Microsoft has issued urgent security updates for Windows and Office to fix multiple vulnerabilities that attackers are actively exploiting to compromise users’ computers. The flaws are zero-days: they were being exploited in the wild before a patch existed, which is what makes them so critical.
The exploits are “one-click” attacks, meaning hackers can gain access or install malware with minimal user action. Two of the vulnerabilities can be triggered by clicking a malicious link on a Windows device, while another is activated when opening a malicious Office file. Microsoft confirmed that these bugs were discovered with input from Google’s Threat Intelligence Group.
One of the most serious flaws, CVE-2026-21510, resides in the Windows shell, the component that provides the operating system’s user interface. It affects all supported Windows versions and lets an attacker bypass Microsoft SmartScreen, so a malicious file delivered through a link can run without the warning SmartScreen would otherwise show; once the user clicks, the attacker can plant malware on the machine. Security experts warn that one-click code execution bugs of this kind are rare and dangerous.
Another significant vulnerability, CVE-2026-21513, lies in MSHTML, the legacy Internet Explorer rendering engine that still ships with modern Windows and can be reached from other applications. The flaw lets attackers bypass security safeguards and deploy malware without any visible prompt. According to independent researchers, additional zero-days were also patched in this update to address ongoing attacks targeting Windows and Office users.
Experts caution that, now that exploit details are public, the volume of attacks is likely to rise, and they urge users and organizations to apply the updates immediately and confirm that they actually installed. Successful exploitation of these vulnerabilities can result in ransomware deployment, theft of sensitive data, or full system compromise, which is why keeping systems current matters.
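The article gives no KB numbers, so the following is an added, general-purpose check (it is not code from the article or from Microsoft) that an administrator can run on an endpoint to see which Windows updates are still pending, which hotfixes landed most recently, and which Office Click-to-Run build is installed. It uses only the Windows Update Agent COM API, Get-HotFix, CIM and the standard Click-to-Run registry key; compare its output against Microsoft’s release notes for the update in question.

```powershell
# Added example, not from the article: confirm Windows and Office updates on an endpoint.
# Run in an elevated PowerShell session. No specific KB is assumed because the page
# does not list one; the script reports what is pending and what is installed.

# 1. Updates Windows Update still considers pending (Windows Update Agent COM API).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

if ($pending.Count -eq 0) {
    Write-Output "No pending software updates reported by Windows Update."
} else {
    Write-Output "Pending updates:"
    foreach ($u in $pending) {
        # KBArticleIDs is a collection of bare numbers; prefix each with KB for readability.
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ","
        Write-Output ("  {0,-12} {1,-10} {2}" -f $kbs, $u.MsrcSeverity, $u.Title)
    }
}

# 2. Most recently installed hotfixes. InstalledOn can be null on some builds, so filter it.
Write-Output "`nRecently installed hotfixes:"
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 3. OS build plus the Office Click-to-Run build (the key is absent on MSI installs).
$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)

$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2r) {
    $cfg = Get-ItemProperty -Path $c2r
    Write-Output ("Office Click-to-Run version: {0}" -f $cfg.VersionToReport)
} else {
    Write-Output "No Click-to-Run Office configuration found (MSI install or Office not present)."
}
```

If the pending list is empty and the recent hotfix entries carry the current month’s date, the Windows side of the update has landed; for Office, match VersionToReport against the build Microsoft lists for the fixed release on your update channel.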
