Microsoft shipped fixes for 84 security vulnerabilities on its March Patch Tuesday, including two publicly known zero-days.
Eight flaws are rated Critical. Seventy-six are rated Important.
Privilege escalation dominates the breakdown — 46 of the 84 vulnerabilities fall into that category. The rest split across remote code execution (18), information disclosure (10), spoofing (4), denial-of-service (4), and security feature bypass (2). An additional 10 vulnerabilities were addressed in the Chromium-based Edge browser since February’s update.
The Two Public Zero-Days
The first, CVE-2026-26127 (CVSS score: 7.5), is a denial-of-service flaw in .NET. The second, CVE-2026-21262 (CVSS score: 8.8), is an elevation of privilege bug in SQL Server.
The highest-scoring vulnerability this month is CVE-2026-21536 (CVSS score: 9.8), a Critical remote code execution flaw in the Microsoft Devices Pricing Program. The company says the issue has been fully mitigated and requires no action from users. AI-powered vulnerability discovery platform XBOW was credited with finding and reporting it.
A Winlogon privilege escalation flaw, CVE-2026-25187 (CVSS score: 7.8), stems from improper link resolution and can be abused to obtain SYSTEM privileges. Google Project Zero researcher James Forshaw reported the vulnerability. It requires no user interaction and carries low attack complexity, according to cybersecurity engineer Jacob Ashdown of Immersive, making it a straightforward target once an attacker gains a foothold.
Satnam Narang, senior staff research engineer at Tenable, noted that six privilege escalation bugs this month were rated “exploitation more likely,” spanning the Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. “We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means,” he said.
Azure MCP and Excel Flaws Draw Attention
CVE-2026-26118 (CVSS score: 8.8) is a server-side request forgery bug in the Azure Model Context Protocol (MCP) server. According to the announcement, an attacker who can interact with an MCP-backed agent could supply a malicious URL where the server expects an Azure resource identifier. The server then issues a request to that attacker-controlled URL, potentially attaching its managed identity token, which lets the attacker capture the token and access any resource the managed identity is permitted to reach.
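The SSRF pattern described above, shown as an added example in Python. This is hypothetical illustration code written for this summary, not the Azure MCP server's source, and nothing here is the actual vulnerable code path: a tool that accepts an Azure resource identifier, builds a management-plane URL, and attaches a bearer token. The ARM host, API version, sample resource ID, attacker URL and the stand-in token value are all assumptions. No network calls are made; each function returns the request it would send so the destination of the token can be inspected offline.

```python
"""Hypothetical MCP tool helper: vulnerable vs hardened handling of a
"resource identifier" argument. Example code added here, not the Azure MCP
server's implementation. No requests are sent; the dicts returned describe
the request that *would* go out."""

import re
from urllib.parse import urlsplit, urlunsplit

# Assumed constants: the ARM endpoint and a fake token standing in for the
# managed-identity credential the server would normally obtain from IMDS.
ARM_BASE = "https://management.azure.com"
FAKE_MANAGED_IDENTITY_TOKEN = "eyJ-fake-token-for-illustration"
API_VERSION = "2021-04-01"

# Constructed sample inputs: a legitimate ARM resource ID and an attacker URL.
GOOD_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodsa"
)
EVIL_INPUT = "https://attacker.example/collect"


def build_request_vulnerable(resource: str) -> dict:
    """Vulnerable pattern: anything that looks like a URL is used as-is,
    otherwise it is appended to the ARM base. The bearer token is attached
    unconditionally, so an absolute attacker URL receives it."""
    url = resource if resource.startswith("http") else f"{ARM_BASE}{resource}"
    return {
        "url": f"{url}?api-version={API_VERSION}",
        "headers": {"Authorization": f"Bearer {FAKE_MANAGED_IDENTITY_TOKEN}"},
    }


# Strict ARM resource-ID grammar: subscription GUID, optional resource group,
# optional provider path. Anything with a scheme, host, '@' or '//' fails.
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}"
    r"(/resourceGroups/[A-Za-z0-9._()-]{1,90})?"
    r"(/providers/[A-Za-z0-9.]+(/[A-Za-z0-9._-]+)+)?$"
)


def build_request_hardened(resource: str) -> dict:
    """Hardened pattern: accept only a path-only ARM resource ID, build the
    URL from the fixed ARM host, and never send the token anywhere else."""
    if not _RESOURCE_ID_RE.fullmatch(resource):
        raise ValueError("not an Azure resource identifier")
    if urlsplit(resource).netloc:  # belt and braces: no scheme/host allowed
        raise ValueError("resource identifier must not carry a host")
    arm_host = urlsplit(ARM_BASE).netloc
    url = urlunsplit(("https", arm_host, resource, f"api-version={API_VERSION}", ""))
    if urlsplit(url).netloc != arm_host:  # final egress check before attaching credentials
        raise ValueError("refusing to send managed identity token off-host")
    return {
        "url": url,
        "headers": {"Authorization": f"Bearer {FAKE_MANAGED_IDENTITY_TOKEN}"},
    }


def token_destination_host(request: dict) -> str:
    """Host that would actually receive the Authorization header."""
    return urlsplit(request["url"]).netloc


if __name__ == "__main__":
    leaked = build_request_vulnerable(EVIL_INPUT)
    print("vulnerable: token goes to", token_destination_host(leaked))
    ok = build_request_hardened(GOOD_RESOURCE_ID)
    print("hardened:   token goes to", token_destination_host(ok))
    try:
        build_request_hardened(EVIL_INPUT)
    except ValueError as exc:
        print("hardened:   rejected attacker input:", exc)
```

The point of the hardened version is that the caller never controls the host: the input is validated against the resource-ID grammar, the URL is assembled from a fixed base, and the egress host is checked once more immediately before the credential is attached. Run the block directly to see the vulnerable variant route the token to attacker.example while the hardened one keeps it on the ARM host.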
An Excel information disclosure flaw, CVE-2026-26144 (CVSS score: 7.5), involves cross-site scripting through improper input neutralization. Microsoft says an attacker exploiting it could cause Copilot Agent mode to exfiltrate data in a zero-click attack.
Alex Vovk, CEO and co-founder of Action1, warned that organizations using AI-assisted productivity features face heightened exposure, as automated agents could transmit sensitive data outside corporate boundaries without triggering obvious alerts.
This article is a curated summary based on third-party sources.