Microsoft Says Hackers Are Exploiting Critical Zero-Day Bugs Targeting Windows and Office Users

Microsoft has issued security updates to address several serious vulnerabilities in Windows and Office that the company says attackers are exploiting to gain unauthorised access to users’ systems.

The attacks are described as “one-click” exploits, meaning hackers can compromise a device with very limited interaction from the victim. In at least two instances, attackers can exploit the flaws by persuading a user to click a malicious link on a Windows machine. Another vulnerability can be triggered simply by opening a specially crafted Office document.

These flaws are classified as zero-day vulnerabilities — a term used when security gaps are exploited before the software developer has released a fix.

Microsoft noted that technical details outlining how to exploit the vulnerabilities have already been published, potentially raising the likelihood of additional attacks. The company did not specify where those details appeared, and a spokesperson did not immediately provide further comment when contacted. In its advisories, Microsoft credited researchers from Google’s Threat Intelligence Group for contributing to the discovery of the issues.

One of the vulnerabilities, tracked as CVE-2026-21510, was identified in the Windows shell, which controls the operating system’s user interface. Microsoft confirmed that the issue impacts all supported versions of Windows.

The flaw can be triggered when a user clicks a malicious link. Once exploited, it allows attackers to bypass Microsoft’s SmartScreen feature—a built-in safeguard that blocks harmful links and files. By circumventing this protection, hackers can execute malicious code on the victim’s computer.

Security researcher Dustin Childs explained that while user interaction is required, specifically clicking a link that containsa shortcut fileor opening a shortcut file, vulnerabilities that are vulnerable to a single click are relatively rare. He noted that the flaw can be used to install malware on a compromised system remotely.

A spokesperson for Google confirmed that the Windows shell vulnerability is being widely exploited. According to Google, successful attacks enable malware to run silently with elevated privileges, significantly increasing the risk of ransomware deployment, deeper system compromise, or intelligence collection.

Microsoft also addressed another zero-day vulnerability, tracked as CVE-2026-21513, which affects MSHTML — Microsoft’s proprietary browser engine originally used by Internet Explorer. Although Internet Explorer has been discontinued, MSHTML remains embedded in modern versions of Windows to maintain compatibility with older applications.

Microsoft stated that this flaw can also be exploited to bypass Windows security mechanisms, allowing attackers to plant malware on affected devices.

In addition, independent security reporter Brian Krebs reported that Microsoft had patched three additional zero-day vulnerabilities in its software that were being actively exploited in the wild.

Microsoft is urging users and organisations to apply the latest security updates immediately to reduce the risk of compromise from these ongoing attacks.