- Public and Exploitation Detected
- CVE-2026-21510 - To successfully exploit this vulnerability, a user must open a malicious link or shortcut file. This security feature bypass affects all support versions of Windows OS's and although rated "Important" it does have a CVSS of 8.2.
- CVE-2026-21513 - Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network. You will need to apply the update to remediate this risk.
- CVE-2026-24514 - This security feature bypass affects various flavors of Microsoft Office. It does require an attacker to send a user a malicious Office file and convincing the user to open it. Here is yet another reminder for end user education.
- Exploitation Detected but Not Public
- CVE-2026-21519 - This elevation of privilege vulnerability could give an attacker SYSTEM privileges and affects all supported versions of Windows OS's.
- CVE-2026-21525 - This moderate rated denial of service also affects Windows OS's. You will want to update when you can even though the CVSS score is just 5.4.
- CVE-2026-21533 - Improper privilege management in Remote Desktop could allow an attacker to elevate privileges. Microsoft rates this "Important" so update after testing.
- Not Public but Exploitation Detected
- CVE-2026-21509 - This security feature bypass vulnerability affects Office 2016 and 2019 including LTSC and also MS 365 Apps for Enterprise. Customers running MS 365 Apps and/or Office 2021 or later will be automatically protect via a server-side change and a local restart of the affected applications. If your organization requires a long testing time before applying the update then you may want to click the CVE link above and look at applying a couple of registry key changes to mitigate the issue until you can get the update installed.
Besides these it was a fairly average month. Please view the chart below for more information. I want to invite you to a couple of webinars I'm hosting this month. Both subjects are below. Just click on the title to register. You won't want to miss these.
- AD Certificate Services: A Massive Chunk of Windows Security Functionality Finally Gets the Security Research It Deserves
- Linux Security: Locking Down Admin Access with SSH and Sudo
|
|
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month.
|
Patch data provided by: |
|
||||
|
Technology |
Products Affected |
Severity |
Reference |
Workaround/ Exploited / Publicly Disclosed |
Vulnerability Info |
|
Windows |
Windows 10, 11 Server 2012, 2012 R2, 2016, 2019, 2022, 2025 including Server Core Installations |
Important |
CVE-2026-20846 |
Workaround: No Exploited: Yes* Public: Yes** |
Denial of Service |
|
Edge |
Edge (Chromium-based) |
Moderate |
Workaround: No |
Spoofing | |
|
Office |
365 Apps for Enterprise |
Critical |
CVE-2026-21511 |
Workaround: No Exploited: Yes* Public: Yes** |
Elevation of Privilege |
|
SharePoint |
Enterprise Server 2016 |
Important |
Workaround: No Exploited: No Public: No |
Spoofing | |
|
Azure |
AI Language Authoring, ARC, Data Explorer, DevOps Server 2022, Front Door, Functions, HDInsight, |
Critical |
CVE-2026-20960 |
Workaround: No |
Elevation of Privilege Information Disclosure Remote Code Execution Spoofing |
|
Developer Tools |
GitHub Copilot Plugin for JetBrains IDEs |
Important |
Workaround: No |
Remote Code Execution | |
|
.NET |
10.0, 9.0, 8.0 on Windows, Linux and Mac |
Important |
Workaround: No |
Spoofing | |
|
Visual Studio |
2022 version 18.3, 17.14 |
Important |
Workaround: No |
Elevation of Privilege Remote Code Execution Security Feature Bypass |
|
|
SQL Server |
Power BI Report Server |
Important |
Workaround: No Exploited: No Public: No |
Remote Code Execution |
|
|
Exchange |
2016 CU23 |
Important |
Workaround: No Exploited: No Public: No |
Spoofing |
|
|
Apps |
Windows Notepad |
Critical |
Workaround: No Exploited: No Public: No |
Information Disclosure |
|
|
System Center |
MS Defender for Endpoint for Linux |
Important |
Workaround: No Exploited: No Public: No |
Remote Code Execution |
|
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2026 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.
9450 SW Gemini Drive #53822, Beaverton, OR 97008
Note: We do our best to provide quality information and expert commentary but use all information at your own risk.