Key Takeaway
Microsoft’s March 2026 Patch Tuesday addresses 77 vulnerabilities including critical privilege escalations in SQL Server and remote code execution flaws in Microsoft Office. Notably, a severe RCE vulnerability discovered by an AI agent was patched without requiring user action. Enterprise administrators should prioritize these updates to mitigate high-risk attack vectors.
Microsoft released security updates addressing 77 vulnerabilities across Windows operating systems and related software in its March 2026 Patch Tuesday cycle. Although no zero-day exploits were reported this month, several vulnerabilities require prompt attention from organizations running Windows environments.
Among the patched flaws, two were publicly disclosed in advance. CVE-2026-21262 affects SQL Server 2016 and later versions, allowing an authenticated attacker to elevate privileges to sysadmin remotely over the network. This privilege escalation vulnerability has a CVSS v3 base score of 8.8. Rapid7’s Adam Barnett emphasized the severity given the potential for full administrative control despite requiring initial low-level privileges.
The second publicly known vulnerability, CVE-2026-26127, impacts .NET applications. Exploiting this flaw can lead to denial of service by causing application crashes, with the possibility of further attack vectors during service restarts.
Microsoft Office also received critical patches for remote code execution (RCE) vulnerabilities CVE-2026-26113 and CVE-2026-26110. Both can be triggered simply by previewing a malicious message in the Outlook Preview Pane, posing a significant risk to email users.
Tenable’s Satnam Narang highlighted that over half (55%) of this month’s CVEs are privilege escalation issues. Notably, six of these were marked with an "exploitation more likely" designation. These include:
- CVE-2026-24291: Incorrect permissions in Windows Accessibility Infrastructure allowing SYSTEM privilege escalation (CVSS 7.8).
- CVE-2026-24294: Improper authentication vulnerability in the SMB core component (CVSS 7.8).
- CVE-2026-24289: Memory corruption and race condition flaw in Windows (CVSS 7.8).
- CVE-2026-25187: Winlogon process vulnerability discovered by Google Project Zero (CVSS 7.8).
Additionally, Immersive’s Ben McCarthy drew attention to CVE-2026-21536, a critical RCE flaw within the Microsoft Devices Pricing Program. This vulnerability, rated 9.8 in severity, was discovered by XBOW, an autonomous AI penetration testing agent. Microsoft has already patched this issue without requiring user intervention. McCarthy noted this marks one of the first AI-identified vulnerabilities officially recognized with a Windows CVE, illustrating AI’s emerging role in accelerating vulnerability discovery.
Separately, Microsoft issued an out-of-band update on March 2, 2026, addressing a certificate renewal problem impacting Windows Hello for Business on Windows Server 2022.
In parallel, Adobe fixed 80 vulnerabilities, including critical ones in Acrobat and Adobe Commerce, while Mozilla Firefox version 148.0.2 patched three high-severity CVEs.
Security teams should prioritize deploying these patches, especially those involving remote code execution and privilege escalation with higher CVSS scores. For detailed vendor advisories and full vulnerability lists, administrators can refer to Microsoft’s official update guide and community resources such as the SANS Internet Storm Center and AskWoody.com.
Original Source
Krebs on Security
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.