-2026-20805 can undermine defenses and bolster additional exploits. 

“This vulnerability increases the risk of successful multi-stage attacks,” Bicer said in an email. “Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure and loss of trust.”

Microsoft did not say how many attacks are linked to the zero-day. Yet, exploitation requires an attacker to have local access on the targeted system, Satnam Narang, senior staff research engineer at Tenable, said in an email.

“While Desktop Window Manager is a frequent flyer on Patch Tuesday with 20 CVEs patched in this library since 2022, this is the first time we’ve seen an information disclosure bug in this component exploited in the wild,” he added. “Attackers have historically used it to climb the ladder of privileges.”

The most severe defects disclosed by Microsoft this month include CVE-2026-20947 and CVE-2026-20963 affecting Microsoft Office SharePoint, CVE-2026-20868 affecting Windows Routing and Remote Access Service, CVE-2026-20952 and CVE-2026-20955 affecting Microsoft Office, and CVE-2026-20944 affecting Microsoft Office Word. 

Microsoft also flagged eight vulnerabilities, each with a CVSS rating of 7.8, as more likely to be exploited this month. 

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day appeared first on CyberScoop.