February 2026 monthly report: Microsoft Patch Tuesday in retrospect
Microsoft shipped fixes for more in-the-wild zero-days in 2024 than in any prior year - and the Windows MSHTML, TCP/IP, and Task Scheduler issues remain prevalent on unpatched estate. A February inventory of the Microsoft CVEs you still need to verify are gone.
A year of records
Microsoft shipped fixes for more in-the-wild zero-days in 2024 than in any prior year on record - by our count, at least 22 CVEs that were in active exploitation at the time of disclosure. The pattern has consequences for defenders well into 2026: every Windows estate we audit still carries some of those CVEs.
This month's digest is a re-inventory of the 2024 Microsoft CVEs that remain the most consequential to verify-as-patched in February 2026.
The 2024 Microsoft CVEs that still matter
| CVE | Product | CVSS | Status |
|---|---|---|---|
| CVE-2024-38063 | Windows TCP/IP IPv6 | 9.8 | CRITICAL |
| CVE-2024-43572 | Microsoft Management Console | 7.8 | HIGH (KEV) |
| CVE-2024-38112 | Windows MSHTML platform | 7.5 | HIGH (KEV) |
| CVE-2024-49039 | Windows Task Scheduler | 8.8 | HIGH (KEV) |
| CVE-2024-21412 | Windows SmartScreen | 8.1 | HIGH (KEV) |
Why each one matters in 2026
CVE-2024-38063 (IPv6 TCP/IP RCE)
Disclosed August 2024. Pre-authentication remote code execution via crafted IPv6 packets - no user interaction. Affects every Windows version with IPv6 enabled (the default). Mitigation guidance: patch or disable IPv6. Pre-patch estate is the worst case for this CVE.
CVE-2024-43572 (Microsoft Management Console)
Disclosed October 2024 with confirmed in-the-wild exploitation. Lures users to open a malicious .msc file. Microsoft removed the ability to open .msc files from untrusted locations as part of the fix.
CVE-2024-38112 (MSHTML / Internet Explorer)
Disclosed July 2024. Used by the Void Banshee APT (Check Point Research) to lure victims via crafted Internet Shortcut (.url) files that open in IE mode even on modern Windows. Mitigation: the patch removes the IE-mode trigger path.
CVE-2024-49039 (Task Scheduler)
Disclosed November 2024. Privilege escalation from low-privilege user to NT AUTHORITY\SYSTEM via Task Scheduler RPC. KEV-listed within a week of disclosure.
CVE-2024-21412 (SmartScreen bypass)
Disclosed February 2024. SmartScreen warning bypass via crafted .url shortcut chains. Used by DarkGate and others to deliver follow-on malware without the Mark-of-the-Web prompt.
The pattern within the pattern: three of the five CVEs in this digest are user-interaction vectors that lure a click on a crafted file. Your endpoint protection telemetry should be alert to .msc, .url, and Internet Shortcut handling - the underlying primitives are not new.
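A sketch of the carrier-file check described above, added here as an example and not taken from any EDR product. It assumes process-creation telemetry whose command line carries the opened file's path; the "untrusted" locations, host names, file names and the `handler.exe` process are constructed for illustration.

```python
import re

# Assumption: "untrusted" is site policy. Here: UNC/WebDAV shares and the
# per-user Downloads, Temp and INetCache trees.
UNTRUSTED = re.compile(
    r"^(\\\\|[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp"
    r"|appdata\\local\\microsoft\\windows\\inetcache)\\)", re.I)
# A quoted or bare argument ending in a carrier extension.
CARRIER_ARG = re.compile(r'"([^"]+\.(?:msc|url))"|(\S+\.(?:msc|url))(?=\s|$)', re.I)
# Extension -> CVEs in this digest that use it as the carrier file.
RELATED = {"msc": "CVE-2024-43572", "url": "CVE-2024-38112, CVE-2024-21412"}

def carrier_alerts(events):
    """One alert per .msc/.url argument that sits in an untrusted location."""
    alerts = []
    for ev in events:
        for quoted, bare in CARRIER_ARG.findall(ev["command_line"]):
            path = quoted or bare
            if UNTRUSTED.match(path):
                ext = path.rsplit(".", 1)[1].lower()
                alerts.append({"host": ev["host"], "path": path,
                               "related": RELATED[ext]})
    return alerts

# Constructed process-creation events (hypothetical hosts, users and files;
# handler.exe is a placeholder process name).
SAMPLE_EVENTS = [
    {"host": "hr-ws07", "command_line":
        r'"C:\Windows\System32\mmc.exe" "C:\Users\avery\Downloads\Q1 invoice.msc"'},
    {"host": "it-ws02", "command_line":
        r'mmc.exe C:\Windows\System32\services.msc'},
    {"host": "fin-ws11", "command_line":
        r'handler.exe "C:\Users\kim\AppData\Local\Temp\7z\statement.url"'},
    {"host": "ops-ws03", "command_line":
        r'mmc.exe \\files.example.internal\drop\tools.msc'},
]

if __name__ == "__main__":
    for alert in carrier_alerts(SAMPLE_EVENTS):
        print(alert)
```

The built-in snap-in opened from System32 produces no alert, which is the negative case to keep when tuning the path list.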
February audit checklist
- Week 1
KEV re-inventory
Run a script against your estate to confirm each of the five CVEs above is patched. CISA KEV provides the canonical list of in-the-wild Microsoft CVEs; aim for 100% remediation of KEV entries on internet-facing hosts.
- Week 2
IPv6 exposure check
For CVE-2024-38063 specifically: confirm internet-facing Windows hosts are patched or have IPv6 disabled on external interfaces. The CVE has no user-interaction requirement.
- Week 3
Endpoint telemetry review
Confirm EDR is alerting on .msc and Internet Shortcut (.url) execution from untrusted paths. These are the carrier files for the MMC and MSHTML CVEs.
- Week 4
Patch-cycle SLA review
2024's Microsoft zero-day cadence demonstrated that monthly cadence is no longer sufficient for KEV-listed CVEs. Review your SLA for KEV-prioritised patching and tighten as needed.
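One way to script the Week 1 and Week 2 checks, added here as an example and not the digest's own tooling. It assumes a scanner export already reduced to per-host open CVEs; the host records are constructed, the KEV flags follow the Status column of the table above, and the three-tier ordering is an assumption based on the priorities this digest states.

```python
# CVE -> (CVSS, KEV flag), both taken from the table in this digest.
TRACKED = {
    "CVE-2024-38063": (9.8, False),
    "CVE-2024-43572": (7.8, True),
    "CVE-2024-38112": (7.5, True),
    "CVE-2024-49039": (8.8, True),
    "CVE-2024-21412": (8.1, True),
}

# Constructed sample: scanner export reduced to the fields used below.
# Host names and the CVE-0000-00000 placeholder are not real findings.
HOSTS = [
    {"host": "web01", "internet_facing": True, "ipv6_external": True,
     "open_cves": {"CVE-2024-38063", "CVE-2024-49039"}},
    {"host": "vpn01", "internet_facing": True, "ipv6_external": False,
     "open_cves": {"CVE-2024-38063"}},
    {"host": "hr-ws07", "internet_facing": False, "ipv6_external": False,
     "open_cves": {"CVE-2024-43572", "CVE-2024-21412", "CVE-0000-00000"}},
    {"host": "dc01", "internet_facing": False, "ipv6_external": False,
     "open_cves": set()},
]

def kev_remediation_rate(hosts):
    """Percent of (internet-facing host, KEV CVE) pairs that are patched."""
    kev = {cve for cve, (_, is_kev) in TRACKED.items() if is_kev}
    facing = [h for h in hosts if h["internet_facing"]]
    total = len(facing) * len(kev)
    still_open = sum(len(h["open_cves"] & kev) for h in facing)
    return 100.0 if total == 0 else round(100 * (total - still_open) / total, 1)

def worklist(hosts):
    """Open (tier, host, cve) rows, ordered by the priorities in this digest."""
    rows = []
    for h in hosts:
        for cve in h["open_cves"] & set(TRACKED):
            cvss, is_kev = TRACKED[cve]
            if cve == "CVE-2024-38063" and h["internet_facing"] and h["ipv6_external"]:
                tier = 0  # no-interaction RCE reachable over external IPv6
            elif is_kev and h["internet_facing"]:
                tier = 1  # KEV entry on an internet-facing host
            else:
                tier = 2  # everything else that is still open
            rows.append((tier, -cvss, h["host"], cve))
    return [(t, host, cve) for t, _, host, cve in sorted(rows)]

if __name__ == "__main__":
    print(f"KEV remediation, internet-facing: {kev_remediation_rate(HOSTS)}%")
    for row in worklist(HOSTS):
        print(row)
```

A host such as the constructed `vpn01`, unpatched for CVE-2024-38063 but with IPv6 off on its external interface, stays on the worklist at a lower tier so the missing patch is not forgotten once the mitigation is in place.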
Microsoft's 2024 zero-day count is the highest on record - and 2025 hasn't yet shown any decline. Your patching SLA was probably written when "monthly Patch Tuesday" was the cadence. The threat actor's cadence is now hourly.
- Staatse monthly digest, Feb 2026
Key takeaways
- 2024 was Microsoft's highest year for in-the-wild zero-days. The unpatched estate from that year is still your top exposure in 2026.
- CVE-2024-38063 is the only no-interaction RCE on the list - prioritise patching IPv6-enabled internet-facing Windows hosts first.
- Three of the five CVEs use crafted-file user-interaction lures - EDR detection on .msc and .url files is the second-layer defence.
- Monthly cadence is no longer sufficient for KEV-listed Microsoft CVEs. Tighten the SLA.
Closing
For a focused audit of your Windows estate against the 2024 KEV-listed Microsoft CVEs, our network penetration testing service includes that scope. Get in touch.
References & further reading
- NVD: CVE-2024-38063 - Windows TCP/IP Remote Code Execution
- Microsoft MSRC: CVE-2024-38063 advisory - Windows TCP/IP IPv6 RCE
- NVD: CVE-2024-43572 - Microsoft Management Console RCE
- NVD: CVE-2024-38112 - Windows MSHTML platform spoofing
- Check Point Research: Void Banshee APT exploiting CVE-2024-38112 in the wild
- NVD: CVE-2024-49039 - Windows Task Scheduler privilege escalation
- NVD: CVE-2024-21412 - Windows SmartScreen security bypass
- CISA: Known Exploited Vulnerabilities Catalog