
In early February 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) rapidly expanded its Known Exploited Vulnerabilities (KEV) catalog.
High-impact entries were added in the first half of the month.
Most additions came from Microsoft’s February 10 Patch Tuesday release.
Microsoft fixed 59 CVEs, including six actively exploited zero-days.
CISA added the six Microsoft zero-days to KEV on February 10.
CVE-2026-1731 (BeyondTrust pre-authentication RCE) was added on February 13.
Four additional entries—including CVE-2024-43468 and CVE-2025-15556—were added on February 12.
The Microsoft zero-days target security bypasses in Windows Shell, MSHTML, and Word.
They also include elevation of privilege in Desktop Window Manager and Remote Desktop Services.
Federal Civilian Executive Branch agencies must remediate per BOD 22-01.
Deadlines are tight; many have already passed or are imminent (e.g., March 3 for the Microsoft batch).
The KEV additions confirm active in-the-wild exploitation by ransomware groups and other actors.
Immediate action is required to prevent compromise.
Microsoft released its February 2026 security updates on February 10.
The release addressed 59 vulnerabilities across Windows, Office, Exchange, and related products.
Six of them were zero-days confirmed exploited in the wild.
Three had been publicly disclosed before the patches were available.
CISA added all six Microsoft zero-days to the KEV catalog on the same day, February 10.
On February 13, CISA added CVE-2026-1731 (CVSS 9.9, Critical): Pre-authentication OS command injection in BeyondTrust Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4).
Exploitation started shortly after the February 6 disclosure.
Proof-of-concept code appeared quickly; BeyondTrust patched cloud instances early and released fixes for on-premises deployments.
On February 12, CISA added four more entries.
These included CVE-2024-43468 (Microsoft Configuration Manager SQL injection, unauthenticated command execution).
Also added: CVE-2025-15556 (Notepad++ insecure download/update mechanism, supply-chain compromise risk).
The rapid KEV additions reflect confirmed active campaigns following disclosure.
KEV catalog entries confirm vulnerabilities are being exploited in real-world attacks.
This moves them from theoretical risk to active, high-priority threats.
Attackers include ransomware operators, initial access brokers, and nation-state actors.
The Microsoft bypass trio (Shell, MSHTML, Word) lowers the bar for initial access.
A single user click on a phishing link or attachment can bypass SmartScreen and other warnings.
This enables silent malware delivery in most enterprise Windows environments.
Privilege escalation flaws (DWM, RDS) allow attackers to go from user to SYSTEM rights.
Attackers can then disable defenses, install ransomware, or move laterally across the domain.
CVE-2026-1731 in BeyondTrust is particularly dangerous.
It allows unauthenticated remote code execution on exposed remote access servers.
Organizations using these tools for privileged support are at high risk of full compromise.
Federal remediation deadlines are very short, and some have already expired.
Delays increase the likelihood of successful breaches in ongoing campaigns.
Taken together, these entries show abuse of legacy components (MSHTML), fast exploit development after disclosure (BeyondTrust), and supply-chain risk in update mechanisms (Notepad++).
KEV drives prioritization and helps break attack chains before escalation.
Patch immediately: Apply all Microsoft February 2026 security updates.
Use Windows Update, WSUS, or direct KB installation methods.
Update BeyondTrust Remote Support and Privileged Remote Access to the latest patched versions.
Scan your environment for vulnerable assets using vulnerability management tools.
Apply network segmentation to limit exposure of critical systems.
Disable legacy MSHTML components if they are not required.
Restrict or firewall internet-facing remote access services.
Monitor for indicators of compromise.
Look for anomalous .LNK (shortcut) file behavior in Windows environments.
Watch for unexpected Shell or MSHTML process spawning.
Check BeyondTrust logs for unusual command execution attempts.
Tune SIEM rules and alerts to detect these patterns early.
Federal agencies: Meet all KEV remediation deadlines.
Document compensating controls if full patching is delayed (per BOD 22-01).
Treat these vulnerabilities as critical due to confirmed active exploitation.
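A worked example of the prioritization step described above, added here and not part of the advisory or of CISA's tooling: it reads a document in the KEV feed's JSON schema and ranks the entries a vulnerability scanner still reports as present by their BOD 22-01 due date, so overdue and ransomware-linked items surface first. The field names match the published feed; the sample entries, their due dates, and the placeholder CVE are constructed for the example rather than pulled from the live feed.

```python
import json
from datetime import date

# Constructed sample in the KEV feed's schema; field names match the live feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Due dates follow the 21-day pattern the advisory cites (added Feb 10 -> due Mar 3).
# The placeholder entry predates the February window and must be filtered out.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust", "dateAdded": "2026-02-13",
     "product": "Remote Support / Privileged Remote Access", "dueDate": "2026-03-06",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-43468", "vendorProject": "Microsoft", "dateAdded": "2026-02-12",
     "product": "Configuration Manager", "dueDate": "2026-03-05",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "Example", "dateAdded": "2026-01-05",
     "product": "Example Product", "dueDate": "2026-01-26",
     "knownRansomwareCampaignUse": "Known"},
]})

def triage(kev_json, unremediated, since, today):
    """Rank KEV entries added on or after `since` whose CVE ID is still in
    `unremediated` (the set a vulnerability scanner reports as present).
    Overdue entries sort first, then ransomware-linked ones, then by days
    remaining before the BOD 22-01 due date."""
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) < since or v["cveID"] not in unremediated:
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        rows.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "due": v["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    # Sort key: False sorts before True, so overdue/ransomware entries lead.
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_left"]))
    return rows

if __name__ == "__main__":
    findings = {"CVE-2026-1731", "CVE-2024-43468", "CVE-XXXX-PLACEHOLDER"}
    for r in triage(SAMPLE_KEV, findings, date(2026, 2, 1), date(2026, 3, 5)):
        status = "OVERDUE" if r["overdue"] else f'{r["days_left"]}d left'
        print(f'{r["cve"]:16} {r["product"]:45} due {r["due"]} ({status})')
```

In practice `SAMPLE_KEV` is replaced by the downloaded feed and `findings` by the CVE list exported from the vulnerability management tool.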