Monday, 6th April 2026

Microsoft Issues Urgent Warning Over Critical Vulnerabilities

Khabor Wala Desk

Published: 13th February 2026, 10:55 AM

Microsoft has identified multiple critical security flaws in its Windows and Office software, which are already being actively exploited by hackers. The company has released urgent updates to address several zero-day vulnerabilities—security gaps that attackers exploit before a fix is widely available.

These attacks typically follow a “one-click” pattern, where a user inadvertently clicks a malicious link, allowing malware to infiltrate their system. In some instances, opening a malicious Office file alone can trigger the exploit. According to Microsoft, at least two vulnerabilities rely on users being tricked into clicking fraudulent links, while another is activated by opening compromised Office documents.

The company has cautioned that detailed information on exploiting these flaws has already surfaced publicly, potentially increasing the risk of attacks. Microsoft has not disclosed exactly where this information was released.

One prominent vulnerability, CVE-2026-21510, affects the Windows shell. This flaw enables hackers to bypass Microsoft’s SmartScreen protection, which typically blocks dangerous links and files. Security expert Dustin Childs explained that, although a user must click a link or shortcut file to trigger the exploit, successful remote code execution in this manner remains rare. Google’s Threat Intelligence team assisted in identifying this vulnerability and confirmed that it is being widely abused. Exploitation can allow malware to run silently, increasing the risk of ransomware or data theft.

Another vulnerability, CVE-2026-21513, exists in MSHTML, the legacy browser engine still used by certain applications despite Internet Explorer’s retirement. This flaw allows attackers to bypass security controls and install malware on affected systems.

Security analyst Brian Krebs reported that Microsoft has patched three additional zero-day vulnerabilities that were also actively exploited. Experts strongly urge users to install updates immediately, as any delay leaves systems increasingly vulnerable.

Summary of Critical Vulnerabilities

| CVE ID | Affected Component | Exploit Method | Risk |
|---|---|---|---|
| CVE-2026-21510 | Windows Shell | Malicious link/shortcut click | Bypasses SmartScreen; remote code execution possible |
| CVE-2026-21513 | MSHTML (legacy browser) | Malicious web content/file | Malware installation via legacy apps |
| Others (3) | Windows/Office | Various | Actively exploited; details unspecified |

Users of Windows and Office are strongly advised to apply all pending updates immediately to mitigate the threat posed by these critical zero-day vulnerabilities.
