Windows 11 Critical Patch: 6 Zero-Days Actively Exploited

Hook & Who This Is For (Intro)

Microsoft has recently addressed a series of critical security flaws that leave systems vulnerable to active exploitation. Reports indicate that the February 2026 Patch Tuesday update includes fixes for six zero-day vulnerabilities out of 59 total CVEs ^[11][16]. For many users, this means their devices may currently be at risk from "in the wild" attacks that can bypass traditional security measures ^[11][15].

This analysis is for Windows 11 and Windows 10 users, as well as system administrators responsible for maintaining Windows Server environments ^[11][15][16]. It is particularly relevant for those managing WSUS (Windows Server Update Services) or using hardware that relies on original Secure Boot certificates ^[7][10][14].

This report covers:

• The impact of the six recently patched zero-day vulnerabilities ^[11][16].
• Critical risks associated with CVE-2025-59287 and CVE-2025-9491 ^[10][15].
• The upcoming Secure Boot certificate expiration in June 2026 ^[2][3].
• Prerequisites for the Windows 10 Extended Security Updates (ESU) program ^[4][11].

Users on unsupported versions of Windows who have not enrolled in the ESU program can likely skip the technical details of these patches, as their systems will not receive these specific updates ^[6][11]. If you are using a fully patched, modern system with automatic updates enabled and do not manage server infrastructure, the transition to these new security standards is expected to be seamless ^[7][8][13].

TL;DR / What This Means for You

The February 2026 Patch Tuesday updates address a total of 59 vulnerabilities, including six zero-day flaws that have been publicly disclosed or targeted by threat actors ^[9][12]. These vulnerabilities impact core system components, potentially allowing attackers to gain full control over affected devices ^[6][10].

• Critical Updates Required: Security updates for Microsoft Office, Windows SMB, and Windows Graphics Components should be prioritized, as they address vulnerabilities that can lead to remote code execution or SYSTEM privilege escalation ^[9][10].
• Active Exploitation Confirmed: Research indicates active, in-the-wild exploitation of SolarWinds Web Help Desk (WHD), which has allowed attackers to execute arbitrary commands and establish persistent access ^[1][15].
• Broad Impact: Vulnerabilities like CVE-2025-54910 can potentially be exploited through the Preview Pane in Office, requiring no user interaction for code execution ^[10].
• Recommended Actions: Systems should be patched immediately. For organizations using SolarWinds WHD, it is recommended to rotate credentials for service and admin accounts and investigate for unauthorized remote monitoring and management (RMM) artifacts ^[1].
• Risk Note: While applying these updates significantly reduces exposure, patches do not eliminate all risks. Analysts suggest that attackers may continue to target unhardened SMB configurations or use DLL sideloading techniques to bypass traditional detection ^[1][9].

---

Key Sources (Quick Links)

• Safer Internet Day 2026: Helping students be AI aware | Microsoft Education Blog ^[1]
• Building a safer digital future, together ^[2]
• Microsoft Launches AI QuickStart Programme with Support from IMDA and UOB - S... ^[4]

Background / Basics

To understand the impact of the February 2026 Patch Tuesday release, it is helpful to define how Microsoft manages security vulnerabilities and how these updates reach your system.

What is a Zero-Day Vulnerability?

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the manufacturer or security researchers at the time of its discovery ^[33]. Because the developer has "zero days" to fix the issue before it can be used by attackers, these flaws are particularly dangerous ^[33]. Microsoft officially classifies a flaw as a zero-day if it is either publicly disclosed or actively exploited before an official patch is available ^[24].

Understanding Patch Tuesday

Patch Tuesday is an industry term for the second Tuesday of every month, when Microsoft regularly releases security updates ^[16]. These updates are designed to address various types of risks, including:

• Elevation of Privilege: Allowing an attacker to gain higher access levels (like SYSTEM rights) than they should have ^[10][16].
• Remote Code Execution (RCE): Enabling an attacker to run arbitrary commands on a target machine over a network ^[3][16].
• Security Feature Bypass: Circumventing existing protections, such as SmartScreen or Mark-of-the-Web ^[6][24].

How Updates are Delivered

For Windows 11 users (including versions 24H2 and 25H2), security fixes are delivered through Monthly Cumulative Updates ^[12]. These updates are "all-in-one" packages; installing the latest version automatically applies all previous security patches and reliability improvements ^[12]. There is generally no way to install security fixes separately from other system updates ^[12].

---

The Severity Rating System (CVSS)

Security experts use the Common Vulnerability Scoring System (CVSS) to rank the danger of a flaw on a scale from 0 to 10.

Score Range	Severity	Potential Impact
0.1 – 3.9	Low	Minimal risk, often requiring physical access.
4.0 – 6.9	Medium	Requires specific conditions or user interaction.
7.0 – 8.9	High	Significant risk; may lead to privilege escalation [4][11].
9.0 – 10.0	Critical	Maximum risk; often "wormable" or allows full remote control [3][15].

Active Exploitation vs. Public Disclosure

It is important to distinguish between a flaw that is "known" and one that is "in use":

• Publicly Disclosed: The details of the flaw are available to the public, increasing the likelihood that hackers will develop an exploit ^[8][16].
• Actively Exploited: Security firms have confirmed that attackers are already using the flaw in the wild to target users or organizations ^[15][24].

When six zero-days are confirmed as "actively exploited" simultaneously, it suggests a high level of threat activity targeting Windows components like the Windows Shell, MSHTML, and Remote Desktop Services ^[24][33].

Problem Explanation (What's Going On?)

Microsoft recently released its February 2026 security update to address a total of 59 vulnerabilities ^[14][16]. Among these patches are six zero-day vulnerabilities that have been identified as high-priority risks ^[14][15]. A zero-day typically refers to a flaw that is either publicly disclosed or actively exploited by threat actors before a formal fix is released by the vendor ^[7][16].

The current situation is particularly critical because several of these vulnerabilities allow for Remote Code Execution (RCE) and Elevation of Privilege (EoP) ^[15][16]. Security firms such as Huntress, Eye, and Sophos have already observed active exploitation of specific flaws, such as CVE-2025-59287, in multiple customer environments ^[15]. This activity indicates that attackers are moving quickly to leverage these gaps once they become known to the public ^[15].

---

Symptoms and Impact

The practical impact of these vulnerabilities varies depending on the specific flaw, but the general risks include service disruptions and unauthorized system access ^[16]. Users and administrators may experience the following:

• Service Disruptions: Vulnerabilities involving improper handling of conditions can cause application crashes and service outages, specifically affecting SQL Server and other database environments ^[16].
• Unauthorized Access: Successful exploitation of elevation of privilege flaws allows attackers with low-level access to gain SYSTEM privileges, potentially granting them full control over the affected device ^[16].
• Virtualization Escapes: Certain critical flaws in components like Windows Hyper-V could allow an attacker to escape a guest virtual machine and execute code on the host system ^[16].
• Network-Wide Attacks: Vulnerabilities in Windows SMB or WSUS are particularly dangerous because they can be exploited over a network, sometimes without any user interaction, allowing for the rapid spread of malware ^[15][16].

Affected Systems and Prevalence

The February 2026 update affects a broad range of products, including Windows 11, Windows Server, and Microsoft Office ^[7][16]. Industry reports suggest that these attacks are not necessarily targeted at specific individuals but are instead hitting internet-facing servers across a wide range of industries ^[15].

Vulnerability Type	Confirmed Risks	Potential Impact
Zero-Day (Active)	Exploited in the wild [15]	Immediate system compromise
Remote Code Execution	Unauthenticated access [16]	Remote malware installation
Elevation of Privilege	Gain SYSTEM rights [16]	Full data access/theft
Denial of Service	Application crashes [16]	Business downtime

While many of the patches are meant to prevent future issues, the presence of six zero-days means the threat is already active for unpatched systems ^[14][15]. Analysts suggest that the complexity of some exploits is low, making them relatively straightforward for attackers to utilize once they obtain local or network access ^[16].

Root Causes / Analysis (Why Is This Happening?)

The recent surge in critical exploits, including six zero-day vulnerabilities patched in February 2026, stems from a combination of complex software flaws and sophisticated attacker tradecraft ^[9][16]. Security researchers have identified several primary drivers behind these successful intrusions.

1. Critical Untrusted Deserialization

A primary root cause for initial access in recent campaigns is the exploitation of untrusted data deserialization flaws, specifically CVE-2025-40551 in SolarWinds Web Help Desk (WHD) ^[1][8]. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary operating system commands ^[8][22]. These types of flaws are particularly dangerous because they often provide high-level access to internet-facing deployments without requiring valid credentials ^[6][12].

2. Failure of Previous Security Patches

Analysis indicates that some current vulnerabilities are the result of patch bypasses ^[8]. For example, CVE-2025-26399 is a critical flaw (CVSS 9.8) that bypassed the fixes intended for CVE-2024-28988 and CVE-2024-28986 ^[8][22]. This suggests that attackers are closely monitoring vendor updates to find minor variations in the same code paths that remain unprotected ^[22].

3. Living-off-the-Land (LotL) Techniques

Attackers are increasingly moving away from obvious malware in favor of living-off-the-land techniques ^[12]. By using legitimate administrative tools, they can bypass traditional signature-based detection ^[6]. Observed tactics include:

• Using PowerShell and the Background Intelligent Transfer Service (BITS) for payload delivery ^[3][6].
• Abusing wab.exe to perform DLL sideloading by loading a malicious sspicli.dll file ^[2][6].
• Deploying legitimate Remote Monitoring and Management (RMM) tools, such as Zoho ManageEngine, to maintain interactive control ^[6].

4. Architectural Race Conditions and Resource Issues

Beyond application-level flaws, core Windows components face architectural vulnerabilities ^[14]. CVE-2025-55224 in Windows Hyper-V and various flaws in the Windows Graphics Component involve race conditions and use-after-free conditions ^[14]. These vulnerabilities occur when a system incorrectly initializes resources or handles the timing of memory access, potentially allowing attackers to escape virtualization boundaries ^[14].

---

Confirmed vs. Speculative Analysis

To maintain an accurate security posture, it is important to distinguish between verified forensic evidence and ongoing investigative hypotheses.

Factor	Status	Details
Active Exploitation	Confirmed	Microsoft and CISA confirm CVE-2025-40551 and others are being used in the wild [1][8][12].
Lateral Movement	Confirmed	Intruders have been observed moving from initial footholds to high-value assets like Domain Controllers [6][12].
Specific Entry Point	Unverified	Analysts cannot yet confirm if December 2025 attacks used the newest WHD bugs or older unpatched ones [12][22].
Attacker Identity	Unverified	Reports currently attribute the activity to "unknown miscreants" or "threat actors" without formal attribution [15][22].

Note: Because the attacks in late 2025 occurred on machines vulnerable to both old and new CVEs simultaneously, researchers state they "cannot reliably confirm" the exact vulnerability used for the initial foothold in every case ^[12][22].

---

How to Check if You Are Affected

Identifying a compromise requires looking for specific indicators of post-exploitation activity rather than just checking patch levels ^[1].

1. Audit WHD Binaries: Check the \WebHelpDesk\bin\ folder for suspicious process executions, specifically involving java.exe or tomcat spawning commands like whoami, certutil, or net user ^[1][3].
2. Monitor Scheduled Tasks: Look for unusual tasks designed to run at startup, such as those launching virtual machines (e.g., qemu-system-x86_64.exe) under the SYSTEM account ^[2][6].
3. Inspect DLL Integrity: Search for the presence of sspicli.dll in directories where it does not belong, particularly if associated with wab.exe ^[2][6].
4. Review RMM Artifacts: Check for unauthorized installations of management software like ToolsIQ.exe that were not deployed by your IT department ^[1][2].
5. Scan for NTDS.dit Theft: Search for process command lines involving print.exe attempting to access \windows\ntds\ntds.dit, which indicates an attempt to steal the Active Directory database ^[1].

Evidence & Reality Check

Reports from major security organizations and official documentation confirm a significant increase in vulnerability activity during early 2026. Security analysts note that the February 2026 Patch Tuesday was particularly critical, addressing 59 CVEs ^[3][14]. Among these, industry data confirms the discovery of six zero-day vulnerabilities that were potentially exploited before a fix was available ^[3][16].

This follows an even larger volume of updates in January 2026, where 114 CVEs were patched, including three zero-days ^[3][14]. The Microsoft Security Response Center (MSRC) investigates all reports of vulnerabilities affecting their products and releases these bulletins as part of an ongoing effort to manage system risks ^[2].

Metric	January 2026	February 2026
Total CVEs Patched	114 [3]	59 [14]
Zero-Day Vulnerabilities	3 [14]	6 [16]
Primary Reporting Body	MSRC [2]	MSRC [2]

---

Official documentation highlights that security risks are becoming more complex for both organizations and individual users. The 2026 Global Online Safety Survey indicates that 91% of respondents are worried about harms introduced by emerging technologies like AI ^[9]. Furthermore, security researchers have identified specific flaws in DeepSeek-generated code and are monitoring sophisticated adversaries such as Warp Panda and Labyrinth Chollima ^[13][14].

Beyond software vulnerabilities, hardware-level security updates are also in progress. Industry reports indicate that original Secure Boot certificates are set to expire later this year ^[7][11]. This "generational refresh" is necessary to ensure that future hardware and operating systems can maintain a secure boot process ^[7].

Note: The MSRC maintains a chronological library of security advisories, including the Exploitability Index, to help users prioritize which updates are most urgent for their specific systems ^[2][5].

While the number of vulnerabilities remains high, there is evidence of successful mitigation. In January 2026, a global cybercrime subscription service responsible for millions in fraud losses was successfully disrupted ^[8]. This suggests that while risks are persistent, coordinated industry efforts are actively working to reduce the impact of these threats ^[6][9].

Self-Check / Diagnosis

Because the upcoming Secure Boot certificate expiration is expected to occur in phases throughout 2026 ^[11][14], it is important to verify your system’s current status. While many systems updated via Windows Update may already be protected ^[7][15], older hardware or systems with fragmented NVRAM may require manual verification ^[1][2].

Follow these steps to diagnose your system's readiness:

1. Verify Secure Boot State

The new certificates cannot be applied if Secure Boot is disabled in your BIOS/UEFI settings ^[2].

• Press Windows + R, type msinfo32, and press Enter ^[2].
• Locate Secure Boot State in the System Summary ^[2].
• Confirm it is set to On. If it is "Off" or "Unsupported," the certificate update process may not proceed correctly ^[2][7].

---

2. Check the Active Certificate Database

You can use PowerShell to determine if your PC is currently using the 2023-era certificates for the current boot session ^[1][14].

• Right-click the PowerShell or Terminal app and select Run as Administrator ^[2].
• Enter the following command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') ^[2][3]
• Result: If the command returns True, your PC is using the new certificate and is generally considered ready for the transition ^[2][14].

---

3. Check for Firmware Integration

This step identifies if the new certificates are "baked into" your hardware's firmware, which is typical for newer PCs built since 2024 ^[3][14].

• In the same Administrator PowerShell window, enter: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023') ^[3]
• Result: If this returns False, it is normal behavior for older PCs ^[1][3]. It indicates that while you may be protected via the "active" database, a BIOS update from your manufacturer may potentially be needed for full firmware-level support ^[1][14].

---

4. Confirm Operating System Eligibility

Only supported versions of Windows receive these certificate updates automatically through the monthly update process ^[7][15].

• Windows 11: Ensure you are running version 24H2 or 25H2 ^[2].
• Windows 10: Verify that your device is enrolled in the Extended Security Updates (ESU) program ^[2][15].
• Unsupported Versions: Devices running standard Windows 10 (after October 14, 2025) or older versions will not receive these certificates, potentially leading to a degraded security state ^[13][15].

---

5. Review SolarWinds WHD Environment (Enterprise Only)

If your organization utilizes SolarWinds Web Help Desk (WHD), you must check for specific vulnerabilities (CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399) that are currently being exploited alongside system-level weaknesses ^[8][12].

• Check for the presence of unauthorized artifacts such as ToolsIQ.exe ^[9][12].
• Monitor for suspicious java.exe or wrapper.exe processes originating from the \WebHelpDesk\bin\ directory ^[8][12].
• Identify if your server version is older than the WHD 2026.1 release, which includes necessary security mitigations ^[8][9].

Solutions / What to Do

Addressing actively exploited vulnerabilities requires a combination of immediate mitigation and long-term structural updates. Because some flaws currently lack official patches, users and administrators must apply manual configuration changes alongside standard update procedures ^[15].

Short-Term Mitigation and Immediate Actions

For vulnerabilities where a patch is unavailable or deployment is pending, focus on reducing the attack surface. This is particularly critical for the Windows Shortcut binary format flaw (CVE-2025-9491) and SolarWinds Web Help Desk (WHD) instances ^[1][15].

• Restrict .lnk File Functionality: Since no patch was available for the shortcut vulnerability as of late October 2025, experts recommend locking down .lnk functions ^[15]. Disable the automatic resolution of these files in Windows Explorer and block .lnk files originating from untrusted sources or the internet ^[15].
• Secure SolarWinds WHD: Immediately update WHD to address CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399 ^[1]. If patching is delayed, remove public access to administrative paths and increase logging on the Ajax Proxy to detect unauthorized activity ^[1].
• Evict Unauthorized Tools: Inspect systems for unauthorized Remote Monitoring and Management (RMM) tools ^[1]. Specifically, look for and remove artifacts like ToolsIQ.exe if they were added after a potential exploitation event ^[1].
• Rotate Credentials: If a compromise is suspected, rotate all service and administrative account credentials reachable from the affected application ^[1]. Isolate any compromised hosts from the rest of the network to prevent lateral movement ^[1].

---

Long-Term Solutions and System Hardening

Long-term stability relies on moving to supported operating system versions and refreshing the underlying security architecture, such as Secure Boot certificates ^[7][9].

1. Update Windows and Firmware

Ensure all devices are running the latest monthly security updates. For the Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287), apply the unscheduled update issued by Microsoft to resolve the serialization flaw ^[15].

Component	Required Action
Windows 11	Update to version 24H2 or 25H2 to support new Secure Boot certificates [6][14].
Windows 10	Enroll in the Extended Security Updates (ESU) program to receive critical patches [6].
UEFI/BIOS	Check manufacturer (OEM) support pages for firmware updates required to store new certificates [6][12].

2. Refresh Secure Boot Certificates

The original Secure Boot certificates are expected to expire in June 2026 ^[9][14]. Failure to update these can lead to a "degraded security state," preventing the system from loading future boot-level protections or newer operating systems ^[9].

To verify your system's status, follow these steps:

1. Open PowerShell or Terminal as an Administrator ^[6].
2. Run the command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') ^[6].
3. If the result is True, your PC is using the new 2023 certificate ^[6].
4. If False, ensure Secure Boot is enabled in msinfo32 and apply all pending Windows Updates ^[6].

Warning: If you perform a factory reset of Secure Boot keys in your BIOS to clear space for new certificates, ensure you have your BitLocker recovery key available to avoid being locked out of your drive ^[6].

Risks and Limitations

Manual mitigations, such as disabling file resolutions, may impact workflow efficiency or cause compatibility issues with certain applications ^[9][15]. Furthermore, while these steps significantly minimize risks, no configuration can be described as entirely risk-free ^[2].

If a device does not receive updated certificates before the 2026 deadline, it may continue to function, but it will lose the ability to install new mitigations against discovered boot-level vulnerabilities ^[9]. If you are uncomfortable performing BIOS-level changes or manual registry edits, it is generally safer to consult professional technical support to avoid unintended system instability ^[10].

Risks, Limits, and When to Stop

While keeping Windows 11 updated is a primary defense against active exploits, the process involves technical complexities that can occasionally lead to complications. It is important to understand that no security patch offers a complete guarantee of safety, and some updates require more than just a simple reboot to be effective ^[8][14].

Potential Update Complications

Security updates, particularly those involving the Secure Boot root of trust, can potentially lead to a "degraded security state" if they are not applied correctly ^[13]. If a device fails to receive new certificates before older ones expire, it may become increasingly exposed to boot-level vulnerabilities and could eventually face compatibility issues with newer hardware or firmware ^[13].

Furthermore, users participating in the Windows Insider Program should be aware that preview builds are often not fully localized and may contain features that could be removed or replaced before reaching the general public ^[9]. These builds are intended for testing and may not provide the stability required for critical production environments ^[9].

---

Risks of Incomplete Remediation

Applying a patch is often only the first step in securing a system after a vulnerability has been identified. In cases of active exploitation, such as those involving DLL sideloading or credential theft, simply updating the software may not remove an existing threat actor from the network ^[15].

Scenario	Risk Factor	Recommended Perspective
Outdated OS	Windows 10 and older (without ESU) will not receive new Secure Boot certificates [13].	Upgrading to a supported version is likely necessary for long-term protection [13].
Active Breach	Patching does not automatically evict unauthorized Remote Monitoring and Management (RMM) tools [15].	Incident response and credential rotation are potentially required [15].
AI Integration	91% of users report worries about harms introduced by AI [8].	Technical controls should be paired with digital literacy and critical thinking [1][12].

---

When to Stop and Seek Help

There are specific situations where a standard user or a small IT team should pause and consult with a specialist. Attempting to resolve complex security breaches without the proper tools can sometimes lead to further data loss or system instability.

You should consider stopping if you observe any of the following:

• Evidence of active compromise: If you find unauthorized artifacts such as ToolsIQ.exe or evidence of LSASS memory access, a simple patch is no longer sufficient ^[15].
• Persistent update failures: If Windows Update repeatedly fails to install critical security patches, the system's underlying security architecture may already be compromised or corrupted ^[13].
• High-privilege credential misuse: If there are signs of DCSync activity or unauthorized password requests from a domain controller, the scope of the problem has likely exceeded local PC repair ^[15].
• Hardware-level errors: Errors during firmware or Secure Boot updates can potentially render a device unbootable if handled incorrectly ^[13].

Digital safety is an evolving challenge that requires a holistic approach ^[1]. While tools like the Microsoft Education Security Toolkit provide guidance for institutions, individual users must remain vigilant ^[5][12]. If you are unsure about the status of your system, it is usually more cost-effective to seek an expert assessment than to attempt to fix a deep-seated security failure manually.

FAQ

How many zero-day vulnerabilities were addressed in the latest security update?

Recent reports indicate that the February 2026 Patch Tuesday release addressed six zero-day vulnerabilities ^[2][8][10]. These vulnerabilities were among a total of 59 CVEs patched during that specific update cycle ^[2][10]. In comparison, the January 2026 update addressed 114 CVEs, including three zero-days, showing a continued trend of active exploitation targeting Microsoft Windows systems ^[8][15].

What are the main risks associated with these exploits?

The primary exploitation techniques identified in recent security cycles include elevation of privilege, remote code execution (RCE), and information disclosure ^[15]. Analysis of similar patch cycles shows that elevation of privilege often accounts for nearly 45% of patches, while remote code execution can account for approximately 26% ^[15]. Many critical vulnerabilities currently require some level of user interaction to be successfully exploited ^[15].

Can I still get security updates if I am using Windows 10?

Yes, users can receive critical updates through the Extended Security Updates (ESU) program until October 13, 2026 ^[4][11]. Enrollment is available for eligible devices running version 22H2 ^[11]. There are three primary ways to enroll:

• At no additional cost by syncing PC Settings ^[11].
• By redeeming 1,000 Microsoft Rewards points ^[11].
• Through a one-time purchase of $30 USD (or local currency equivalent) ^[11].

How do I verify if my device has the latest patches installed?

You can check your current update status by navigating to Settings > Update & Security > Windows Update ^[4][9]. For those enrolled in the ESU program, enrollment status and order history are also visible within the Microsoft Store account profile or the device's update settings ^[7][12]. Experts suggest using the Security Update Guide alongside your update history to see exactly which vulnerabilities have been resolved ^[13].

What should I do if my hardware does not support Windows 11?

If a device is ineligible for a Windows 11 upgrade, Microsoft recommends enrolling in the ESU program to maintain protection against viruses and malware until the program ends in late 2026 ^[4][11]. For long-term security, industry analysts suggest exploring Copilot+ PCs or other modern hardware that supports the latest security features and architecture ^[7]. It is important to note that devices remain more vulnerable to exploitation the longer they remain unpatched or unenrolled in extended support ^[4][11].

Is it possible to cancel an ESU subscription or get a refund?

For one-time purchases made through the Microsoft Store, orders could generally be canceled before October 14, 2025 ^[4][9]. After that date, refunds typically follow the standard digital purchase policies for your specific country or region ^[9]. However, if you enrolled in the program at no cost via settings synchronization or by redeeming Microsoft Rewards points, those transactions are generally considered final and are not eligible for returns or exchanges ^[9].

Summary / Key Takeaways

The February 2026 Patch Tuesday serves as a critical reminder of the evolving threat landscape, particularly regarding the rapid exploitation of vulnerabilities before patches are applied.

• Critical Vulnerability Volume: The February 2026 update addressed 59 CVEs, including six zero-day vulnerabilities that were reported to be under active exploitation ^[1][2]. This follows a significant January 2026 update that patched 114 vulnerabilities, including three zero-days ^[1].
• Active Exploitation Targets: Security analysts have identified active exploitation of SolarWinds Web Help Desk (WHD) via CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399 ^[11]. Threat actors are potentially using these flaws to gain initial access and escalate privileges ^[11].
• Advanced Attack Techniques: Observed campaigns have utilized DLL sideloading to abuse wab.exe, allowing attackers to access LSASS memory and steal high-privilege credentials ^[11]. In some instances, this has led to DCSync attacks against domain controllers ^[11].
• Immediate Mitigation Requirements: Recommendations for affected organizations include immediate patching, restricting public access to administrative paths, and rotating all service and admin account credentials ^[11]. Isolating compromised hosts is considered a necessary step in incident response ^[11].
• AI and Emerging Risks: While AI-powered security tools are being integrated to detect malware at machine speed, there is a growing concern regarding AI-driven harms, with roughly 91% of individuals expressing worry about new risks introduced by artificial intelligence ^[5][10].

---

If you’re unsure about the integrity of your system, it’s usually cheaper to ask someone once than to fix a mistake later.

Quellen

^[1] Safer Internet Day 2026: Helping students be AI aware | Microsoft Education Blog

^[2] Building a safer digital future, together

^[3] Updates in two of our core priorities - The Official Microsoft Blog

^[4] Microsoft Launches AI QuickStart Programme with Support from IMDA and UOB - S...

^[5] Microsoft releases urgent Office patch. Russian-state hackers pounce.

^[6] Analysis of active exploitation of SolarWinds Web Help Desk | Microsoft Secur...

^[7] Refreshing the root of trust: industry collaboration on Secure Boot certifica...

^[8] Announcing Windows 11 Insider Preview Build 26220.7755 (Beta Channel)

^[9] Announcing Windows 11 Insider Preview Build 26300.7760 (Dev Channel)

^[10] Security Advisories and Bulletins

^[11] Windows 10 Extended Security Updates | Microsoft Windows

^[12] Microsoft Security Response Center Blog

^[13] 24h2, 25h2 security updates list - Microsoft Q&A

^[14] Windows' original Secure Boot certificates expire in June—here's wh...

^[15] Two Windows vulnerabilities, one a 0-day, are under active exploitation

^[16] September 2025 Patch Tuesday: Updates and Analysis | CrowdStrike

^[17] The Hacker News - Google News

^[18] CybersecurityNews - Google News

^[19] CybersecurityNews - Google News

^[20] CISA: VMware ESXi flaw now exploited in ransomware attacks

^[21] Critical SolarWinds Web Help Desk bug under attack

^[22] Someone

^[23] SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed ...

^[24] Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws

^[25] Microsoft releases Windows 10 KB5075912 extended security update

^[26] Windows 11 KB5077181 & KB5075941 cumulative updates released

^[27] Microsoft rolls out new Secure Boot certificates before June expiration

^[28] Microsoft dials up the nagging in Windows, calls it security

^[29] CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog

^[30] Nach Windows-Update: Zero-Day-Lücke erlaubt lokale Rechteausweitung

^[31] Windows Updates: New Boot Certificates, Error Fixes, and New Problems

^[32] Microsoft is refreshing Secure Boot certificates to plug security holes befor...

^[33] Microsofts Patch-Day schlie�t diese aktiv ausgenutzten Schwachstellen

^[34] Microsoft warns Secure Boot certificates will expire soon — what to expect

^[35] PC gaming issues traced to Windows Update, according to NVIDIA

^[36] Yet another Windows update is wreaking havoc on gaming rigs worldwide —...

^[37] Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

^[38] China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Camp...

^[39] Your PC's critical security certificates may be about to expire - how to...

^[40] Microsoft is keeping Secure Boot alive with Windows updates

^[41] 1,000+ Flaws Found, Including Critical IT & ICS Vulnerabilities

^[42] Cisco Meeting Management Vulnerability Allows Remote Attackers to Upload Arbi...

^[43] Windows-Lücke CVE-2026-20805: Kritisches Update gegen aktive Angriffe

^[44] CVE 2026 The Vulnerability Landscape: When Identity Breaks and Legacy Code Bi...

^[45] CERT-Bund warnt: 2.500 VMware ESXi-Server im Internet erreichbar; Angriffe üb...

^[46] Microsoft Patch Tuesday, February 2026 Security Update Review | Qualys

^[47] Debian DSA-6126-1 Linux Kernel Privilege Escalation DoS Issues

^[48] BeyondTrust fixes easy-to-exploit pre-auth RCE vulnerability in remote access...

^[49] CVE-2026-1731 | Arctic Wolf

^[50] Windows Error Reporting Vulnerability Allows Attackers to Elevate Privileges

^[51] CISA Warns of VMware ESXi 0-day Vulnerability Exploited in Ransomware Attacks

^[52] BeyondTrust Remote Support has a critical vulnerability

^[53] Ivanti EPMM exploitation widespread as governments, others targeted

^[54] CVE-2025-22225 in VMware ESXi now used in active ransomware attacks

^[55] February Patch Tuesday: Microsoft drops six zero-days | Computer Weekly

^[56] I tested Windows 11 February 2026 Updates: Everything new, improved, and fixed

^[57] Microsoft Patch Tuesday security updates for February 2026 fix six actively e...

^[58] Microsoft fixes six actively exploited flaws in latest Windows 11 update

^[59] CVE-2026-21509: APT28 Exploits Microsoft Office Zero-day Vulnerability

^[60] Microsoft Security Update Summary (9. Februar 2026)

^[61] Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnera...

^[62] CISA confirms exploitation of VMware ESXi flaw by ransomware attackers - Help...

^[63] Microsoft Patch Tuesday February 2026 – 54 Vulnerabilities Fixed, Including 6...

^[64] Microsoft Patch Tuesday – February 2026 - Lansweeper

^[65] Week in review: Notepad++ supply chain attack details and targets, Patch Tues...

^[66] Microsoft Patch Tuesday matches last year’s zero-day high with six actively e...

^[67] Microsoft Beefs Up Runtime Security

^[68] Deep Dive: Inside the Warlock Ransomware Breach of SmarterTools

^[69] A Deep Dive into CVE-2026-25049: n8n Remote Code Execution

^[70] FinancialContent - The 2026 NVIDIA Deep-Dive: Resilience in the Age of AI Rat...

^[71] FinancialContent - BE Q4 Deep Dive: Data Center Demand and On-Site Power Mome...

^[72] OpenClaw Configuration Details: A Complete Guide to openclaw.json & Best ...

^[73] FinancialContent - MWA Q4 Deep Dive: Pricing Actions and Operational Efficien...

^[74] CrowdStrike Plunges 22% in 3 Months: Time to Hold or Fold the Stock?

^[75] FinancialContent - CrowdStrike (CRWD) Stock Trades Up, Here Is Why

^[76] CrowdStrike stock sinks on insider sale plan as ‘software-mageddon’ rout bite...

^[77] CVE-2026-21643: Critical SQL Injection Vulnerability in Fortinet FortiClientEMS

^[78] CrowdStrike (CRWD) Stock Is Up, What You Need To Know

^[79] The CVE system isn’t working – what

^[80] CrowdStrike is the Only Vendor Named as a Customers’ Choice in the 2025 Gartn...

^[81] Windows 11 KB5077181 25H2 out with new features, direct download links for of...

^[82] Known Exploited Vulnerabilities Catalog | CISA

^[83] Microsoft Releases Dev and Beta Builds to Insiders With a Few New Features

^[84] NVD - cve-2026-21265

^[85] NVD - Search and Statistics

^[86] Windows 10 wird unsicher – Zeit für den Wechsel

^[87] Patchday: Windows 10/11 Updates (9. Februar 2026)

^[88] Version 1.0: Microsoft Windows - Kritische Schwachstelle in Windows OLE

^[89] Microsoft veröffentlicht KB5075941 für Windows 11 Version 23H2 – it-blo...

^[90] February 2026 Patch Tuesday forecast: Lots of OOB love this month - Help Net ...

^[91] Researchers delve inside new SolarWinds RCE attack chain | Computer Weekly

^[92] European Governments Breached in Zero-Day Attacks Targeting Ivanti

^[93] New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability

^[94] SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

^[95] NES reviews ice storm response as community cleans up from 13-day outages

^[96] Patch Tuesday February 2026: Security Updates & CVE Analysis

^[97] Microsoft Explains Windows 11 Version 26H1 and Only Confuses Us More

^[98] Microsoft patches 112 CVEs on first Patch Tuesday of 2026 | Computer Weekly

^[99] Microsoft February 2026 Security Updates

^[100] Something Happened ⭐

^[101] Zero Day Initiative — The February 2026 Security Update Review

^[102] Common Vulnerability Scoring System - Wikipedia

^[103] Microsoft to Roll Out New Secure Boot Certificates to Keep Old Windows PCs Se...

^[104] Microsoft stacks up 113 CVEs for January Patch Tuesday

^[105] React2Shell exploitation undergoes significant change in threat activity

^[106] Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

^[107] News brief: Patch critical and high-severity vulnerabilities now | TechTarget

^[108] Microsoft is dropping Windows 11 support for millions of older printers

^[109] Microsoft Releases February 2026 Patch Tuesday Updates

^[110] Microsoft and Adobe Patch Tuesday, January 2026 Security Update Review | Qualys

^[111] Microsoft January 2026 Security Update Breaks Remote Desktop Credential Prompts

^[112] Users Solve Windows 11 Issues With Four Settings Checks

^[113] Windows Won't Shut Down After Update? Here's How to Fix It - Make T...

^[114] Microsoft Patch Tuesday – January 2026 - Lansweeper

^[115] Microsoft Patch Tuesday: January 2026 | Arctic Wolf

^[116] Windows 11 KB5077181 (25H2): nuevas funciones y descarga directa en .MSU — lo...

^[117] Windows 11 February 2026 Patch Tuesday Released: KB5077181 and KB5075941 Now ...

^[118] Why Microsoft’s Windows 11 Print Driver Shake-Up Matters?

^[119] Microsoft Discloses ‘Extraordinarily High’ Number Of Zero-Day Vulnerabilities...

^[120] Fancy Bear Exploits Microsoft Zero-Day to Deploy Backdoors and Email Stealers

^[121] Cybersecurity Weekly Newsletter - Notepad++ hack, Office 0-Day, ESXi 0-day Ra...

^[122] Microsoft Office Zero-Day Vulnerability, CVE-2026-21509, Under Active Exploi...

^[123] Microsoft Office Zero-Day Actively Exploited - Emergency Patches Released

^[124] Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advan...

^[125] Singapore Takes Down Chinese Hackers Targeting Telco Networks

^[126] CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zer...

^[127] Energy and utilities cyber threats escalate as ransomware and APT activity ri...

^[128] CVE-2026-20805: Microsoft Fixes Actively Exploited Windows Desktop Manager Ze...

^[129] Singapore confirms UNC3886 espionage campaign against telecom sector, prompts...

^[130] 9th February – Threat Intelligence Report - Check Point Research

^[131] Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

^[132] Attackers exploit decade‑old Windows driver flaw to shut down modern EDR defe...

^[133] Microsoft releases Windows 11 KB5077181 with new features and critical fixes

^[134] Microsoft admits Windows 11 issues, pivots team to rebuild user trust

^[135] XFN 1.1 profile

^[136] XFN 1.1 profile

^[137] fonts.googleapis.com

^[138] Known Exploited Vulnerabilities Catalog | CISA

^[139] BleepingComputer (@[email protected]) - Infosec Exchange

^[140] The Hacker News

^[141] The Hacker News | LinkedIn

^[142] The Hacker News

^[143] fonts.googleapis.com

^[144] fonts.googleapis.com

^[145] Thurrott․com

^[146] Registration • The Register

^[147] Known Exploited Vulnerabilities Catalog | CISA

^[148] Help Net Security | LinkedIn

^[149] fonts.googleapis.com

^[150] Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advan...