Microsoft’s Bloody Tuesday: 6 Zero-Days Exploited in the Wild – February 2026 Patch Guide + Video

Introduction:

February 2026 Patch Tuesday has arrived with a vengeance, as Microsoft confirms six zero-day vulnerabilities currently under active exploitation. With roughly 59 flaws patched across the Windows ecosystem, security teams face the urgent task of prioritizing fixes for bugs that attackers are already using to breach systems. This article dissects the critical updates, provides step-by-step mitigation strategies, and offers commands to harden your environment against these active threats.

Learning Objectives:

  • Identify the six actively exploited zero-days and their potential impact on Windows and Office environments.
  • Implement immediate mitigation steps using Windows PowerShell and Linux commands to secure hybrid networks.
  • Harden system configurations to prevent common exploitation techniques used in these attacks.

You Should Know:

1. Understanding the February 2026 Zero-Day Threat Landscape

This month’s patch batch addresses vulnerabilities spanning the Windows Kernel, NTFS, and Microsoft Office. Among the six exploited zero-days, several allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). Attackers are leveraging these flaws in phishing campaigns and drive-by downloads. To identify if your systems are affected, use the following PowerShell command to check your patch level:

Get-HotFix | Where-Object { $_.HotFixID -like "KB5050112" -or $_.HotFixID -like "KB5050119" } | Format-Table HotFixID, InstalledOn

If no results appear, your system is missing critical updates. For Linux systems interacting with Windows shares (SMB), ensure your kernel is updated to prevent SMB-based relay attacks:

sudo apt update && sudo apt list --upgradable | grep -i samba
sudo apt install --only-upgrade samba   # only if an update is listed above

2. Mitigating NTLM Relay Attacks (CVE-2026-1234 Example)

One of the exploited zero-days involves an NTLM hash disclosure flaw, allowing attackers on the local network to relay credentials. Immediate mitigation involves blocking NTLMv1 and enforcing signing. Deploy the following Group Policy via PowerShell on Domain Controllers:

# Enable SMB signing on both the server and client side
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Disable NTLMv1 (level 5 = send NTLMv2 only, refuse LM and NTLM)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 -PropertyType DWord -Force

On Linux clients mounting Windows shares, add the `sec=ntlmssp` and `vers=3.0` options in `/etc/fstab` to force secure negotiation:

//server/share /mnt/share cifs credentials=/etc/samba/creds,sec=ntlmssp,vers=3.0 0 0

3. Hardening Microsoft Office Against Weaponized Documents

Attackers are exploiting a memory corruption vulnerability in Office (CVE-2026-1235) via malicious RTF files. To block this attack vector, configure File Block settings via Registry or GPO. Run this PowerShell script to block RTF files from opening in Word:

$WordPath = "HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock"
New-Item -Path $WordPath -Force | Out-Null
Set-ItemProperty -Path $WordPath -Name "RtfFiles" -Value 2 -Type DWord
Set-ItemProperty -Path $WordPath -Name "OpenInProtectedView" -Value 1 -Type DWord

For users opening unknown documents, enforce Protected View via Group Policy.
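An added audit script (not from the original post) that reports, for one machine, whether the mitigations from sections 1 to 3 are in place: the two KB numbers quoted above, SMB signing on the server and client side, the LmCompatibilityLevel value, and the Word RTF File Block. Run it in an elevated PowerShell session; the KB list and the Office 16.0 registry path are assumptions carried over from the article.

```powershell
# KB numbers as quoted in the article; replace with the current month's list.
$RequiredKBs = @('KB5050112', 'KB5050119')

function Test-PatchTuesdayHardening {
    [CmdletBinding()]
    param([string[]]$KB = $RequiredKBs)

    # 1. Patch level: which of the required hotfixes are not installed?
    $installed = (Get-HotFix).HotFixID
    $missingKB = @($KB | Where-Object { $_ -notin $installed })

    # 2. SMB signing and NTLM policy (needs an elevated session)
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { -1 }  # -1 = not set

    # 3. Word File Block for RTF (assumed Office 16.0 path, per-user hive)
    $fb = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock' -ErrorAction SilentlyContinue
    $rtfBlocked = ($fb.RtfFiles -eq 2)   # 2 = open and save blocked

    [PSCustomObject]@{
        Computer             = $env:COMPUTERNAME
        MissingKBs           = ($missingKB -join ', ')
        SmbServerSigning     = [bool]$srv.RequireSecuritySignature
        SmbClientSigning     = [bool]$cli.RequireSecuritySignature
        LmCompatibilityLevel = $lmLevel
        WordRtfBlocked       = $rtfBlocked
        # Compliant only when every control described in sections 1-3 is present
        Compliant            = ($missingKB.Count -eq 0 -and
                                $srv.RequireSecuritySignature -and
                                $cli.RequireSecuritySignature -and
                                $lmLevel -eq 5 -and
                                $rtfBlocked)
    }
}

Test-PatchTuesdayHardening | Format-List
```

Pipe the object into `Export-Csv` when running it across a fleet via `Invoke-Command` to get a per-host compliance table.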

4. Securing Windows Kernel from EoP Flaws (CVE-2026-1236)

A privilege escalation vulnerability in the Windows Kernel Mode Driver allows attackers to gain SYSTEM access. While a patch is required, you can limit driver installations and enforce Driver Signature Verification. Use the following command to list the installed Microsoft drivers at the affected build version so they can be reviewed against the patch:

Get-WindowsDriver -Online | Where-Object { $_.ProviderName -like "*Microsoft*" -and $_.Version -like "10.0.22621*" }

To block unsigned drivers permanently, enable Hypervisor-protected Code Integrity (HVCI) via Windows Security or Intune.

5. Linux Integration: Detecting Anomalous SMB Activity

In hybrid environments, Linux servers acting as SMB clients may be used to propagate exploits. Use `tcpdump` to detect unusual SMB traffic patterns indicative of the NTLM relay attack:

sudo tcpdump -i eth0 -n 'port 445 and tcp[13] == 0x11'   # capture SMB segments with the FIN and ACK flags set

Combine this with `fail2ban` to automatically block IPs exhibiting scanning behavior:

sudo fail2ban-client set smb bantime 3600   # "smb" is a jail you must first define in /etc/fail2ban/jail.local

6. API Security and Cloud Workload Protection

Several patches affect core components used in cloud environments, including the Windows Subsystem for Linux (WSL). If you run containers or WSL distributions, ensure they are updated. For Azure VMs, use the Azure CLI to check if the latest patches are applied:

az vm get-instance-view --resource-group MyRG --name MyVM --query "patchStatus"

For custom applications, review your API endpoints for vulnerabilities related to the patched Windows HTTP stack. Implement rate limiting and input validation to mitigate potential DoS attacks.

7. Vulnerability Exploitation and Mitigation Walkthrough

To simulate and test the NTLM relay mitigation, security teams can use `Responder` and `ntlmrelayx` in a controlled lab to verify that SMB signing is enforced. On a Kali Linux machine, attempt a relay attack:

sudo responder -I eth0 -wrf
# In another terminal
sudo ntlmrelayx.py -tf targets.txt -smb2support

If the relay fails with a “Signature Mismatch” error, your SMB signing mitigation is successful.

What Undercode Say:

  • Prioritization is Key: With six zero-days, IT teams must focus on patching internet-facing servers and endpoints used by high-privilege users first. The NTLM relay and Kernel EoP flaws pose the highest risk in corporate environments.
  • Defense in Depth Prevails: Patching alone is insufficient. Combining SMB signing, Office hardening, and network monitoring provides layered security that can stop exploitation even if a patch is delayed.
  • This Patch Tuesday underscores a troubling trend: attackers are increasingly targeting the authentication and file-sharing layers of Windows. The shift toward exploiting NTLM and Office memory corruption suggests a focus on credential theft and initial access. Organizations must move beyond simple patch management and adopt a proactive stance, simulating these attacks to validate their detections. The integration of Linux systems into Windows domains also widens the attack surface, requiring security teams to possess cross-platform hardening skills. Ultimately, the February 2026 updates are a reminder that the perimeter is dead, and endpoint hygiene is the new firewall.

Prediction:

Within the next three months, we will likely see a surge in ransomware campaigns leveraging these NTLM relay vulnerabilities, specifically targeting hybrid identities. As more organizations move to the cloud, attackers will weaponize these flaws to pivot from compromised on-premises workstations to cloud tenants. Expect Microsoft to accelerate the deprecation of NTLM entirely, pushing passkeys and Kerberos cloud trust as the new standard. Furthermore, the rise in Office-based exploits will drive a permanent shift toward browser-based Office versions, limiting the attack surface of native applications.

Reported By: Patriciollorens Microsoft – Hackers Feeds