Microsoft urgent patch: Hackers exploit critical Windows and Office vulnerabilities

Microsoft has confirmed that hackers are actively exploiting multiple critical 'zero-day' vulnerabilities affecting its widely used Windows operating system and Office productivity suite, prompting an urgent push for patches in the latest monthly update.

In a security advisory issued alongside its February 2026 Patch Tuesday updates, Microsoft disclosed that at least six zero-day vulnerabilities — flaws being attacked before widespread public fixes were available — were being actively abused in the wild. The bugs affect core components of Windows and Office, including the Windows Shell and Office’s document handling routines.

Among the most severe is a Windows Shell security feature bypass (CVE-2026-21510) that can let attackers trick users into opening malicious links or shortcuts that execute code without triggering normal Windows warnings. Other actively exploited flaws include a bypass issue in Microsoft 365 and Office OLE security, and vulnerabilities in Internet Explorer components that could enable remote code execution.

Microsoft’s Patch Tuesday release addresses roughly 60 vulnerabilities overall, with the zero-days drawing urgent attention from IT security professionals because attackers can leverage them with little more than social engineering or user interaction.

Security firms and threat analysts are reinforcing Microsoft’s call for rapid patching. In related reporting, defenders noted that similar Office vulnerabilities have been exploited in coordinated campaigns by advanced persistent threat groups that leverage zero-day bugs soon after they are disclosed or patched, underscoring the speed at which exploit code can emerge.

Past Patch Tuesday cycles show this pattern isn’t new. For example, earlier emergency patches for Office zero-days required out-of-band updates after exploitation was observed shortly after disclosure, highlighting the ongoing challenges of securing widely deployed software against sophisticated attackers.

Frequent zero-day exploitation also mirrors broader industry trends in which major platforms must continually defend against attacks that arise before fixes are widely installed. Similar pressures have been seen across other technology vendors, with both Google and Apple issuing emergency updates after zero-day incidents in recent months.

Cybersecurity experts are urging organisations and end users alike to apply Microsoft’s latest updates immediately, while also reinforcing best practices such as limiting administrator privileges, enabling automatic updates where possible, and educating users about phishing risks — a common vector for zero-day exploitation.