Tags: cybersecurity, zero-day vulnerabilities, Patch Tuesday, ransomware

6 Zero-Days Exploited Right Now: What February's Patch Tuesday Means for Your Business

Lorenz Kutschka · 9 min read

I spent Tuesday morning doing what I do every second Tuesday of the month: reading Microsoft's patch notes like they're a horror novel. February's edition did not disappoint. Six zero-day vulnerabilities, all actively exploited in the wild, plus over 50 additional patches across the Windows ecosystem. By the time most IT teams finished their morning standup, threat actors had already been using these exploits for weeks.

The same week, Apple quietly pushed a patch for CVE-2026-20700, a zero-day in iOS and macOS that allowed remote code execution through maliciously crafted web content. If you're reading this on an unpatched iPhone, that's not great.

I've been covering cybersecurity developments for a while now, and there's a pattern that repeats every single time. The patches come out. The headlines spike. Most businesses do nothing for days, sometimes weeks. And in that gap between disclosure and action, the real damage happens.

Here's what February's Patch Tuesday actually means for your business, and what you should be doing about it right now.

What Microsoft Actually Patched

The February 2026 Patch Tuesday addressed 63 vulnerabilities in total. Six of those were zero-days already being exploited before Microsoft released fixes. That's not a typo. Six separate vulnerabilities that attackers were already using against real targets before any patch existed.

The critical detail: these weren't theoretical risks. They were active exploits observed in the wild by Microsoft's Threat Intelligence Center and third-party researchers. Two targeted the Windows kernel, one hit the Win32k driver, and three affected higher-level components including Outlook and the MSHTML platform.

The MSHTML vulnerability is particularly nasty. It can be triggered by getting a user to open a specially crafted email or visit a compromised website. No admin privileges required. No unusual user behavior needed. Just normal email usage.

Apple's Quiet Patch and Why It Matters

While everyone was focused on Microsoft, Apple released its own emergency update for CVE-2026-20700. This one targeted WebKit, the browser engine that powers Safari and every other browser on iOS. A remote attacker could execute arbitrary code simply by getting you to visit the wrong webpage.

Apple credited the discovery to Google's Threat Analysis Group, which typically means the exploit was being used by a state-sponsored actor. That's not the kind of adversary most small businesses think about. But the exploit doesn't check your company's revenue before it runs.

Good: Apple's patch was available within days of discovery. Bad: most organizations don't have automatic updates enabled for employee devices, and personal phones accessing corporate email are almost never managed.

The AI Threat Multiplier

Here's where things get genuinely unsettling. A recent survey from the Information Systems Security Association found that 87% of cybersecurity professionals now rank AI-related vulnerabilities as the fastest-growing risk category. That number was 34% just 18 months ago.

This isn't abstract concern. North Korean hacking groups, specifically Lazarus and a cluster tracked as UNC2970, have been caught using AI models like Google's Gemini to conduct reconnaissance on targets, generate phishing content, and research vulnerabilities in critical infrastructure. Mandiant published detailed findings on this in January 2026.

AI isn't creating new categories of attacks. It's making existing attacks faster, cheaper, and harder to detect. A phishing email generated by a large language model doesn't have the typos and awkward phrasing that used to be a reliable tell. It reads like something your CFO would actually write.

Ransomware: The Fastest-Growing Real-World Threat

By every measurable metric, ransomware is the fastest-growing cybersecurity threat of 2026. Chainalysis reported that ransomware payments exceeded $1.1 billion in 2025, and early data suggests 2026 is tracking higher. The average ransom demand for mid-size businesses has climbed to $1.5 million, according to Coveware's Q4 2025 report.

The business model has matured. Ransomware-as-a-service operations like LockBit and BlackCat run like SaaS companies, complete with customer support, affiliate programs, and regular product updates. They're not script kiddies in basements. They're organized criminal enterprises with quarterly revenue targets.

Good: law enforcement has gotten better at disrupting these groups, with the FBI and Europol taking down LockBit's infrastructure in 2024. Bad: the group reconstituted within months and released a new version.

Why Small Businesses Are Still the Softest Targets

There's a persistent myth that cybercriminals only go after big companies. The data says the opposite. Verizon's 2025 Data Breach Investigations Report found that 43% of cyberattacks target small businesses. The reason is simple economics: small businesses have data worth stealing and defenses not worth bypassing.

Most small businesses don't have a dedicated security team. Many don't have a dedicated IT person. Patching happens when someone remembers, not when the vulnerability is disclosed.

The median time to patch a critical vulnerability in a small business is 102 days, according to Ponemon Institute research. For context, February's zero-days were being exploited before the patch was even available. A 102-day patching window is not a gap. It's an open invitation.

The Cost of Doing Nothing

If the technical details don't motivate action, the financial ones might. IBM's 2025 Cost of a Data Breach Report puts the average breach cost at $4.88 million globally, up 10% from the previous year. For small businesses, the number is lower in absolute terms but higher relative to revenue.

The hidden cost is downtime. The average ransomware attack causes 22 days of operational disruption, according to Statista. For a business doing $5 million in annual revenue, that's roughly $300,000 in lost productivity before you even consider the ransom, the forensics, the legal fees, or the customer trust you'll never fully recover.

These are not edge cases. The National Cyber Security Alliance reports that 60% of small businesses close within six months of a significant cyber attack. That statistic has been disputed, but even the conservative estimates put the failure rate above 30%.

What You Should Do This Week

Not this quarter. Not next sprint. This week. Here's the short list.

Patch everything. Windows, macOS, iOS, Android, your firewall firmware, your VPN appliances. If it has an IP address and a vendor, check for updates. Prioritize the six Microsoft zero-days and Apple's CVE-2026-20700. If you're running MSHTML-dependent applications, patch those machines first.

Enable automatic updates wherever possible. Yes, there's a risk of a bad patch causing issues. That risk is orders of magnitude smaller than the risk of running unpatched software for 102 days.

Audit Your Attack Surface

When was the last time someone mapped every device, service, and account that connects to your network? If the answer is "never" or "I'm not sure," that's your first problem.

You can't patch what you don't know exists. Shadow IT, personal devices accessing corporate email, forgotten test servers, third-party integrations with stored credentials. Each one is a potential entry point.

Run a basic asset inventory. Check your Microsoft 365 admin panel for devices you don't recognize. Review who has admin privileges and whether they still need them. This isn't a six-month project. It's an afternoon.
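As an added example (not code from the original post, and not a product of twixb or any vendor named here), the script below applies the week-one checklist to a constructed asset inventory: it lists hosts missing the emergency update with MSHTML-dependent machines first, flags devices whose patch level is older than an SLA or unknown, separates unmanaged devices (the shadow IT and personal-phone problem), and maps each admin account to the hosts it controls so over-broad privileges stand out. The inventory rows, the reference date, the 14-day threshold and the update identifier `KB-PLACEHOLDER-MSHTML` are all assumptions; the post gives no KB number, so a labelled placeholder stands in for the real one.

```python
"""Patch-lag and attack-surface triage over a constructed asset inventory.

Added example, not code from the original post. Inventory rows, the reference
date, the patch-age threshold and the update id 'KB-PLACEHOLDER-MSHTML' are
assumptions; the post gives no KB number, so a labelled placeholder stands in.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

REFERENCE_DATE = date(2026, 2, 17)          # constructed "today"
MAX_PATCH_AGE_DAYS = 14                     # assumed internal SLA for critical fixes
REQUIRED_UPDATE = "KB-PLACEHOLDER-MSHTML"   # placeholder id for the MSHTML fix


@dataclass
class Asset:
    hostname: str
    owner: str
    managed: bool                       # enrolled in MDM / joined to the domain
    last_patch: Optional[date]          # None = never patched or unknown
    installed_updates: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)   # local admin accounts
    runs_mshtml_app: bool = False       # hosts an MSHTML-dependent application


# Constructed sample inventory; none of these are real devices.
INVENTORY: List[Asset] = [
    Asset("FIN-LAPTOP-01", "cfo", True, date(2026, 2, 12), {REQUIRED_UPDATE}, {"cfo", "itadmin"}, True),
    Asset("FIN-LAPTOP-02", "clerk", True, date(2025, 11, 3), set(), {"clerk", "itadmin"}, True),
    Asset("TEST-SRV-OLD", "unknown", False, None, set(), {"itadmin", "contractor"}, False),
    Asset("SALES-PHONE-07", "rep", False, date(2026, 2, 14), set(), set(), False),
    Asset("DEV-WS-03", "dev", True, date(2026, 2, 15), {REQUIRED_UPDATE}, {"dev", "itadmin", "contractor"}, False),
]


def patch_age_days(asset: Asset, today: date = REFERENCE_DATE) -> Optional[int]:
    """Days since the last installed update, or None if unknown."""
    if asset.last_patch is None:
        return None
    return (today - asset.last_patch).days


def stale_hosts(inventory, max_age=MAX_PATCH_AGE_DAYS, today=REFERENCE_DATE) -> List[str]:
    """Hosts whose patch age is over the SLA or cannot be determined."""
    return [a.hostname for a in inventory
            if (age := patch_age_days(a, today)) is None or age > max_age]


def missing_required_update(inventory, kb=REQUIRED_UPDATE, today=REFERENCE_DATE) -> List[str]:
    """Hosts lacking the emergency fix, most urgent first.

    MSHTML-dependent hosts come first (the post says to patch those first);
    within each group the oldest patch level leads, and an unknown age is
    treated as the oldest of all.
    """
    def urgency(a: Asset):
        age = patch_age_days(a, today)
        return (0 if a.runs_mshtml_app else 1, -(10**6 if age is None else age))

    missing = [a for a in inventory if kb not in a.installed_updates]
    return [a.hostname for a in sorted(missing, key=urgency)]


def unmanaged_hosts(inventory) -> List[str]:
    """Devices outside management: the shadow-IT and personal-device list."""
    return [a.hostname for a in inventory if not a.managed]


def admin_footprint(inventory) -> Dict[str, Set[str]]:
    """Each admin account mapped to the hosts it administers, widest first."""
    footprint: Dict[str, Set[str]] = {}
    for a in inventory:
        for acct in a.admins:
            footprint.setdefault(acct, set()).add(a.hostname)
    return dict(sorted(footprint.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def triage(inventory=INVENTORY) -> Dict[str, object]:
    """Full report as a dict so it can be printed or fed to a ticketing tool."""
    return {
        "missing_required_update": missing_required_update(inventory),
        "stale_hosts": stale_hosts(inventory),
        "unmanaged_hosts": unmanaged_hosts(inventory),
        "admin_footprint": admin_footprint(inventory),
    }


if __name__ == "__main__":
    for section, rows in triage().items():
        print(f"== {section} ==")
        if isinstance(rows, dict):
            for acct, hosts in rows.items():
                print(f"  {acct}: {sorted(hosts)}")
        else:
            for h in rows:
                print(f"  {h}")
```

On the constructed data the report puts the finance laptop that still runs an MSHTML-dependent app and has not been patched in 106 days at the top, surfaces a forgotten unmanaged test server with a contractor in its admin group, and shows the shared `itadmin` account present on four of five hosts: exactly the afternoon-sized findings the section above is after. Swapping `INVENTORY` for rows exported from an MDM or directory is the only change needed to run it on real data.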

Train Your People (Differently)

The standard annual security awareness training is theater. Employees sit through a 45-minute slideshow, pass a quiz, and forget everything by the following Monday. It checks a compliance box. It doesn't change behavior.

What actually works: short, frequent, contextual training. A 3-minute video about the specific phishing technique that hit a company in your industry last week. A simulated phishing email sent without warning, followed by immediate feedback. Monthly, not annually.

Good: organizations that run monthly phishing simulations see click rates drop from 30% to under 5% within six months, per KnowBe4's benchmarking data. Bad: most organizations still only train annually because that's what their compliance framework requires.

AI-Powered Defense Is Real (But Not Magic)

The same AI capabilities that make attacks more sophisticated are also powering defensive tools. CrowdStrike's Charlotte AI, Microsoft's Security Copilot, and SentinelOne's Purple AI can analyze threats, triage alerts, and suggest responses faster than human analysts alone.

The value isn't replacing your security team. It's making your existing team faster. A security operations center analyst typically investigates 20-25 alerts per shift. AI-assisted triage can increase that to 60-80 by filtering false positives and pre-analyzing indicators of compromise.

But these tools require configuration, tuning, and human oversight. Buying an AI-powered security product and assuming you're protected is like buying a gym membership and assuming you're fit.

The Speed Problem

Cybersecurity moves at the speed of exploits, not quarterly reports. By the time you read about a vulnerability in a trade magazine, threat actors have had it for weeks. twixb's Cybersecurity newsfeed monitors BleepingComputer, Dark Reading, Krebs on Security, and more -- daily. It surfaces the patches, the exploits, and the threat intelligence that matters before they become last week's news.

Whatever your monitoring setup, the principle is non-negotiable: you need to know about zero-days before they hit your systems, not after. Whether that's an RSS reader, a managed security provider's alerts, or a dedicated monitoring tool, the gap between disclosure and your awareness needs to be hours, not days.

The Bigger Picture

February's Patch Tuesday is not an anomaly. It's the new normal. Six zero-days in a single month would have been headline news five years ago. Now it's a Tuesday.

The convergence of AI-powered attacks, state-sponsored hacking groups using commercial AI tools, and a ransomware ecosystem that operates like a Fortune 500 industry means the threat landscape is evolving faster than most organizations' defenses. That gap is widening, not narrowing.

The organizations that survive this era won't be the ones with the biggest security budgets. They'll be the ones that patch fast, monitor constantly, and treat cybersecurity as an operational discipline rather than an annual checkbox. February gave us six reasons to take that seriously. March will give us more.
