Microsoft has recently identified multiple critical security vulnerabilities in its Windows and Office software, some of which are already being targeted by hackers. The company has issued urgent security updates to mitigate these so-called ‘zero-day’ flaws—vulnerabilities that can be exploited before a patch is available.
Nature of the Threat
These attacks typically occur as one-click exploits. A user clicking on a malicious link or shortcut file can inadvertently allow malware to enter their system. In certain cases, merely opening a compromised Office document may trigger an attack. Microsoft has confirmed that at least two of the identified flaws lure users into clicking deceptive links, while another is activated via malicious Office files.
Security experts have warned that detailed information about how these vulnerabilities can be exploited has already been circulated publicly, increasing the risk of attacks. However, Microsoft has not disclosed the exact source of this information.
Identified Vulnerabilities
Below is a summary of the main vulnerabilities and their potential impact:
| CVE Number | Location / Application | Type of Vulnerability | Potential Impact |
|---|---|---|---|
| CVE-2026-21510 | Windows Shell | SmartScreen bypass | Remote code execution, malware installation |
| CVE-2026-21513 | MSHTML (legacy browser engine) | Security bypass | Malware intrusion, data theft |
| Other 3 CVEs | Microsoft Office & Windows components | Active exploitation | Risk of ransomware or data exfiltration |
CVE-2026-21510 allows attackers to bypass Windows SmartScreen protection. Security specialist Dustin Childs noted, “The user must click on a link or shortcut file, and while remote code execution is technically possible after a single click, it remains relatively rare.”
CVE-2026-21513 affects the MSHTML engine, used in older applications even after Internet Explorer has been retired. Experts have highlighted that this flaw can be exploited to bypass security measures and deploy malware.
Expert Recommendations
Cybersecurity analyst Brian Krebs emphasised that Microsoft has patched three additional zero-day vulnerabilities that were actively being exploited. Users are urged to install updates immediately, as delays increase exposure to potential attacks.
Precautionary Measures:
Avoid clicking on unknown links or files
Verify the source before opening Office documents
Regularly install all available updates
Microsoft stresses that following these guidelines is essential to maintaining the security and integrity of Windows and Office environments.