Microsoft has released emergency security updates for Windows and Microsoft Office after confirming that several previously unknown vulnerabilities were being actively exploited by hackers.
The company said the flaws are zero-day vulnerabilities, meaning attackers were abusing them before fixes were available. Some of the exploits require only a single click, allowing attackers to compromise a system with minimal user interaction.
At least two of the patched vulnerabilities can be triggered when a user clicks a malicious link on a Windows system. At the same time, another can be exploited by opening a specially crafted Office file. Microsoft warned that such attacks could allow malware to be installed or unauthorised access to affected devices.
Details on how to exploit the bugs have already been published, the company said, increasing the likelihood of further attacks. Microsoft did not specify where the exploit information appeared.
Windows Shell flaw bypassed SmartScreen.
One of the most serious vulnerabilities, tracked as CVE-2026-21510, was found in the Windows Shell, which underpins the operating system’s user interface. The flaw affects all supported versions of Windows.
By abusing the bug, attackers could bypass Microsoft SmartScreen, a protection mechanism designed to block malicious links and files. Security researchers say this could allow malware to be installed remotely after a victim clicks a link or shortcut file.
Dustin Childs, a security researcher, described the issue as particularly dangerous, noting that “a one-click bug to gain code execution is a rarity.”
Widespread exploitation confirmed
Google Threat Intelligence Group, which contributed to the discovery of the vulnerabilities, confirmed that the Windows Shell flaw was under widespread active exploitation.
A Google spokesperson said successful attacks enabled the silent execution of malware with elevated privileges, creating a high risk of ransomware deployment, long-term system compromise or data theft.
The legacy browser component was also affected
Microsoft also addressed another Windows zero-day, CVE-2026-21513, found in MSHTML, the browser engine originally used by Internet Explorer. Although Internet Explorer has been discontinued, MSHTML remains embedded in modern Windows versions to support older applications.
The company said the flaw could be used to bypass Windows security protections and install malware.
Additional zero-days patched
According to independent security journalist Brian Krebs, Microsoft fixed at least three additional zero-day vulnerabilities that were also being actively exploited in the wild.
Users urged to update immediately
Microsoft is urging individuals and organisations to apply the latest security updates as soon as possible, warning that the active exploitation of these flaws makes unpatched systems especially vulnerable.
The incident highlights the continued threat of zero-day attacks and the importance of timely patching, even on fully supported, up-to-date systems.
