TL;DR: On February 11, Microsoft patched 6 actively exploited zero-day vulnerabilities, including one (CVE-2026-21510) that lets attackers bypass every Windows security warning with a single click. Two days later, the DHS partial shutdown furloughed 65% of CISA’s cybersecurity workforce, leaving just 889 staff to defend federal networks. Attackers have been exploiting at least one of these flaws since December 2025. Update Windows now. Nobody’s coming to help.

What Microsoft Patched

Microsoft’s February 2026 Patch Tuesday fixed 54 vulnerabilities across 40+ products. Six of them were already being used in real attacks when the patches dropped [1].

The worst of the bunch:

CVE-2026-21510: A Windows Shell flaw that bypasses SmartScreen and every other security prompt Windows throws at you when you download a file from the internet. Click a malicious link, and whatever’s on the other end runs without warning. No consent dialog. No “Are you sure?” prompt. Nothing. CVSS score: 8.8 out of 10. Affects every supported version of Windows [2].

CVE-2026-21513: Same trick, different attack surface. This one exploits the MSHTML framework (yes, Internet Explorer’s engine is still causing problems in 2026) to bypass protections using malicious HTML or .lnk shortcut files. Also scored 8.8. Also publicly disclosed before the patch was ready [2].

CVE-2026-21533: A Remote Desktop Services privilege escalation flaw. CrowdStrike found threat actors using this one to target U.S. and Canadian organizations since at least December 24, 2025. Merry Christmas. An attacker who already has local access can escalate to SYSTEM privileges by modifying a service configuration key [3].

CVE-2026-21519: Desktop Window Manager elevation of privilege. Another SYSTEM-level escalation. CVSS 7.8 [2].

CVE-2026-21514: Microsoft Word security bypass. Open a crafted document, and Office’s OLE mitigations get bypassed. Google Threat Intelligence, Microsoft’s own MSTIC, and the Office security team all reported this one, which tells you how widespread the exploitation was [1].

CVE-2026-21525: Windows Remote Access Connection Manager denial-of-service. Discovered by the 0patch research team in a public malware repository. If your organization uses VPN, this one matters: crashing the RasMan service can cut off endpoints configured with fail-close policies [1].

The Pattern Here Is Ugly

Three of the six zero-days bypass security features: the Mark of the Web mechanism, SmartScreen, and Office protections, the guardrails Windows puts between you and malicious files. Attackers aren’t breaking through the wall. They’re making the wall invisible.

Two more give attackers SYSTEM-level access once they’re in. The sixth crashes your VPN.

Chain them together (a security bypass to get in, a privilege escalation to own the box) and you have a complete attack path from “user clicks link” to “attacker controls the machine.”

CrowdStrike put it bluntly: “Microsoft’s public disclosure will almost certainly encourage threat actors possessing exploits to use or monetize them” [3].

Translation: the clock started on February 11. Every unpatched system is now a target.

Then CISA Lost 65% of Its Staff

On February 13 (two days after Microsoft dropped these patches), the DHS partial shutdown kicked in. Senate Democrats blocked the Homeland Security spending bill, demanding ICE reforms including body cameras and warrant requirements for home entry [4].

CISA kept 889 employees out of roughly 2,540. The other 1,453 were sent home [5].

Acting CISA director Madhu Gottumukkala told Congress: “When the government shuts down, cyber threats do not.” He warned the agency would “degrade our capacity to provide timely and actionable guidance to help partners defend their networks” [6].

What CISA stopped doing:

  • Proactive vulnerability scanning of federal networks
  • Security assessments for government agencies
  • Training and stakeholder engagements
  • Work on the CIRCIA cyber incident reporting rule (deadline: May 2026)
  • Development of new detection and response tools

What CISA kept running: the 24/7 operations center, emergency response to “imminent threats,” and bare-minimum shared services.

Gottumukkala’s summary: “We will be on the defensive, reactive, as opposed to being proactive and strategic” [6].

Why the Timing Matters

CISA exists to push patches, issue alerts, scan federal systems for vulnerabilities, and coordinate incident response when things go wrong. That’s exactly what you need when six zero-days drop at once.

Instead, CISA is running on skeleton staff. The vulnerability scanning that would flag unpatched federal systems? Halted. The training that would help agencies prioritize these patches? Cancelled. The threat intelligence that would track exploitation in the wild? Staffed by a fraction of the normal team.

And this isn’t the first hit. CISA has already lost roughly one-third of its workforce since January 2025 through administration efficiency cuts. About 70 CISA employees were transferred to other DHS components. A “handful” were moved to ICE [6].

So before the shutdown, CISA was already running at two-thirds capacity. Now it’s at one-third. A cybersecurity agency that started 2025 with a full roster is now operating with about 35% of its original strength, during the highest-severity patch cycle in months.

Who’s Already Using These

CrowdStrike confirmed that CVE-2026-21533 has been exploited by threat actors targeting U.S. and Canadian organizations since December 24, 2025 [3]. That’s seven weeks of active exploitation before the patch arrived.

Google’s Threat Analysis Group and Microsoft’s own Threat Intelligence Center (MSTIC) reported multiple zero-days, meaning state-level or state-adjacent actors were likely involved. Google TAG typically tracks nation-state espionage campaigns. When they’re reporting Windows zero-days, it’s not script kiddies [1].

The 0patch team found CVE-2026-21525 by analyzing malware samples in a public repository, meaning exploit code was already circulating before Microsoft patched it [1].

With the patches now public but many systems still unpatched, the window for mass exploitation is wide open. Normally, CISA would be aggressively pushing agencies to patch. Right now, most of the people who would do that work are at home.

What You Should Do

Update Windows Right Now

Settings → Windows Update → Check for Updates. Install everything. Restart. These aren’t theoretical vulnerabilities. They’re being used in attacks today.

Update Microsoft Office

CVE-2026-21514 targets Word documents. Open any Office app → File → Account → Update Options → Update Now. If you’re on Microsoft 365, updates should be automatic, but verify.

Don’t Click Unexpected Links

CVE-2026-21510 needs just one click on a malicious link. No warnings will appear. If someone sends you a link or attachment you weren’t expecting (even from a known contact), verify through a different channel before opening it.

Check Your VPN Configuration

If your organization uses Windows Remote Access services, the RasMan denial-of-service flaw (CVE-2026-21525) can crash your VPN. Endpoints with fail-close policies will lose all network access. Talk to your IT team about patching priority.

If you run IT for an organization, don’t wait for CISA guidance. The usual advisory pipeline is degraded by the shutdown. Treat all six CVEs as critical, regardless of Microsoft’s severity ratings. Patch now, test later.
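
For admins who want a quick per-host check of the two points above, here is a PowerShell triage sketch (an added example, not from Microsoft or any source cited here). It flags a host whose newest installed update predates the February 11 release, which means it cannot have these fixes, and counts unexpected RasMan terminations in the System log. Assumptions: the 30-day lookback is arbitrary, and a newer install date does not by itself prove the February update is present.

```powershell
# Added example: local triage for the February 2026 fixes and RasMan stability.
# The release date is taken from the article; the lookback window is an assumption.
$PatchRelease = Get-Date '2026-02-11'
$LookbackDays = 30

function Get-LatestUpdate {
    # Get-HotFix lists installed Windows updates; some entries have no InstalledOn.
    Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
}

function Get-RasManCrash {
    param([datetime]$Since, [string]$DisplayName)
    # Service Control Manager events 7031 and 7034 record a service that
    # terminated unexpectedly; the first event property is the display name.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $DisplayName }
}

$latest  = Get-LatestUpdate
$rasman  = Get-Service -Name RasMan -ErrorAction SilentlyContinue
$since   = (Get-Date).AddDays(-$LookbackDays)
# Use the service's own display name so the match also works on localized Windows.
$crashes = @(Get-RasManCrash -Since $since -DisplayName $rasman.DisplayName)

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    LatestUpdate          = $latest.HotFixID
    LatestInstalledOn     = $latest.InstalledOn
    # True means no update was installed on or after the release date.
    PredatesFebruaryPatch = (-not $latest) -or ($latest.InstalledOn -lt $PatchRelease)
    RasManStatus          = $rasman.Status
    RasManCrashCount      = $crashes.Count
    # Get-WinEvent returns newest events first.
    LastRasManCrash       = ($crashes | Select-Object -First 1).TimeCreated
}
```

A host with PredatesFebruaryPatch set to True goes to the front of the patch queue; a non-zero RasManCrashCount on a fail-close VPN endpoint is worth correlating with user-reported connectivity loss.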

The Bigger Problem

Federal cybersecurity was already stretched thin. The DHS shutdown didn’t create a new vulnerability. It revealed how fragile the system was to begin with.

CISA’s entire budget for fiscal year 2026 sits at around $3 billion. That covers defending the networks of every federal civilian agency, coordinating with state and local governments, protecting critical infrastructure like power grids and water systems, and running the national incident response capability.

When two-thirds of that workforce gets sent home because Congress can’t agree on an immigration spending bill, every organization that depends on CISA for threat intelligence, vulnerability alerts, and incident support is on its own.

Six zero-days are hard enough to handle with full staffing. With a skeleton crew, during a shutdown, after a year of workforce cuts? The math doesn’t work.

Update your systems. Don’t assume anyone else is watching the gates.

References

  1. Help Net Security: Microsoft Patch Tuesday: 6 exploited zero-days fixed in February 2026 (February 11, 2026)
  2. Tenable: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (February 11, 2026)
  3. SecurityWeek: 6 Actively Exploited Zero-Days Patched by Microsoft With February 2026 Updates (February 11, 2026)
  4. The Hill: Senate Democrats Block Homeland Security Spending Bill (February 13, 2026)
  5. Nextgov: CISA to furlough most of its workforce under impending DHS shutdown (February 13, 2026)
  6. The Record: Interim CISA chief: “When the government shuts down, cyber threats do not” (February 2026)