Microsoft has released security updates addressing a total of 58 vulnerabilities across its software ecosystem, including a concerning set of six zero-day flaws already being actively exploited by attackers. The updates, delivered as part of Patch Tuesday, cover Windows, Office, Azure and other Microsoft products, alongside four vulnerabilities in Chromium-based components.
While the sheer number of patched flaws isn’t unusual, security experts are highlighting the unusually high number of vulnerabilities under active exploitation. Dustin Childs noted the volume under active attack is “extraordinarily high,” with three of the six zero-days already publicly disclosed.
The zero-days range in severity, with five rated as Important and one as Moderate. Although they are not all classified as Critical, the fact that they are being exploited in the wild necessitates swift patching, according to security advisories.
Bypassing Security Features: A Common Thread
Several of the zero-day vulnerabilities center around bypassing security features, often requiring some level of user interaction. One flaw, CVE-2026-21514, affects Microsoft Word and allows attackers to bypass local security features, potentially gaining advanced control settings and enabling code execution. However, Microsoft emphasizes that successful exploitation requires convincing a user to open a malicious Office document.
Similarly, CVE-2026-21510, a security feature bypass flaw, requires a user to click a malicious link or open a crafted shortcut file before an attacker can exploit it. Malwarebytes security researcher Pieter Arntz explained that this allows attackers to suppress security dialogs for untrusted content, making it easier to deliver and execute payloads without raising user suspicion. Childs added that a “one-click bug to gain code execution is a rarity.”
Other zero-day fixes address a denial of service bug in Windows Remote Access Connection Manager, an elevation of privilege vulnerability in Windows Remote Desktop Services, and a flaw in the Desktop Window Manager. A final zero-day impacts Internet Explorer, whose continued presence in Windows remains a recurring security concern, as noted by Childs: “calling IE always results in a vulnerability somehow.” Even in this case, user interaction (clicking a malicious link) is required for exploitation.
Azure and GitHub Copilot Vulnerabilities
Beyond the core Windows vulnerabilities, Microsoft also addressed flaws in Azure and GitHub Copilot. Three critical vulnerabilities were identified in Azure, stemming from a command injection vulnerability triggered by prompt injection. Kevin Breem, senior director for cyber threat research at Immersive Labs, explained that this could allow attackers to embed malicious prompts within developer workflows, potentially bypassing security restrictions and executing code.
This is particularly concerning given developers often have access to sensitive data, such as API keys. Breem cautioned that enabling developers and automation pipelines to use Large Language Models (LLMs) and Agentic AI without proper safeguards could significantly amplify the impact of a successful attack. He stressed the importance of understanding the risks, identifying access to AI Agents, and implementing the principle of least privilege to limit potential damage.
The remaining patched vulnerabilities include a range of issues, such as privilege escalation (25 vulnerabilities), remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). The prevalence of privilege escalation vulnerabilities continues to be a dominant trend in Microsoft’s security updates.
Microsoft has also begun rolling out updated Secure Boot certificates ahead of the June 2026 expiration of legacy 2011 certificates, a significant infrastructure milestone affecting Windows boot integrity across devices.
