Critical Threat Intelligence & Advisory Summaries


Six Microsoft Zero-Days Under Active Exploitation - Patch Before March 3

WASHINGTON, D.C. - February 16, 2026 - The Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory federal directive requiring the remediation of six Microsoft zero-day vulnerabilities by March 3. Linked to active exploitation by nation-state actors including Salt Typhoon, these flaws represent a critical escalation in the 2026 vulnerability landscape.

Executive Summary:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six Microsoft zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation by nation-state actors. Federal civilian agencies must remediate affected systems by the catalog's hard deadline of March 3, 2026, and enterprises should treat the same date as their own ceiling. Chained together, these flaws let attackers slip past SmartScreen and Office security prompts, gain SYSTEM-level access, and create unauthorized administrator accounts, putting networks and sensitive data at risk.

 


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six actively exploited Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The move follows confirmation that nation-state groups, including the Chinese state-sponsored actor Salt Typhoon, are weaponizing these flaws against government and private-sector targets and their supply chains.

Federal civilian agencies have a mandatory remediation deadline of March 3, 2026 under Binding Operational Directive 22-01, which signals that the threat is not theoretical: exploitation is already under way.

 

The "Perfect Storm": 2026 Vulnerability Surge

This latest emergency arrives as disclosure volume hits a new high. According to the Forum of Incident Response and Security Teams (FIRST) 2026 forecast, the industry is on track to disclose more than 59,000 new vulnerabilities this year (the forecast's median estimate), a volume that changes how organizations must manage risk.

 

    "The number of reported vulnerabilities isn’t just growing; it’s accelerating," says Eireann Leverett, FIRST liaison. "Security teams can no longer afford a reactive approach."

 

Key Stats: The Growing Attack Surface

- 11% increase: Predicted growth in published CVEs for 2026 versus 2025.

- 39 KEV additions: Microsoft led all vendors in 2025, accounting for 80% of CISA's critical patching priorities.

- 32% reality check: Only 32% of KEV-listed bugs are initial-access vulnerabilities. The rest are used after a foothold already exists: stealing credentials, escalating privileges and moving laterally without being noticed.

 

Breakdown: The 6 Zero-Days You Must Patch Now

These vulnerabilities are often chained together: an attacker uses one (a security feature bypass or a malicious document) to get code running as the logged-on user, and another (a privilege escalation) to become SYSTEM.


1. The "Ghost Entry" (CVE-2026-21510)


- What it is: A security feature bypass in the Windows Shell.

- The Risk: Attackers trick users into clicking a link or shortcut that silently bypasses Windows SmartScreen, so the download or launch is never flagged.

- Non-Tech Summary: Like a thief who can walk past your home security alarm without it ever making a sound.

 

2. The Browser Rendering Bypass (CVE-2026-21513)


- What it is: A security feature bypass in the MSHTML framework, the legacy Internet Explorer rendering engine that Windows still ships and that Office and other applications embed.

- The Risk: A crafted HTML file suppresses the security prompt that would normally warn the user before the content is opened.

- Non-Tech Summary: A web page that slips past the "are you sure?" dialog, so you never get the chance to say no.

 

3. The Malicious Word Doc (CVE-2026-21514)


- What it is: A security feature bypass in Microsoft Word's handling of OLE (embedded object) content.

- The Risk: Bypasses the "Enable Content" warning Word would normally show before embedded content is activated.

- Non-Tech Summary: You open what looks like a standard invoice and the payload runs immediately, without Word asking for your permission.

 

4. The System Hijacker (CVE-2026-21519)


- What it is: Desktop Window Manager (DWM) Elevation of Privilege.

- The Risk: Lets an attacker who already runs code as a normal user escalate to SYSTEM, the highest local privilege on Windows.

- Non-Tech Summary: Once a hacker has a foot in the door, this bug hands them the master keys to the entire building.

 

5. The Remote Access Shutdown (CVE-2026-21525)


- What it is: Remote Access Connection Manager (RasMan) Denial of Service.

- The Risk: Crashes the service that manages VPN and dial-up connections, cutting off remote connectivity.

- Non-Tech Summary: A sabotage bug that can knock your remote employees offline and stall the business.

 

6. The Remote Desktop Master Key (CVE-2026-21533)


- What it is: Windows Remote Desktop Services (RDS) Elevation of Privilege.

- The Risk: Reported by CrowdStrike; allows an attacker to add accounts to the local Administrators group.

- Non-Tech Summary: An attacker creates their own admin account on your server, a foothold that survives even after the door they came through is closed.

Why "Prioritization" is Your Only Defense

Security teams are overwhelmed. The February 2024 Change Healthcare ransomware incident, which ultimately affected roughly 192 million people, was a stark reminder of what a single unremediated, well-known weakness costs: in that case the entry point was a remote-access portal reachable with stolen credentials and no multi-factor authentication, and the result was weeks of operational collapse across U.S. healthcare payments. An unpatched KEV entry is the same kind of known, fixable exposure.

 

FIRST Strategic Guidance

Stop trying to patch everything at once. Treat the KEV catalog as a binary signal: a CVE is either on it or it is not.

Priority 1: KEV-listed bugs. Patch within 21 days of listing at the latest; for these six that means March 3.

Priority 2: High EPSS scores (likely to be exploited soon). Schedule for the next out-of-band window.

Priority 3: Everything else, on the standard patch cycle.
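
The three tiers above, turned into a repeatable triage script. This is an added example, not code from the original article or from FIRST or CISA. The KEV feed and EPSS response embedded below are constructed samples that follow the real schemas of the CISA KEV JSON feed and the FIRST EPSS API (only the two KEV CVE IDs and their March 3 due date come from this article; the CVE-2026-9000x entries and their EPSS scores are made up for illustration); the 0.10 EPSS threshold is an assumption to tune to your own risk appetite. For live use, replace the two here-strings with Invoke-RestMethod calls against the URLs named in the comments.

```powershell
# Added example (not from the original article, FIRST or CISA): KEV-first,
# EPSS-second patch triage. $kevJson and $epssJson are CONSTRUCTED samples in the
# schema of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and https://api.first.org/data/v1/epss?cve=... ; swap in Invoke-RestMethod for live data.

$EpssThreshold = 0.10   # assumption: probability-of-exploitation cut-off for Priority 2

$kevJson = @'
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    { "cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "dueDate": "2026-03-03" },
    { "cveID": "CVE-2026-21533", "vendorProject": "Microsoft", "dueDate": "2026-03-03" }
  ]
}
'@

$epssJson = @'
{ "status": "OK", "data": [
    { "cve": "CVE-2026-90001", "epss": "0.62310", "percentile": "0.99210" },
    { "cve": "CVE-2026-90002", "epss": "0.00180", "percentile": "0.41000" }
] }
'@

# Index both feeds by CVE ID (PowerShell hashtable keys are case-insensitive).
$kev  = @{}
foreach ($v in (ConvertFrom-Json $kevJson).vulnerabilities) { $kev[$v.cveID] = $v }
$epss = @{}
foreach ($e in (ConvertFrom-Json $epssJson).data) { $epss[$e.cve] = [double]$e.epss }

function Get-PatchPriority {
    param([Parameter(Mandatory)][string[]]$Cve)
    $today = (Get-Date).Date
    foreach ($raw in $Cve) {
        $id = $raw.Trim().ToUpperInvariant()
        if ($kev.ContainsKey($id)) {
            # Priority 1: KEV listing is the binary signal; the catalog's own due date is the deadline.
            $due = [datetime]$kev[$id].dueDate
            [pscustomobject]@{ CVE = $id; Priority = 1; Reason = 'CISA KEV';
                               DueDate = $due.ToString('yyyy-MM-dd'); DaysLeft = ($due - $today).Days }
        } elseif ($epss.ContainsKey($id) -and $epss[$id] -ge $EpssThreshold) {
            # Priority 2: not yet known-exploited, but EPSS says exploitation is likely soon.
            [pscustomobject]@{ CVE = $id; Priority = 2; Reason = ('EPSS {0:P1}' -f $epss[$id]);
                               DueDate = 'next out-of-band window'; DaysLeft = $null }
        } else {
            # Priority 3: everything else rides the normal monthly cycle.
            $why = if ($epss.ContainsKey($id)) { 'EPSS {0:P1}' -f $epss[$id] } else { 'no EPSS score' }
            [pscustomobject]@{ CVE = $id; Priority = 3; Reason = $why;
                               DueDate = 'standard cycle'; DaysLeft = $null }
        }
    }
}

# Usage: feed it the CVE IDs from a scanner export; KEV entries sort to the top.
Get-PatchPriority -Cve 'CVE-2026-90002', 'CVE-2026-21533', 'CVE-2026-90001', 'CVE-2026-21510' |
    Sort-Object Priority, DaysLeft |
    Format-Table -AutoSize
```

The point of the design is that EPSS never demotes a KEV entry: the KEV check runs first and short-circuits, so a low EPSS score on a confirmed-exploited bug cannot push it out of Priority 1.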

Action Plan: What To Do Today

   
- Inventory: Identify every system running Windows 10/11, Windows Server (RDS hosts in particular), and Microsoft Office / Microsoft 365 Apps, since the Word flaw is fixed on the Office side.
- Patch: Deploy the February 2026 Windows cumulative update, plus the corresponding Office update, immediately; the March 3 KEV due date is a ceiling, not a target.
- Verify: Confirm after patching that SmartScreen and Credential Guard are still enabled and enforced, rather than assuming it.
- Monitor: Watch for newly created local or domain accounts and for additions to the Administrators group, especially on RDS hosts.
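
A single script covering the Inventory, Verify and Monitor steps above, to run in an elevated PowerShell session on each host (or through remoting). This is an added example, not code from the original article or from Microsoft or CISA. The registry paths, CIM class, event IDs and SIDs are documented Windows values; the approved-operator list ($ApprovedAdminActors) and the seven-day look-back window are assumptions to adjust for your environment, and the script reports the OS build and recent hotfixes for you to compare against Microsoft's February 2026 release notes rather than hard-coding a KB number.

```powershell
# Added example (not from the original article, Microsoft or CISA): post-patch
# verification plus detection of unexpected admin changes. Assumptions are marked.

$ApprovedAdminActors = @('CORP\svc-rds-admin')   # assumption: accounts allowed to create admins

function Test-SmartScreenEnforced {
    # The Group Policy value (EnableSmartScreen, 1 = on) takes precedence over the
    # machine-wide Explorer setting, whose values are Off / Warn / Block (older: RequireAdmin).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                            -Name EnableSmartScreen -ErrorAction SilentlyContinue
    if ($pol) { return ($pol.EnableSmartScreen -eq 1) }
    $exp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                            -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    return [bool]($exp -and $exp.SmartScreenEnabled -ne 'Off')
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is
    # actually running (2 is HVCI). "Configured" is not "running", so check this property.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Get-SuspiciousAdminChanges {
    param([int]$Days = 7)   # assumption: look-back window
    # 4720 = user account created; 4732 = member added to a local security group;
    # 4728 = member added to a global security group. Built-in Administrators is
    # S-1-5-32-544; Domain Admins is <domain SID>-512.
    $filter = @{ LogName = 'Security'; Id = 4720, 4732, 4728; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        switch ($evt.Id) {
            4720    { $hit  = $true
                      $what = "account created: $($d.TargetDomainName)\$($d.TargetUserName)" }
            default { $hit  = ($d.TargetSid -eq 'S-1-5-32-544') -or ($d.TargetSid -like '*-512')
                      $what = "$($d.MemberSid) added to $($d.TargetUserName) ($($d.TargetSid))" }
        }
        if ($hit -and ($actor -notin $ApprovedAdminActors)) {
            [pscustomobject]@{ Time = $evt.TimeCreated; EventId = $evt.Id; Actor = $actor; Change = $what }
        }
    }
}

# Inventory + Verify: one record per host, suitable for Export-Csv across the fleet.
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    OSBuild         = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    RecentHotfixes  = ((Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3).HotFixID) -join ', '
    SmartScreen     = Test-SmartScreenEnforced
    CredentialGuard = Test-CredentialGuardRunning
} | Format-List

# Monitor: unexpected new accounts or admin-group additions in the look-back window.
Get-SuspiciousAdminChanges -Days 7 | Format-Table -AutoSize
```

The group check keys on the group SID rather than its display name, because the Administrators group can be renamed but S-1-5-32-544 cannot; for the same reason the member is reported by SID, since MemberName is often "-" for domain accounts in 4732 events.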

 

Understand Your Risk: Click Each CVE

Each Microsoft zero-day listed above links to a dedicated single-page HackerStorm report that provides:

- Threat intelligence, related news, and vendor advisories

- Technical and business impact analysis

- EPSS scores with contextual ratings tailored for different industries, example environments, and security maturity levels

 

Next step: Click each CVE link to see how it affects your environment and prioritize patches accordingly. Don't just patch, patch smart. Our review of the advice and guidance from FIRST is linked here.

 



 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy.

 


 

 


 

References:

- CISA Known Exploited Vulnerabilities Catalog
- FIRST 2026 Vulnerability Forecast (official report)
- Microsoft Security Update Guide, February 2026
- CrowdStrike Adversary Intelligence Report: Salt Typhoon
- https://www.cisa.gov/news-events/news
- https://nvd.nist.gov
- https://www.ncsc.gov.uk/section/keep-up-to-date/reports-advisories
- https://cert.europa.eu/publications/security-advisories/2024
- https://cert.europa.eu/publications/threat-intelligence/cb24-03
- https://www.jpcert.or.jp/english/at/2024.html
- https://auscert.org.au/bulletins
- https://www.csa.gov.sg/alerts-advisories/security-bulletins

 

This article synthesizes findings from cybersecurity reports, academic research, vendor security advisories, and documented breach incidents to provide an overview of the security threat landscape as of February 2026.
