Patch Tuesday: Microsoft pushes fixes for SIX zero days – MSHTML under attack again

Microsoft has pushed fixes for six actively exploited vulnerabilities 

Patch Tuesday is not big on CVE volumes (62, including third-party bugs) but in terms of zero days, it’s a fat one at six known-exploited.

If there’s any consolation, it’s that none are remote code execution (RCE) bugs – instead they include three Security Feature Bypass (SFB), two elevation of privilege (EOP), and one denial of service (DOS). 

Here’s the six Microsoft vulnerabilities seen exploited already.

• CVE-2026-21514 – Microsoft Word SFB (CVSS 7.8.)
• CVE-2026-21510 – Windows SmartScreen and Windows Shell SFB (CVSS 8.8)
• CVE-2026-21513 – MSHTML Framework SFB (CVSS 8.8)
• CVE-2026-21519 – Desktop Window Manager EOP (CVSS 7.8)
• CVE-2026-21525 – Windows Remote Access Connection D0S (CVSS 6.2)
• CVE-2026-21533 – Windows Remote Desktop Services EOP (CVSS 7.8)

The exploited vulnerabilities above were reported, in that order, by: 1) Google Threat Intelligence Group and an anonymous researcher – Microsoft also took credit; 2) Ditto; 3) Ditto; 4) Microsoft; 5) 0patch; 6) CrowdStrike. Two of them arguably stand out to The Stack…

MSHTML and Remote Desktop abuse...

First, it’s notable that the legacy MSHTML system is again being targeted – following CVE-2025-33053, CVE-2025-30397, and CVE-2024-38112, to name just three examples of recently exploited MSHTML vulnerabilities. 

(The latter was described by Trend Micro as “a prime example of how unsupported Windows relics are an overlooked attack surface…) 

MSHTML is a bug-riddled browser rendering engine that is also used by Microsoft Office documents. IE mode on the Microsoft Edge browser also still uses it for backwards compatibility with legacy sites.

CVE-2026-21513 requires a user to “open a malicious HTML file or shortcut (.lnk) file [that] manipulates browser and Windows Shell handling, causing the content to be executed by the [OS]. This allows the attacker to bypass security features and potentially achieve code execution” Redmond said.

Serious risk

The Windows Remote Desktop bug CVE-2026-21533, is also notable. As Jack Bicer, Director of Vulnerability Research at Action1 notes, it turns “ limited access into full SYSTEM control, putting entire Windows hosts at risk. “

He added: “Because Remote Desktop is commonly enabled in enterprise and administrative environments, this vulnerability poses a serious risk to domain-joined systems and critical infrastructure.  If immediate patching is not possible, organizations should restrict local user access, closely monitor Remote Desktop activity, and apply the principle of least privilege…”

Segment ya goddamn networks!

In other patch-related security news, CISA today urged operational technology (OT) asset owners to carefully review and act on a report from Poland – which details how an attacker targeted energy plants and a manufacturing company, then deployed damaging “wiper” malware. 

The success of the attacks was due in large part to woeful basic cyber-hygiene. The report by Poland’s CERT Polska agency in late December showed that the attackers targeted FortiGate VPN/Firewalls that were exposed to the public internet, unpatched, and without MFA enabled for the whitelisted users. It also cited widespread use of default passwords. 

CISA today implored energy and other companies with OT in place to:

Remove OT connections to the public internet. OT devices are easy targets.. and are quickly found by searching for open ports on public IP ranges with search engine tools to target victims with OT components 

Secure remote access to OT networks. Upgrade to a private IP network connection to remove OT assets from the public internet and use VPN functionality with a strong password and phishing-resistant MFA. 

Segment IT and OT networks. Segmenting critical systems and introducing a demilitarized zone for passing control data to enterprise logistics reduces the potential impact of cyber threats and reduces the risk of disruptions.

Practice and maintain the ability to operate OT systems manually. The capability for organizations to revert to manual controls to quickly restore operations is vital in the immediate aftermath of an incident. 

CISA added: “Business continuity and disaster recovery plans, fail-safe mechanisms, islanding capabilities, software backups, and standby systems should all be routinely tested to ensure safe manual operations…”