CISA Adds 6 Microsoft Zero-Days to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added six Microsoft zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. All six vulnerabilities were actively exploited in the wild before Microsoft released patches during February 2026 Patch Tuesday.

Critical Vulnerabilities Patched

The six zero-days span multiple Microsoft products. CVE-2026-21510 affects Windows SmartScreen, allowing attackers to execute content without security warnings by bypassing the security feature. CVE-2026-21513 is an Internet Explorer vulnerability enabling security control bypasses and potential code execution. CVE-2026-21514 impacts Microsoft Office Word through reliance on untrusted inputs. CVE-2026-21519 is a Desktop Window Manager type confusion vulnerability allowing privilege escalation, while CVE-2026-21525 affects Windows Remote Access Connection Manager with a null pointer dereference leading to denial of service. CVE-2026-21533 addresses improper privilege management in Windows Remote Desktop.

Response Requirements

Federal Civilian Executive Branch (FCEB) agencies must apply patches for these vulnerabilities by March 3, 2026, under CISA's Binding Operational Directive 22-01. While this requirement applies specifically to federal agencies, security experts recommend all organizations prioritize patching these actively exploited vulnerabilities.

February Patch Tuesday Overview

Microsoft's February 2026 Patch Tuesday addressed 58 total vulnerabilities, including the six actively exploited zero-days. The concentration of zero-day exploits underscores the importance of maintaining timely patch management processes and monitoring CISA's KEV catalog for emerging threats requiring immediate attention.