Microsoft Fixes Six Exploited Bugs in February Patch Tuesday Updates
The exploited vulnerabilities in question exist across various products, from Microsoft Word to Windows Shell.

February 11, 2026 | 3 min read

Microsoft’s Patch Tuesday updates this month included fixes for six vulnerabilities that are being exploited in the wild. Overall, the tech company addressed more than 60 CVEs.
The exploited vulnerabilities in question exist across various products, from Microsoft Word to Windows Shell. Microsoft fixed three previously undisclosed and actively exploited flaws, including two important-severity privilege elevation bugs. As usual, Microsoft did not provide details about how the flaws are being exploited.
One of these (CVE-2026-21533) exists in Windows Remote Desktop Services (Microsoft’s built-in feature allowing users to access remote desktops and applications) and stems from improper privilege management. The flaw, which was discovered by Advanced Research Team/CrowdStrike researchers, could be exploited by an authorized attacker, and could enable them to gain SYSTEM privileges.
The other elevation-of-privilege (EoP) flaw exists in Desktop Window Manager (CVE-2026-21519), Microsoft’s feature that enables graphical user interface effects like high-resolution support. Exploitation of this flaw, which was found internally, could also allow a threat actor to gain SYSTEM privileges.
“Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally,” according to Microsoft.
The final undisclosed exploited bug (CVE-2026-21525) exists in Windows Remote Access Connection Manager, a Windows service that manages VPN and dial-up connections. This flaw is ranked as moderate severity and stems from a null pointer dereference, allowing an unauthorized attacker to launch local DoS attacks.
Microsoft also patched three previously disclosed bugs, including two that rank 8.8 out of 10 on the CVSS scale. These include a protection mechanism failure (CVE-2026-21510) in Windows Shell (Microsoft’s key graphical user interface feature for Windows) that could enable unauthorized attackers to bypass a security feature over a network.
“An attacker could bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, allowing attacker‑controlled content to execute without user warning or consent,” according to Microsoft. Of note, however, an attacker would first need to convince a target to open a malicious link or shortcut file.
The other 8.8 CVSS bug (CVE-2026-21513) is a security feature bypass in MSHTML Framework, Microsoft’s browser rendering engine. Specifically, the flaw allows attackers to bypass prompts when executing a file, said Microsoft.
“An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download,” according to Microsoft. “The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system. This allows the attacker to bypass security features and potentially achieve code execution.”
These flaws were both discovered by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, as well as Google Threat Intelligence Group.
Finally, Microsoft released fixes for a security feature bypass flaw in Microsoft Word (CVE-2026-21514), which stems from “reliance on untrusted inputs in a security decision in Microsoft Office Word.” In order to exploit the flaw, an attacker would need to send a target a malicious Office file and convince them to open it.
“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” according to Microsoft.
These flaws have also been added to CISA’s Known Exploited Vulnerabilities catalog, and government agencies have set deadlines for applying the provided patches. The regularly scheduled update comes a few weeks after Microsoft released an out-of-band emergency patch for a security bypass flaw in several versions of Office (CVE-2026-21509).