By Tyler Reguly, Associate Director, Security R&D, Fortra
On first pass, this month looks pretty reasonable – 60 CVEs, including one assigned by the Chrome CNA. When you look a little more closely, you start to realize that there is a lot going on here. February can be a bit of a cold, dull month, but Microsoft has decided to heat things up a bit. The good news, there’s not a lot of CVEs to deal with, the bad news, there’s actually a lot to unpack here.
We can’t ignore the fact that there are 6 actively exploited vulnerabilities included in this month’s patch drop. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected. That’s a significant portion of them.
There’s some common language in there too, with vulnerabilities impacting Windows Shell (CVE-2026-21510), MSHTML Framework (CVE-2026-21513), and Microsoft Word (CVE-2026-21514) all including the words ‘security feature bypass.’ Similarly, two of these vulnerabilities – CVE-2026-21519 in Desktop Windows Manager and CVE-2026-21533 in Windows Remote Desktop Services – both allowing elevation of privilege to SYSTEM. The odd vulnerability out in this list is the Windows Remote Access Connection Manager vulnerability (CVE-2026-21525) because it is a local denial of service, something that Microsoft often rejects – refusing to assign CVEs and issue patches for these types of vulnerabilities on a regular basis.
The upside to this many actively exploited vulnerabilities? They are easy to resolve with regular Microsoft patches for Windows and Office and none of them require any post patch configuration steps.
If I’m a CSO this month, I’m less concerned about what my desktop and server security teams are patching and more concerned with my cloud ops teams. Sure, there are a lot of actively exploited vulnerabilities, but the normal patching process will resolve those. The 10 Azure CVEs representing 16.6% of the CVEs released this month are what I would be concerned about. While 3 of these (CVE-2026-21532, CVE-2026-24300, and CVE-2026-24302) are all marked as ‘No Customer Action Required,’ I’d still want to ensure that there was no evidence of issues in my cloud (or cloud adjacent) environments. For the other 7 CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment.
It’s rather amusing to me to watch as we migrate everything to the cloud. With on-prem deployments, the vulnerability resolution process is mature – we know what patches look like, how to find unpatched software, and how to roll out the standard patch to multiple systems. With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve a lot of the vulnerabilities. This puts a lot more pressure on the cloud ops team to fix these as well as the development teams that may be utilizing the related SDKs. This shifts the responsibility for maintaining systems away from traditional vulnerability management programs and may present headaches to CSOs trying to inventory and track the usage of these components in their environments.
Related
This entry was posted on February 10, 2026 at 2:45 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
February Patch Tuesday Commentary From Fortra
By Tyler Reguly, Associate Director, Security R&D, Fortra
On first pass, this month looks pretty reasonable – 60 CVEs, including one assigned by the Chrome CNA. When you look a little more closely, you start to realize that there is a lot going on here. February can be a bit of a cold, dull month, but Microsoft has decided to heat things up a bit. The good news, there’s not a lot of CVEs to deal with, the bad news, there’s actually a lot to unpack here.
We can’t ignore the fact that there are 6 actively exploited vulnerabilities included in this month’s patch drop. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected. That’s a significant portion of them.
There’s some common language in there too, with vulnerabilities impacting Windows Shell (CVE-2026-21510), MSHTML Framework (CVE-2026-21513), and Microsoft Word (CVE-2026-21514) all including the words ‘security feature bypass.’ Similarly, two of these vulnerabilities – CVE-2026-21519 in Desktop Windows Manager and CVE-2026-21533 in Windows Remote Desktop Services – both allowing elevation of privilege to SYSTEM. The odd vulnerability out in this list is the Windows Remote Access Connection Manager vulnerability (CVE-2026-21525) because it is a local denial of service, something that Microsoft often rejects – refusing to assign CVEs and issue patches for these types of vulnerabilities on a regular basis.
The upside to this many actively exploited vulnerabilities? They are easy to resolve with regular Microsoft patches for Windows and Office and none of them require any post patch configuration steps.
If I’m a CSO this month, I’m less concerned about what my desktop and server security teams are patching and more concerned with my cloud ops teams. Sure, there are a lot of actively exploited vulnerabilities, but the normal patching process will resolve those. The 10 Azure CVEs representing 16.6% of the CVEs released this month are what I would be concerned about. While 3 of these (CVE-2026-21532, CVE-2026-24300, and CVE-2026-24302) are all marked as ‘No Customer Action Required,’ I’d still want to ensure that there was no evidence of issues in my cloud (or cloud adjacent) environments. For the other 7 CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment.
It’s rather amusing to me to watch as we migrate everything to the cloud. With on-prem deployments, the vulnerability resolution process is mature – we know what patches look like, how to find unpatched software, and how to roll out the standard patch to multiple systems. With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve a lot of the vulnerabilities. This puts a lot more pressure on the cloud ops team to fix these as well as the development teams that may be utilizing the related SDKs. This shifts the responsibility for maintaining systems away from traditional vulnerability management programs and may present headaches to CSOs trying to inventory and track the usage of these components in their environments.
Share this:
Like this:
Related
This entry was posted on February 10, 2026 at 2:45 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.