Microsoft’s February 2026 Patch Tuesday addresses 54 vulnerabilities across Windows, Office, Azure services, Exchange Server and developer tools, including six zero-day flaws that the company says were already being exploited in the wild.
The update is smaller in volume than some recent cycles but carries heightened urgency for enterprise defenders because the actively exploited bugs hit core components used broadly in corporate environments. The zero-days span Windows Shell, the MSHTML platform, Microsoft Word, Desktop Window Manager, Remote Access Connection Manager and Remote Desktop Services.
Security researchers warn that several of these flaws allow attackers to bypass Windows security features designed to warn users about risky files or to limit the impact of malicious documents. Others provide elevation of privilege paths that can be chained with phishing or remote code execution exploits to gain SYSTEM-level control on target machines.
Beyond the zero-days, Microsoft’s advisory highlights a heavy concentration of elevation of privilege issues — 25 of the 54 vulnerabilities fall into that category — along with 12 remote code execution bugs, seven spoofing issues, six information disclosure flaws, five security feature bypasses and three denial-of-service vulnerabilities. A number of the most severe CVEs affect enterprise infrastructure such as Exchange Server and Azure services.
For messaging environments, a spoofing vulnerability in Exchange Server underscores that email infrastructure remains a high value target and requires prompt patching. On the cloud side, fixes for Azure Container Instances, Azure Function and Azure Front Door address issues with potential information disclosure, remote code execution and privilege escalation paths in multi-tenant services that underpin many enterprise workloads.
Developer-focused products are also in scope. Several CVEs impact GitHub Copilot and Visual Studio, raising the stakes for teams that use those tools in CI/CD pipelines. A separate bug affecting Microsoft Defender for Linux shows how endpoint and security products themselves can become part of the attack surface if not kept current.
Microsoft’s advisory notes that exploitability ratings for this month’s CVEs range from “Exploitation Detected” and “Exploitation More Likely” to “Exploitation Less Likely” and “Exploitation Unlikely.” For many of the high-risk issues, the company lists no workarounds or mitigations beyond applying the patches, reinforcing that timely deployment is the primary defensive measure.
Organizations running Windows 10 and Windows 11 should review the February security updates via the Microsoft Update Catalog and ensure that systems tied to internet-facing services, identity infrastructure and collaboration tools are prioritised. Given that several of the zero-days are being used in active campaigns, leaving unpatched machines in production environments significantly increases exposure to targeted attacks and opportunistic exploitation alike.
