CISA has added six newly discovered Microsoft zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active attacks in the wild. In this month’s Patch Tuesday rollout, Microsoft addressed these flaws along with more than 50 additional security issues, urging organizations to patch immediately.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed evidence of active exploitation targeting six newly disclosed Microsoft vulnerabilities. Two of them are rated High (CVSS 8.8) and allow attackers to bypass security protections in Windows and MSHTML.
The actively exploited vulnerabilities include:
CVE-2026-21510 – Windows Shell Security Feature Bypass
CVE-2026-21513 – MSHTML Framework Security Feature Bypass
CVE-2026-21514 – Microsoft Word Untrusted Input Security Decision flaw
CVE-2026-21519 – Windows Type Confusion vulnerability
CVE-2026-21525 – NULL Pointer Dereference vulnerability
CVE-2026-21533 – Remote Desktop Services Elevation of Privilege
Security feature bypass vulnerabilities are particularly concerning as they can be leveraged in phishing campaigns via embedded web content in Office documents.
Experts also advise paying close attention to Azure vulnerabilities released this month. Unlike traditional Windows updates, several cloud fixes require manual configuration changes, script updates, or component upgrades, increasing the risk of operational oversight.

CISA’s KEV catalog tracks vulnerabilities with confirmed real-world exploitation. U.S. federal agencies are mandated to remediate them within strict deadlines, and CISA strongly recommends private organizations follow the same prioritization model.
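As an added illustration of that prioritization model (example code written for this page, not from CISA or Microsoft): the script below reads a constructed sample in the shape of CISA's KEV JSON feed, matches it against a list of CVEs a scanner reported for an environment, and orders the hits by how close or overdue their KEV due date is. Field names follow the published KEV feed; the due dates, the ransomware flag, the inventory and the fixed "today" are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs are the ones named above; due dates and the ransomware flag are made-up values.
SAMPLE_KEV = json.dumps({"catalogVersion": "sample", "vulnerabilities": [
    {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows Shell Security Feature Bypass",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-21533", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Remote Desktop Services Elevation of Privilege",
     "dateAdded": "2026-02-10", "dueDate": "2026-02-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-21514", "vendorProject": "Microsoft", "product": "Office",
     "vulnerabilityName": "Microsoft Word Untrusted Input Security Decision",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: CVEs a vulnerability scanner reported for our hosts.
# The last entry is a placeholder that is deliberately absent from the KEV sample.
INVENTORY = ["CVE-2026-21514", "CVE-2026-21510", "CVE-2026-21533", "CVE-0000-0000"]


def prioritize(kev_json, installed_cves, today):
    """Return inventory CVEs that appear in KEV, most urgent first: overdue,
    then known ransomware use, then soonest deadline. days_left is negative
    once the CISA remediation deadline has passed."""
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    hits = []
    for cve in installed_cves:
        entry = catalog.get(cve)
        if entry is None:          # not in KEV: patch on the normal cycle
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "name": entry["vulnerabilityName"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: (h["days_left"] >= 0, not h["ransomware"], h["days_left"]))
    return hits


def demo(today_iso="2026-03-05"):
    """Run the sample with a fixed 'today' (assumed) so the result is reproducible."""
    return prioritize(SAMPLE_KEV, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for h in demo():
        flag = "OVERDUE" if h["days_left"] < 0 else f"{h['days_left']}d left"
        print(f"{h['cve']}  due {h['due']}  {flag}  {h['name']}")
```

Swapping SAMPLE_KEV for the downloaded feed and INVENTORY for scanner output gives a patch queue ordered the way CISA's deadlines order it.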
While Windows and Office desktop patches are relatively straightforward to deploy, the active exploitation of these zero-days significantly increases phishing and post-compromise privilege escalation risks. This month, organizations should also focus on reviewing Azure environments, where remediation may require additional operational effort.