Over 60 Software Vendors Release Security Fixes Across Operating Systems, Cloud, and Network Platforms

This week’s global security update wave saw more than 60 software vendors issue important patches to fix vulnerabilities across a wide range of technology stacks. These updates affect major operating systems, cloud services, network infrastructure, productivity software, and enterprise tools. The collective effort underscores the scale and complexity of modern IT environments and the need for ongoing vulnerability management.

Leading the updates, Microsoft rolled out its February 2026 Patch Tuesday security bundle, which includes dozens of fixes for Windows, Office, Azure, and other Microsoft products. The company also addressed six zero-day vulnerabilities that have been actively exploited in the wild.

Microsoft Patch Tuesday: Scope and Risk

Microsoft’s February update fixes approximately 60 vulnerabilities in Windows and related products, including six that were identified as actively exploited by attackers prior to the release. These zero-days affect core components such as Windows Shell, MSHTML, Word, Desktop Window Manager, Remote Access services, and Remote Desktop Services.

Security researchers note that several of these flaws were publicly disclosed before the patch, raising the urgency for enterprises to apply the updates quickly.

“To successfully exploit this vulnerability, an attacker must convince a user to open a malicious link or shortcut file,” Microsoft explained in its advisory for one of the zero-day flaws, referring to CVE-2026-21510.

The six actively exploited zero-days in Microsoft’s February release include:

CVE	Type	Potential Impact
CVE-2026-21510	Security feature bypass	Bypass Windows SmartScreen and Shell prompts
CVE-2026-21513	Security feature bypass	MSHTML bypass, potential code execution
CVE-2026-21514	Security feature bypass	Office OLE mitigations bypass
CVE-2026-21519	Privilege escalation	Desktop Window Manager
CVE-2026-21533	Privilege escalation	Remote Desktop Services
CVE-2026-21525	Denial of Service	Remote Access Connection Manager

This Patch Tuesday also marked the start of a phased rollout of updated Secure Boot certificates, which will replace the originals from 2011 due to expiration later in 2026. Microsoft said this rollout will happen gradually to ensure compatibility and minimize disruption.

Adobe and Other Major Vendors Also Patch

Beyond Microsoft, Adobe released security updates for multiple applications, including Audition, After Effects, InDesign Desktop, Substance 3D apps, Bridge, Lightroom Classic, and its DNG SDK. Adobe said it is not aware of exploitation in the wild for the patched flaws.

SAP also published fixes for two critical vulnerabilities that could have serious impacts on enterprise systems:

• CVE-2026-0488 (CVSS 9.9) — A SQL injection vulnerability in SAP CRM and SAP S/4HANA that allows authenticated attackers to execute arbitrary SQL commands.
• CVE-2026-0509 (CVSS 9.6) — A missing authorization check in SAP NetWeaver Application Server that permits certain background Remote Function Calls without required permissions.

On the hardware side, Intel and Google collaborated on auditing Trust Domain Extensions (TDX) 1.5, uncovering multiple issues that affect confidential computing features. Google said that while the new features bring enhanced functionality, they also increase the complexity of highly privileged components in the trust base, requiring careful review.

Software Patches From Other Vendors

In addition to updates from Microsoft, Adobe, and SAP, a wide range of companies have issued patches for security flaws in recent weeks. These include industry leaders across enterprise and consumer tech:

• Cloud and Infrastructure: AWS, Google Cloud
• Hardware and Chipsets: AMD, Intel, NVIDIA, MediaTek, Qualcomm
• Networking and Security: Cisco, Fortinet, Check Point, F5
• Operating Systems and Platforms: Apple, Linux distributions (AlmaLinux, Ubuntu, Red Hat)
• Application and Dev Tools: GitLab, Spring Framework, Mozilla Firefox
• Endpoint and Enterprise Services: Citrix, Commvault, Splunk, Zoho ManageEngine
• Peripherals and Devices: Samsung, HP, Lenovo, ASUS, Canon, Ricoh
• Industrial and IoT: ABB, Schneider Electric, Rockwell Automation
• Storage and NAS: QNAP, Synology
• User Applications: Zoom, Chrome, Google Android and Pixel |

These updates range from critical patches for remote code execution to fixes for privilege escalation, information disclosure, spoofing, and denial-of-service vulnerabilities.

Enterprise Risk and Mitigation

The volume and variety of patches highlight the broad attack surface that modern enterprises must defend. Vulnerabilities can be found in everything from cloud infrastructure and operating systems to productivity software and industrial control systems.

Actionable steps for enterprise security teams:

• Prioritize critical and actively exploited flaws such as the Microsoft zero-days.
• Implement automated patch management and testing across systems and platforms.
• Monitor for unusual behavior following updates to detect regressions or misconfigurations.
• Review identity and access configurations in cloud services to prevent privilege escalation.
• Leverage threat intelligence feeds to understand exploitation trends.

Timely patching is one of the most effective defenses against both opportunistic attackers and targeted threat actors.

FAQ: Global Software Patch Wave (February 2026)