Back to Intelligence

Microsoft February 2026 Patch Tuesday: Defending Against Six Zero-Day Vulnerabilities

SA
Security Arsenal Team
April 8, 2026
6 min read

Introduction

The February 2026 Patch Tuesday release is a critical event for security operations worldwide. Microsoft has addressed six zero-day vulnerabilities, marking a significant surge in active exploitation attempts against core infrastructure. These are not theoretical risks; reports confirm that threat actors are already leveraging these flaws in the wild to elevate privileges and execute remote code. For defenders, this is not a drill—immediate patching and enhanced detection are mandatory to maintain security posture.

Technical Analysis

This release centers on vulnerabilities within the Windows operating system ecosystem, specifically targeting the Windows Kernel and core server services like SharePoint.

Affected Products and Vulnerabilities

While the specific CVE identifiers for the February 2026 cluster are being tracked by MSRC, the criticality lies in the component types affected:

  • Windows Kernel Elevation of Privilege (EoP): Multiple flaws allow attackers to gain SYSTEM-level privileges. This is often used as a post-exploitation step to bypass user access controls (UAC) or sandboxes.
  • Microsoft SharePoint Server Remote Code Execution (RCE): A critical RCE vulnerability that allows unauthenticated attackers to execute arbitrary code on affected SharePoint servers via a specially crafted network request. This is a high-value target for ransomware operators.
  • Windows Hyper-V Remote Code Execution: A flaw in the hypervisor layer that could allow a guest virtual machine to compromise the host operating system.

Exploitation Mechanics

1. Kernel Privilege Escalation: Attackers utilize memory corruption vulnerabilities in the kernel to manipulate kernel objects. By crafting specific input or leveraging a compromised low-privilege process, they can overwrite function pointers or alter access tokens, effectively granting themselves NT AUTHORITY\SYSTEM rights.

2. SharePoint RCE: The attack vector typically involves sending a malicious HTTP POST request to a vulnerable endpoint (e.g., _layouts/15 or similar API endpoints) on the SharePoint server. If the server fails to properly validate the input, deserialization flaws or buffer overflows allow the attacker to inject shellcode or load a web assembly (aspx) shell, establishing persistence.

Exploitation Status

Status: CONFIRMED ACTIVE EXPLOITATION. Intelligence indicates that exploitation of the SharePoint RCE and Kernel EoP flaws is already occurring. These vulnerabilities are expected to be added to the CISA Known Exploited Vulnerabilities (KEV) Catalog shortly, triggering federal civilian agency deadlines.

Detection & Response

The following detection rules and hunt queries are designed to identify active exploitation attempts against the core components impacted by this update.

SIGMA Rules

YAML
---
title: Potential SharePoint Web Shell Creation via IIS
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the creation of suspicious ASPX files in SharePoint directories, often indicative of web shell upload following RCE exploitation.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.persistence
  - attack.webshell
  - attack.t1505.003
logsource:
  product: windows
  category: file_create
detection:
  selection:
    TargetFilename|contains:
      - '\\inetpub\\wwwroot\\wss\\VirtualDirectories\\'
      - '\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\'
    TargetFilename|endswith:
      - '.aspx'
      - '.ashx'
  condition: selection
falsepositives:
  - Legitimate SharePoint administration or custom development deployments
level: high
---
title: Suspicious Process Spawn by w3wp.exe (SharePoint RCE)
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects w3wp.exe (IIS Worker Process) spawning cmd, powershell, or regsvr32. This is a strong indicator of successful RCE or web shell execution.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\\w3wp.exe'
  selection_child:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
      - '\\regsvr32.exe'
  condition: all of selection_*
falsepositives:
  - Rare; legitimate administrators usually do not interact with the server this way.
level: critical
---
title: Windows Kernel Exploitation via Suspicious Driver Load
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects the loading of drivers with suspicious signatures or from temporary paths, often used in kernel EoP exploits.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    Signed: 'false'
    ImageLoaded|contains:
      - '\\Temp\\'
      - '\\AppData\\Local\\Temp\\'
  condition: selection
falsepositives:
  - Legitimate driver testing (rare in production)
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process chains indicative of SharePoint RCE exploitation
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessId
| extend FullContext = strcat("Parent Command Line: ", InitiatingProcessCommandLine, " | Child Command Line: ", ProcessCommandLine)
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently modified ASPX/ASHX files in SharePoint directories
-- which could indicate web shell persistence from the Feb 2026 RCE
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/*
*/wwwroot/*
*.aspx', root='/', accessor='auto')
WHERE Mtime > now() - 7d
   OR Atime > now() - 7d

-- Hunt for w3wp.exe spawning suspicious shells
SELECT Parent.Name, Parent.Pid, Name, Pid, CommandLine, StartTime
FROM pslist()
LEFT JOIN SELECT Pid as ParentPid, Name as ParentName FROM pslist() ON ParentPid = Parent.Pid
WHERE ParentName =~ "w3wp"
  AND Name =~ "(cmd|powershell|pwsh)"

Remediation Script (PowerShell)

PowerShell
# Script to verify installation of February 2026 Cumulative Updates
# Run with Administrative Privileges

$ExpectedUpdates = @(
    # Placeholder KBs - Replace with actual February 2026 KB IDs from MSRC
    "KB5035853", # Example Win10/Server 202x
    "KB5035854"  # Example Win11
)

Write-Host "Checking for February 2026 Security Updates..." -ForegroundColor Cyan

$InstalledUpdates = Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date "2026-02-10") }

$MissingUpdates = @()
foreach ($KB in $ExpectedUpdates) {
    $Found = $InstalledUpdates | Where-Object { $_.HotFixID -eq $KB }
    if (-not $Found) {
        Write-Host "[MISSING] $KB" -ForegroundColor Red
        $MissingUpdates += $KB
    } else {
        Write-Host "[FOUND] $KB" -ForegroundColor Green
    }
}

if ($MissingUpdates.Count -gt 0) {
    Write-Host "CRITICAL: Missing $($MissingUpdates.Count) critical patches. Initiate patching immediately." -ForegroundColor Red
} else {
    Write-Host "All tracked updates appear to be installed." -ForegroundColor Green
}

Remediation

1. Immediate Patching: Deploy the February 2026 security updates immediately. Priority should be given to:

  • SharePoint Servers: Patch immediately to block the RCE vector.
  • Domain Controllers & Critical Infrastructure: Patch to mitigate Kernel EoP risks.
  • Hyper-V Hosts: Patch to prevent VM escape scenarios.

2. Restrict External Access: If patching is delayed, restrict access to SharePoint servers from untrusted networks. Enforce strict IP whitelisting on the firewall.

3. Vendor Advisory: Review the official Microsoft Security Update Guide for the complete list of CVEs and KB articles.

4. CISA Deadlines: Monitor for additions to the CISA Known Exploited Vulnerabilities Catalog. Federal agencies typically have a set deadline (e.g., 21 days) to patch these identified vulnerabilities.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

vulnerabilitycvepatchzero-daymicrosoftpatch-tuesdaywindows-kernelsharepoint

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action