IT Brief UK - Technology news for CIOs & IT decision-makers

Microsoft patches zero-day flaws in latest Windows update

Thu, 12th Feb 2026

Microsoft has issued fixes for 55 security vulnerabilities in its latest monthly release, including six flaws it says have been exploited in the wild.

The release also includes three publicly disclosed vulnerabilities, all of them security feature bypass issues affecting Windows or Office components. Earlier this month, Microsoft shipped patches for three browser vulnerabilities outside the monthly total.

Rapid7's analysis highlights the concentration of exploited issues in core Windows components and services tied to common user workflows, such as opening files, browsing content, and interacting with the desktop environment.

Windows shell

One publicly disclosed zero-day, tracked as CVE-2026-21510, affects Windows Shell. Windows Shell covers the graphical interaction logic provided by explorer.exe and related libraries and application programming interfaces.

Rapid7 said the issue provides "a way to dodge those pesky Smart Screen or other 'are you sure?' prompts." Microsoft's advisory says "an attacker must convince a user to open a malicious link or shortcut file." Rapid7 noted that .lnk shortcut files are likely involved in exploitation, and that .url files may also play a role.

MSHTML engine

A second publicly disclosed zero-day, CVE-2026-21513, affects MSHTML, also known as Trident. The rendering engine remains present in Windows and is used by Office and Explorer components.

Rapid7 described the vulnerability as another security feature bypass that requires user interaction. It said the chain begins after an attacker convinces a user to open "a malicious HTML file or shortcut file."

Word and OLE

The third publicly disclosed zero-day, CVE-2026-21514, concerns Microsoft Office Word. Rapid7 said exploitation involves bypassing Object Linking & Embedding (OLE) mitigations after a user opens a malicious Word document.

The advisory lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise. Rapid7 noted that it does not mention the standard Microsoft 365 suite.

Rapid7 also flagged an apparent inconsistency in Microsoft's assessment of the attack vector. The advisory rates it as local, even though the described scenario starts with a remote attacker persuading a user to open content. Rapid7's reading of the advisory indicates the Preview Pane is not a vector, meaning the user must explicitly open the file or web page.

DWM elevation

This month's exploited vulnerabilities also include privilege escalation flaws. CVE-2026-21519 affects Windows Desktop Window Manager (DWM). Rapid7 noted this is the second consecutive month in which DWM has been associated with an exploited zero-day.

Rapid7 linked the new elevation-of-privilege issue with last month's exploited DWM information disclosure flaw, CVE-2026-20805. It said the earlier weakness acted like "a treasure map for threat actors" by helping identify an in-memory address. Rapid7 also cautioned against using severity scoring to delay remediation: "As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching."

Remote desktop services

CVE-2026-21533 is another exploited elevation-of-privilege vulnerability affecting Remote Desktop Services (RDP). Rapid7 said the flaw allows "an unauthorised local user to elevate privileges to SYSTEM."

The issue affects Windows Server products dating back to Server 2012, indicating the vulnerable code path has persisted across multiple generations. Rapid7 suggested the patch could mark the end of "a long-running exploitation story for at least one threat actor."

RasMan DoS

Microsoft also addressed an exploited denial-of-service vulnerability, CVE-2026-21525, in the Windows Remote Access Connection Manager (RasMan). Rapid7 said it is a local issue, but highlighted an unusual detail: the advisory says no privileges are required, meaning a guest account could exploit it.

Rapid7 summarised the likely theme behind the three publicly disclosed bypass flaws affecting Windows Shell, MSHTML, and Word: "Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it's likely that exploitation in each case involves tricking Windows into participating in another Mark-of-the-Web laundering scheme using flaws in old components," said Adam Barnett, Lead Software Engineer at Rapid7.

Rapid7 said there were no significant Microsoft product lifecycle changes in this month's release.