Microsoft's Valentine's gift to admins: 6 zero-day fixes

"Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510): Exploiting this bug, which received an 8.8 CVSS rating, requires an attacker to convince a user to open a malicious link or shortcut file - but we all know that most people will click on just about anything, so that's not difficult to pull off. Once the user opens the malicious link, the attacker can bypass Windows SmartScreen and Windows Shell security prompts to execute code on the victim's system without user warning or consent."
"Of course, then there's also the emergency patches released because the first try didn't plug the security hole - but that's a different story. As always, Microsoft did not provide any additional details about who attacked these six flaws and how widespread exploitation may be. But considering that three of the six are also listed as publicly disclosed - meaning there may already be proof-of-concept exploits floating around the internet - we expect to see more reports (and details) about active exploitation soon."
Attackers exploited six Microsoft vulnerabilities as zero-days prior to February Patch Tuesday fixes, compared with one Windows vulnerability exploited before the January Patch Tuesday fix. Emergency patches have been released in some cases when initial fixes failed to fully resolve issues. Microsoft provided no additional details about the attackers or how widespread exploitation might be. Three of the six flaws are publicly disclosed, indicating possible proof-of-concept exploits already circulating and likely further reports of active exploitation. Notable exploited flaws include CVE-2026-21510, an 8.8 CVSS Windows Shell security bypass enabling code execution via malicious links or shortcuts, and CVE-2026-21513, an 8.8 CVSS Internet Explorer security bypass that could lead to remote code execution.
Read at Theregister