Google and Microsoft Jointly Flag Widespread Exploitation of Major Windows Security Flaw

Google’s Threat Intelligence Group (TAG) and Microsoft issued an urgent joint warning regarding a high-severity security flaw in the Windows operating system that is currently seeing widespread exploitation by malicious actors. The vulnerability, tracked as CVE-2026-21510, allows attackers to bypass core Windows security prompts and execute malicious code silently on victim machines.

The disclosure comes as part of a massive coordinated security effort involving the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies and private-sector organizations are being urged to patch the vulnerability immediately to prevent further compromise.


A Breakdown of the Vulnerability

The flaw resides in the Windows Shell, the foundational component of the Windows user interface responsible for managing files, folders, and shortcuts. According to Google’s researchers, the vulnerability involves a "protection mechanism failure" that allows attackers to manipulate how Windows handles metadata in shortcut (.LNK) files and links.

Under normal circumstances, Windows uses SmartScreen and "Mark of the Web" (MOTW) tags to warn users when they are opening files downloaded from the internet. However, CVE-2026-21510 allows an attacker to "launder" these files, tricking the system into treating a malicious external link as a trusted local file.

"Adversaries are leveraging this weakness to deliver malware at scale," said Jack Bicer, Director of Vulnerability Research at Action1. "Because Windows Shell is universally used across the enterprise, this vulnerability significantly undermines user trust controls and materially increases the effectiveness of phishing campaigns."


The "Silent Click" Execution

What makes this exploit particularly dangerous is the lack of user notification. In a typical phishing attempt, a user might see a warning asking, "Are you sure you want to run this file?" By exploiting this flaw, attackers can bypass these prompts entirely.

Attack Vector: An attacker sends a specially crafted .LNK file or link via email or a malicious website.

The Result: When the user clicks the link, the malicious payload executes with the full privileges of the logged-in user without any pop-ups or security warnings.

The Goal: Security analysts have already observed this flaw being used as an entry point for ransomware and information-stealing malware.


Coordinated Defense: Google and Microsoft Team Up

The discovery of the flaw is the result of collaborative monitoring between Google’s Threat Intelligence Group and several Microsoft security teams, including the Microsoft Threat Intelligence Center (MSTIC). That both companies identified the flaw at the same time suggests the exploit was surfacing in global telemetry data, which in turn indicates that multiple "advanced persistent threat" (APT) groups may be using the same technique.

The February 2026 "Patch Tuesday" release addressed a total of 59 vulnerabilities, but CVE-2026-21510 is considered the most critical due to its "in-the-wild" exploitation. Other related zero-days identified today include:

CVE-2026-21513: A bypass in the MSHTML rendering framework.

CVE-2026-21514: A flaw in Microsoft Word that bypasses security mitigations for embedded components.


Is Your System at Risk?

The vulnerability affects a broad range of Windows versions, including:

Windows 11 (up to version 25H2)

Windows 10 (version 21H2 and later)

Windows Server (2012 through 2025)

For home users, the risk is primarily through phishing. For enterprise environments, the flaw presents a massive risk for "lateral movement," where an attacker who has gained access to one low-privilege computer can use the bypass to spread throughout the network.


Immediate Action Required

Cybersecurity experts are calling on all Windows users to take the following steps today:

Run Windows Update: Go to Settings > Windows Update and click "Check for updates." Ensure you install KB5077179 (for Windows 11) or KB5075912 (for Windows 10).

Exercise Extreme Caution: Avoid clicking on shortcut files (.LNK) or unfamiliar links in emails, even if they appear to come from known contacts.

Enterprise Mitigation: IT administrators are encouraged to disable .LNK file execution via Group Policy or enable Attack Surface Reduction (ASR) rules to block untrusted Office and browser-based protocol launches.
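As an added example (not code from the article, Google or Microsoft), the PowerShell audit below checks whether either of the KB numbers named above is installed and lists shortcut files in download locations that carry no Mark-of-the-Web Zone.Identifier stream, which is what a "laundered" .LNK would look like on disk; the scanned directories are an assumption for this example.

```powershell
# Added example: audit patch state for CVE-2026-21510 and report .LNK files without MOTW.
# KB numbers are taken from the article; the directory list is an assumption.
$RequiredKBs = @('KB5077179', 'KB5075912')   # Windows 11 / Windows 10 per the article
$ScanDirs    = @("$env:USERPROFILE\Downloads", "$env:TEMP")

# 1. Patch state: Get-HotFix reads the list of installed updates on the local system.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = $RequiredKBs | Where-Object { $installed -contains $_ }
if ($patched) {
    Write-Output "Patch present: $($patched -join ', ')"
} else {
    Write-Warning "Neither $($RequiredKBs -join ' nor ') is installed; the CVE-2026-21510 fix is missing."
}

# 2. MOTW check: a file downloaded from the internet normally carries a Zone.Identifier
#    alternate data stream containing ZoneId=3 (Internet) or ZoneId=4 (Restricted).
#    A .LNK in a download folder with no such stream deserves a closer look.
function Get-LnkZoneReport {
    param([string[]]$Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = 'none'
            try {
                # Throws when the file has no Zone.Identifier stream; caught below.
                $ads = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
                foreach ($line in $ads) {
                    if ($line -match '^ZoneId=(\d)') { $zone = $Matches[1]; break }
                }
            } catch { }
            [pscustomobject]@{
                Path     = $_.FullName
                ZoneId   = $zone
                Modified = $_.LastWriteTime
                Suspect  = ($zone -eq 'none')   # no MOTW on a shortcut in a download location
            }
        }
    }
}

Get-LnkZoneReport -Paths $ScanDirs | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A shortcut flagged as Suspect is not proof of compromise (locally created shortcuts also lack MOTW), but on an unpatched host it is the file class this flaw abuses and should be quarantined rather than opened.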

"This is not a 'wait-and-see' situation," warned a CISA spokesperson. "The ease with which this bypass can be executed makes it a prime tool for cybercriminals. Patching today is the only way to ensure your data remains secure."

