Users began complaining about access on Monday morning at 0845 UTC, and, just after midday (UTC), Microsoft confirmed: 'We've discovered some users may experience intermittent sign‑in failures, including 'too many requests' errors, or unexpected sign‑outs.'
The Copilot app cannot be removed arbitrarily. Three cumulative conditions apply: Microsoft 365 Copilot must also be installed on the device, the Copilot app must not have been installed by the user themselves, and the app must not have been launched in the past 28 days.
A Common Vulnerability Exposure (CVE) that cannot reach the privilege plane is operationally ineffective - even at a CVSS Score of 10. This should be a core philosophy that is embedded into the fabric of software engineering.
CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw can allow a remote attacker to read arbitrary files from the server filesystem.
Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). It's worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update,
This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).
In a service alert spotted by BleepingComputer, Microsoft revealed that the glitch started on February 5 and has been preventing some Exchange Online users from sending and receiving emails. "Some users' legitimate email messages are being marked as phish and quarantined in Exchange Online," Microsoft said in the service alert. "We've determined that the URLs associated with these email messages are incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection."
A newly disclosed Windows Admin Center flaw carries a CVSS score of 8.8 and could let an authorized user quietly escalate privileges across enterprise environments. The vulnerability affects WAC version 2.6.4 and, if exploited, may grant sweeping administrative control over the very systems it was built to manage. "Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network," Microsoft said in its advisory.
