
February 2026 Patch Tuesday: 25 Privilege Escalation Bugs & What They Mean For Local Admin On Windows

Microsoft’s February 2026 Patch Tuesday just landed, with security updates for around 60 vulnerabilities across Windows and related products. Depending on whose write-up you read, the numbers vary slightly, but three facts stand out:
  • 58–59 vulnerabilities patched in total.
  • 6 zero-days already exploited in the wild before the patches shipped.
  • Roughly 25 of the fixes are elevation-of-privilege (EoP) bugs – around 40% of the total.
If you spend your days thinking about Windows endpoints, that breakdown should ring a bell. It matches what we saw in January: attackers don’t usually win with one dramatic remote exploit. They win with a foothold on a user device plus a reliable local privilege escalation. In this post we won’t go deep into every CVE. Instead, we’ll look at what this Patch Tuesday tells us about the state of Windows security – and how it relates to removing local admin and using controlled elevation for the few apps that still need extra rights.

February’s zero-days in one paragraph

The six actively exploited zero-days span both Windows and Office components. Highlights include vulnerabilities in the legacy MSHTML browser engine and Windows Desktop Window Manager that can be chained to run attacker code or escalate privileges. Security vendors and Microsoft all make the same core point: if an attacker can get a user to open a malicious file, click a link, or reach a vulnerable Windows component, these bugs can help them move from “one compromised user” to system-level control on that endpoint. But the really interesting story is in the aggregate: 25 separate EoP fixes in a single month. That’s not an anomaly – it’s what Patch Tuesday looks like now.

Why so many privilege escalation fixes?

Modern Windows security has made the classic “one remote exploit and you own the domain” attack much harder. Between improved memory protections, Defender, SmartScreen, and better default hardening, it’s rare that a single bug gives an attacker everything they want. Instead, most real-world intrusions follow a familiar pattern:
  1. Get a foothold as the user. Phish credentials, trick someone into opening a malicious document, abuse a browser extension, or exploit a bug in Office or a third-party app.
  2. Escalate privileges on the endpoint. Use a local privilege escalation bug – like several fixed this month – to jump from user to local admin or SYSTEM.
  3. Disable defenses and move sideways. Once running with high privileges, start disabling EDR, dumping credentials, and pivoting to other systems.
That middle step is exactly where February’s 25 EoP bugs live. They don’t make headlines like a remote worm, but they are incredibly valuable to attackers.

Where local admin fits into this picture

At this point it’s fair to ask: if someone already has a foothold on a user’s device, how much worse is it if that user is also a local admin? From a defender’s point of view, the difference is huge:
  • If the user runs as a standard user, an attacker must find and exploit a local EoP bug that is present and unpatched on that endpoint to gain full control.
  • If the user is already a local admin, that second step often disappears. Malware and “legitimate” tools inherit admin rights immediately.
That’s why multiple recent industry pieces are once again calling out daily admin use as a major, avoidable risk. Microsoft’s own guidance around Windows 11 Administrator Protection and Intune Endpoint Privilege Management points in the same direction: least privilege on the endpoint is not optional any more.

But “just remove local admin” isn’t that simple

In most environments, people don’t stay local admins because IT likes risk. They stay admins because of a short list of stubborn apps and tasks:
  • Legacy Windows apps that break as soon as the user is standard.
  • Installers and updaters that silently assume they can write anywhere.
  • Power users and developers who need elevated tools, but not all the time.
We’ve written about this tension before in: February’s Patch Tuesday doesn’t change that reality – but it does raise the stakes. Every month that passes with lots of local admins and lots of EoP fixes is another month where a single successful phish could become a much larger incident than it needs to be.

Three practical actions after February Patch Tuesday

  1. Patch quickly – especially user-facing devices. Servers matter, but so do laptops running Outlook, Teams, browsers and line-of-business apps. Those are often the first footholds. Make this month’s security updates part of your normal rollout rhythm.
  2. Re-run your local admin inventory. Use Intune, ConfigMgr, your RMM, or scripting to re-check who is in the local Administrators group. Where the only justification is “because of that one app”, tag those devices as candidates for a more controlled approach.
  3. Shrink your elevation surface. Bring legacy apps, installers and admin tools into a per-app elevation model instead of leaving users as full admins. The fewer processes that ever run elevated, the fewer opportunities an attacker has to chain an EoP bug into something worse.
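
An added example for the scripted inventory in step 2 (not code from the original post or from UNYK): it lists the members of the local Administrators group by its well-known SID and flags everything outside an allowlist. The function name, the allowlist patterns and the output path are assumptions to adapt to your environment.

```powershell
function Get-LocalAdminInventory {
    [CmdletBinding()]
    param(
        # Assumed allowlist of SID patterns expected to hold local admin.
        [string[]]$AllowedSidPatterns = @(
            'S-1-5-21-*-500',  # built-in Administrator account (RID 500)
            'S-1-5-21-*-512'   # Domain Admins (RID 512)
        )
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the localized group name.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Report the failure instead of silently returning an empty inventory.
        Write-Warning ('{0}: enumeration failed: {1}' -f $env:COMPUTERNAME, $_.Exception.Message)
        return
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value
        $expected = [bool]($AllowedSidPatterns | Where-Object { $sid -like $_ })
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $m.Name
            Sid             = $sid
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Expected        = $expected
        }
    }
}

# Members outside the allowlist are the candidates for per-app elevation review.
Get-LocalAdminInventory |
    Where-Object { -not $_.Expected } |
    Export-Csv -Path (Join-Path $env:TEMP 'local-admins-unexpected.csv') -NoTypeInformation
```

Run it per device through Intune, ConfigMgr or your RMM and collect the CSVs centrally; a device that only emits the warning still needs a manual check, because a failed enumeration is not an empty Administrators group.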

Where Elevator for Windows helps

At UNYK, we built Elevator for Windows for exactly this problem: you want users to be standard users, but you still have a handful of Windows apps that behave as if it’s 2003 and everyone is an admin. Elevator lets you:
  • Keep users as standard users all day.
  • Define a short, explicit list of executables that should run with admin rights.
  • Run those apps elevated automatically, without sharing local admin passwords.
  • Log every elevation event so you know which apps still depend on admin and where to focus hardening work.
That way, when you read that a new Patch Tuesday fixed another 20+ privilege escalation bugs, you’ve got a clear story:
  • Most users don’t have standing admin rights.
  • Only a few, known apps ever run elevated.
  • If something does land on an endpoint, the blast radius is much smaller.
If you’d like to see how Elevator behaves with two or three of your own “problem” applications, you can start a small pilot.