Microsoft has confirmed that hackers are actively exploiting multiple critical zero-day vulnerabilities in Windows and Office, urging users to update their systems immediately. As reported by TechCrunch, the company has already released patches for the flaws.
The vulnerabilities are considered “one-click” exploits, meaning attackers can compromise a system with minimal user interaction. Clicking a malicious link or opening a poisoned Office file can be enough to allow malware installation or broader system access.
Zero-day vulnerabilities are flaws that are exploited before a fix is available. Microsoft also warned that technical details showing how to abuse these bugs have already been published, raising the risk of additional attacks.
One click can bypass built-in Windows protections
One of the most serious flaws, tracked as CVE-2026-21510, affects the Windows shell, a core component of the operating system’s interface. The vulnerability impacts all supported versions of Windows and allows attackers to bypass Microsoft’s SmartScreen security feature.
SmartScreen is designed to block malicious links and files, but this bug enables hackers to sidestep that protection entirely. The exploit can allow dangerous files to run after a single click, with protections effectively skipped.
Security expert Dustin Childs said the flaw can be used to remotely plant malware. He noted that while a user still has to click a link or shortcut file, a one-click remote code execution bug is rare and powerful.
A spokesperson for Google said the Windows shell vulnerability is under “widespread, active exploitation.”
Microsoft also patched another critical flaw, CVE-2026-21513, in its MSHTML browser engine. Although Internet Explorer is no longer widely used, MSHTML remains in Windows for backward compatibility and can still be abused to bypass security protections and deliver malware.
An independent security reporter noted that Microsoft fixed at least three additional zero-day vulnerabilities that were also being actively exploited.
Users running Windows or Office are advised to manually check for updates rather than waiting for automatic installation. Installing the latest patches is the only confirmed way to protect systems from these actively exploited vulnerabilities.
Published: Feb 11, 2026 07:30 pm