Patch Tuesday February 2026: 6 Microsoft Zero-Days and Critical Flaws to Patch Urgently

The February 2026 Patch Tuesday is one of the most critical of recent months. Microsoft fixed 58 vulnerabilities, including 6 Apple zero-days actively exploited in the wild. At the same time, Apple, Cisco and Ivanti also released urgent fixes for critical flaws. This article rounds up the vulnerabilities to patch first and provides practical commands to check and apply the patches on your systems.

Microsoft Patch Tuesday February 2026: overview

This month's Patch Tuesday fixes 58 vulnerabilities in total, broken down as follows:

• 6 zero-days actively exploited (absolute top priority to patch)
• Several remote code execution (RCE) flaws
• Security feature bypasses
• Privilege escalations

Let's focus on the most critical vulnerabilities that require immediate action.

The Microsoft zero-days to patch first

faille n8n-2026-21509: Microsoft Office zero-day (CVSS 7.8)

This vulnerability affects Microsoft Office and allows arbitrary code execution when a user opens a specially crafted document. With a CVSS score of 7.8, it is rated severe. Exploitation is confirmed in the wild, which means attackers are already actively using it in targeted phishing campaigns.

The attack vector is classic but devastatingly effective: a booby-trapped Office document sent by email or shared via a link. Opening the file is enough to trigger execution of the malicious code, with no further user interaction beyond the initial click.

CVE-2026-21514: security bypass in Word

This flaw makes it possible to bypass the security features built into Microsoft Word. In practice, it neutralizes the protections meant to prevent active content (macros, scripts) in documents from untrusted sources from running.

This vulnerability is particularly dangerous because it disables the safeguards that security teams rely on to protect users. Combined with a malicious document exploiting CVE-2026-21509, it forms a devastating attack vector.

Checking and applying Windows fixes

# Check for available updates via PowerShell
Get-WindowsUpdate -MicrosoftUpdate

# Install all security updates
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

# Check the installed patch version
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Force an update check from the command line
wuauclt /detectnow /updatenow

For environments managed via WSUS or SCCM, make sure the February 2026 fixes are approved and deployed across your entire fleet:

# Check WSUS status (on the WSUS server)
Get-WsusUpdate -Approval Unapproved -Status FailedOrNeeded |
  Where-Object {$_.Update.Title -match "2026-02"} |
  Approve-WsusUpdate -Action Install -TargetGroupName "Production"

# Compliance report
Get-WsusComputer | ForEach-Object {
    Get-WsusUpdatePerComputer -UpdateScope (New-Object Microsoft.UpdateServices.Administration.UpdateScope) |
    Where-Object {$_.UpdateInstallationState -eq "NotInstalled"}
}

Apple flaw CVE-2026-20700: dyld zero-day on iOS and macOS

Apple released an emergency fix for CVE-2026-20700, a zero-day vulnerability in dyld, the dynamic library loader for iOS and macOS. This flaw allows arbitrary code execution on Apple devices.

The dyld component is fundamental to Apple's architecture: it is responsible for loading all dynamic libraries when applications start. A vulnerability at this level gives the attacker deep control over the system, potentially even before application-level security mechanisms are initialized.

Checking and applying Apple fixes

# Check the current macOS version
sw_vers

# Check for available updates
softwareupdate --list

# Install all available updates
sudo softwareupdate --install --all --restart

# For Macs managed via MDM, check compliance
sudo profiles status -type enrollment

Cisco CVE-2026-20045: RCE on Unified Communications

Cisco patched CVE-2026-20045, a critical remote code execution vulnerability affecting Cisco Unified Communications. This flaw has been added to the CISA KEV catalog (Known Exploited Vulnerabilities), with a remediation deadline of February 11 for US federal agencies.

Being added to the CISA KEV catalog means exploitation is confirmed and active. Cisco Unified Communications products are deployed in thousands of companies for IP telephony and unified communications. A compromise lets the attacker run code with the service's privileges, opening the door to a complete takeover of the communications infrastructure.

Checking your Cisco UCM version

# Check the Cisco Unified Communications Manager version
# Via the UCM server CLI
show version active

# Check installed patches
utils system upgrade list

# Back up the configuration before updating
utils disaster_recovery backup network

# Apply the patch
utils system upgrade initiate

Ivanti Endpoint Manager Mobile: mass exploitation underway

Two critical vulnerabilities affect Ivanti Endpoint Manager Mobile (formerly MobileIron):

• CVE-2026-1281: a vulnerability allowing unauthorized access
• CVE-2026-1340: a complementary flaw that worsens the exploitation

Telemetry data shows 417 exploitation sessions originating from 8 distinct IP addresses between February 1 and 9, 2026. This active, concentrated exploitation points to a coordinated campaign, likely run by an organized group targeting enterprise mobile fleet management solutions.

Ivanti EPMM is used to manage corporate mobile devices (MDM). Compromising it gives the attacker potential access to an organization's entire mobile fleet, including the ability to push malicious configurations, access corporate email and exfiltrate sensitive data.

Remediation steps for Ivanti EPMM

# Check the installed Ivanti EPMM version
# From the admin console or over SSH
cat /opt/ivanti/version.txt

# Check for suspicious connections on the EPMM server
# Look for the 8 IPs identified in the exploitation campaign
sudo netstat -tnp | grep -E ":(443|8443)" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

# Analyze the access logs to detect exploitation attempts
sudo grep -E "CVE-2026-1281|CVE-2026-1340" /var/log/ivanti/*.log
sudo grep -i "exploit\|unauthorized\|injection" /var/log/ivanti/access.log | tail -50

# Block suspicious IPs urgently via iptables
# Replace with the IPs identified in your logs
sudo iptables -A INPUT -s SUSPICIOUS_IP -j DROP

n8n CVE-2026-25049: system command execution

n8n, the popular workflow automation platform, is affected by CVE-2026-25049. This vulnerability allows system command execution through malicious workflows. If you run n8n in production, updating is imperative.

The risk is especially high for n8n instances exposed to the Internet or accessible to untrusted users. A workflow crafted by an attacker can run arbitrary commands on the server hosting n8n, leading to a complete compromise.

# Check the installed n8n version
n8n --version

# Update n8n via npm
sudo npm update -g n8n

# If n8n runs in Docker, update the container
docker pull n8nio/n8n:latest
docker stop n8n && docker rm n8n
docker run -d --name n8n -p 5678:5678 \
  -v ~/.n8n:/home/node/.n8n \
  n8nio/n8n:latest

# Make sure the instance is not publicly exposed
ss -tlnp | grep 5678

How to prioritize your patches: the CISA KEV method

Faced with so many vulnerabilities to fix, prioritization is essential. The CISA KEV catalog (Known Exploited Vulnerabilities) has become the benchmark for deciding which flaws to patch first.

The principle is simple: if a CVE appears in the KEV catalog, it means its exploitation is confirmed in the wild. These vulnerabilities take precedence over all others, regardless of their theoretical CVSS score.

Recommended priority order for February 2026

1. Priority 1 (immediate): CVE-2026-20045 (Cisco UCM, in CISA KEV), the 6 Microsoft zero-days, CVE-2026-20700 (Apple dyld)
2. Priority 2 (within 48h): CVE-2026-1281 and CVE-2026-1340 (Ivanti EPMM, mass exploitation underway)
3. Priority 3 (within 7 days): CVE-2026-25049 (n8n), the other 52 Microsoft fixes

# Download the CISA KEV catalog in JSON format for auditing
curl -sL https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  -o /tmp/cisa-kev.json

# Extract the CVEs added in February 2026
python3 -c "
import json
data = json.load(open(\"/tmp/cisa-kev.json\"))
for v in data[\"vulnerabilities\"]:
    if v[\"dateAdded\"].startswith(\"2026-02\"):
        cve = v[\"cveID\"]; vendor = v[\"vendorProject\"]
        product = v[\"product\"]; due = v[\"dueDate\"]
        print(cve, \"|\", vendor, \"|\", product, \"| Deadline:\", due)
"

# Scan your network to identify vulnerable systems (with Nmap)
sudo nmap -sV --script vulners -oN /tmp/scan-vulns.txt 192.168.1.0/24

Automating patch management

Applying patches manually doesn't scale. Here is how to automate the process on your Linux servers, which often host critical services such as n8n, Ivanti or the reverse proxies in front of your applications.

Automatic updates on Debian/Ubuntu

# Install and configure unattended-upgrades
sudo apt install -y unattended-upgrades apt-listchanges

# Enable automatic security updates
sudo dpkg-reconfigure -plow unattended-upgrades

# Check the configuration
cat /etc/apt/apt.conf.d/50unattended-upgrades | grep -E "Allowed-Origins|Automatic-Reboot"

# Force an immediate check
sudo unattended-upgrade --dry-run --debug

Automatic updates on RHEL/CentOS/Rocky

# Install dnf-automatic
sudo dnf install -y dnf-automatic

# Configure it to apply security fixes automatically
sudo sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf

# Enable the timer
sudo systemctl enable --now dnf-automatic.timer

# Check the status
sudo systemctl status dnf-automatic.timer

Compliance monitoring

# Quick patch compliance check script
#!/bin/bash
echo "=== Patch check - $(date) ==="
echo ""
echo "--- Last update ---"
stat /var/log/apt/history.log 2>/dev/null | grep Modify || \
  rpm -qa --last | head -1

echo ""
echo "--- Pending security updates ---"
apt list --upgradable 2>/dev/null | grep -i security || \
  dnf updateinfo list security 2>/dev/null

echo ""
echo "--- Reboot required? ---"
[ -f /var/run/reboot-required ] && echo "YES - Reboot required" || echo "No"

Strengthening your overall security posture

Patches fix known vulnerabilities, but a robust security posture requires defense in depth. Take advantage of this update cycle to also check:

• Your TLS certificates: are they up to date and correctly configured? Our guide on Certbot and Let's Encrypt walks you through automating renewals.
• Your firewall: are your UFW rules up to date? Only the strictly necessary ports should be open.
• Your anti-brute-force protection: Fail2ban is an essential first line of defense, but as we explain in our article Fail2ban is not enough, it must be complemented by other measures.
• Your server checklist: review our Linux server security checklist to make sure you don't miss any critical point.

Conclusion

The February 2026 Patch Tuesday is a brutal reminder of the constant race between attackers and defenders. With 6 actively exploited Microsoft zero-days, a critical Apple flaw in a component as fundamental as dyld, a Cisco RCE in the CISA KEV catalog and a mass exploitation campaign against Ivanti EPMM, system administrators have no time to lose.

The priorities are clear: start with the CVEs in the CISA KEV catalog and confirmed zero-days, then expand to the other fixes during the week. Automate what you can with unattended-upgrades or dnf-automatic. And above all, don't just patch: reinforce your defense in depth with a properly configured firewall, active monitoring and least-privilege principles applied consistently.

The next wave of vulnerabilities will arrive next month. Be ready.