Six Actively Exploited Microsoft Zero‑Days Land in February Patch Tuesday Microsoft's February 2026 Patch Tuesday shipped fixes for 54–60 vulnerabilities across Windows, Office, Azure, Edge, Exchange, and related components, including six zero‑day flaws confirmed as exploited in the wild and now added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Among them, Windows Shell vulnerability CVE‑2026‑21510 stands out as a high‑severity security feature bypass that allows attackers to evade SmartScreen warnings by luring users into opening weaponized links or shortcut files. Organizations that delay patching face elevated risk of phishing‑enabled compromise on fully up‑to‑date Windows endpoints.^1^3^5
The Threat: A remote attacker can bypass core Windows Shell protections and SmartScreen prompts, turning routine link clicks and shortcut files into stealthy initial access vectors that deliver payloads without expected warnings.^2^5
The Status: Microsoft has released patches for supported Windows versions, CISA has tagged multiple Microsoft vulnerabilities (including CVE‑2026‑21510 and related Office/Windows bugs) as KEV entries, and federal agencies face near‑term remediation deadlines.^3^7^1
Mitigation: Prioritize immediate deployment of February 2026 Patch Tuesday updates, enforce URL and attachment filtering on email and web gateways, and implement hardened application control so only approved binaries and scripts can execute even if SmartScreen is bypassed.^4^1
CRITICAL PATCHES (CVE WATCH)
SAP CRM / SAP S/4HANA – CVE‑2026‑0488 (https://cvedatabase.com/cve/CVE-2026-0488) - CVSS 9.9 Issue: CVE‑2026‑0488 is a code injection / missing authorization flaw in SAP CRM and SAP S/4HANA (Scripting Editor) that lets an authenticated attacker abuse a generic function module call to execute arbitrary SQL, leading to potential full database compromise with high impact on confidentiality, integrity, and availability.^8^10^12 Action: Apply the SAP security note and patched releases referenced in SAP Note 3697099 without delay, strictly limit access to scripting and generic function modules, and monitor for unusual SQL activity or administrative actions originating from application users with scripting privileges.^9^12
Catalyst Game Server Platform – CVE‑2026‑26009 (https://cvedatabase.com/cve/CVE-2026-26009) - CVSS 9.8
Issue: CVE‑2026‑26009 is a critical remote code execution vulnerability in Catalyst where install scripts in server templates run directly on the host OS as root via bash -c without sandboxing, allowing any user with template.create or template.update permissions to inject arbitrary commands and gain full root‑level control over every node in the cluster.^13^15
Action: Upgrade to a build that includes commit 11980aaf3f46315b02777f325ba02c56b110165d, immediately restrict template.create/template.update to a minimal set of trusted administrators, review all existing templates for malicious commands, and implement least‑privilege RBAC around cluster administration.^14^16
Apache Druid – CVE‑2026‑23906 (https://cvedatabase.com/cve/CVE-2026-23906) - CVSS 9.3 Issue: CVE‑2026‑23906 is an authentication bypass in Apache Druid's LDAP integration where, if the LDAP server allows anonymous binds, an attacker can log in using any existing username with an empty password, gaining that user's permissions and potentially full access to the Druid cluster and its data.^17^19^21 Action: Upgrade Apache Druid to version 36.0.0 or later, disable anonymous binds on the backing LDAP server, review all Druid authenticator configurations, and audit access logs for suspicious logins using valid usernames with no or incorrect passwords.^18^17
Microsoft Windows Shell – CVE‑2026‑21510 (https://cvedatabase.com/cve/CVE-2026-21510) - CVSS 8.8
Issue: CVE‑2026‑21510 is a Windows Shell protection mechanism failure that lets an unauthorized remote attacker bypass SmartScreen and other Shell security prompts by persuading users to open crafted links or .lnk files, enabling high‑impact code execution without the usual warnings.^5^1^3
Action: Deploy the February 2026 Windows updates across all affected Windows 10 builds and related platforms, reinforce user awareness training around unsolicited links and shortcut files, and use endpoint protection tools capable of detecting malicious Shell activity even when SmartScreen is bypassed.^1^3
BREACH BRIEFING
Anywhere Real Estate: Anywhere Real Estate disclosed on February 11, 2026, that a compromise of its Oracle E‑Business Suite environment exposed data for 17,429 individuals, including names, addresses, contact details, dates of birth, Social Security numbers, and job information. The incident underscores the continued targeting of ERP platforms and demonstrates how attackers can leverage a single business application breach to access highly sensitive PII at scale.^22
For defenders, this is a reminder to treat ERP and financial systems as crown‑jewel assets: enforce strong segmentation and privileged access controls, require MFA for all admin and remote access paths, and continuously monitor ERP logs for anomalous data access patterns and configuration changes.^22
TRENDS & ANALYSIS
1. KEV‑Driven Prioritization and Zero‑Day Pressure The convergence of six exploited Microsoft zero‑days with fresh CISA KEV additions reinforces KEV as a primary signal for real‑world risk, shifting patching strategy away from theoretical CVSS scores toward actively exploited vulnerabilities. Organizations that align patching SLAs with KEV deadlines and integrate KEV data into their vulnerability dashboards are measurably reducing exposure windows, especially across widely deployed platforms like Windows, Office, and network appliances.^23^25^4
ONE ACTION ITEM
Implement a KEV‑First Patch & Control Playbook This Week
Why: With Microsoft's exploited zero‑days now in CISA's KEV catalog and critical enterprise platforms like SAP, Apache Druid, and Catalyst facing internet‑exploitable flaws, a KEV‑first approach ensures your limited patching capacity closes the doors attackers are actually using, not just the ones that score high on paper.^25^19^4^18
Action:
- Step1
- Step2
(Replace Step1/Step2 in your internal runbook with: 1) ingest the latest KEV and February Patch Tuesday advisories into your vuln management platform and tag affected assets running Windows, Office, SAP CRM/S/4HANA, Apache Druid, and Catalyst; 2) within the week, patch or mitigate KEV‑listed and critical CVEs on internet‑facing and high‑value systems, and document exceptions with explicit temporary controls.)^7^23^4^18
Stay safe and patch often https://www.cvedatabase.com ^26^28^30^32^34^36^38^40^42^44