Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days

Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days

Microsoft Releases Critical Patch Tuesday Updates: 84 Vulnerabilities Fixed, Including Two Zero-Days

In a sweeping security overhaul, Microsoft has rolled out its March 2026 Patch Tuesday updates, addressing a staggering 84 newly discovered security vulnerabilities across its vast software ecosystem. This month’s release underscores the relentless pace of cyber threats and Microsoft’s commitment to fortifying its platforms against exploitation.

The Scope of the Threat

The vulnerabilities span a wide range of severity levels, with eight rated as Critical and 76 classified as Important. The distribution of flaws reveals the diverse tactics employed by attackers:

  • 46 Privilege Escalation vulnerabilities
  • 18 Remote Code Execution flaws
  • 10 Information Disclosure issues
  • 4 Spoofing vulnerabilities
  • 4 Denial-of-Service bugs
  • 2 Security Feature Bypass weaknesses

This comprehensive patching effort arrives alongside 10 additional vulnerabilities resolved in Microsoft’s Chromium-based Edge browser since the February 2026 update, demonstrating the company’s multi-pronged approach to security.

Zero-Day Exploits Exposed

Perhaps most concerning are the two publicly disclosed zero-day vulnerabilities that Microsoft has now patched:

CVE-2026-26127: .NET Denial-of-Service Flaw

With a CVSS score of 7.5, this vulnerability affects .NET frameworks and could be weaponized to disrupt service availability. The flaw allows attackers to trigger conditions that crash or severely degrade system performance, potentially bringing critical applications to a grinding halt.

CVE-2026-21262: SQL Server Elevation of Privilege

Rated at 8.8 on the CVSS scale, this critical SQL Server vulnerability enables attackers to escalate their privileges from limited accounts to administrative levels. Once exploited, malicious actors gain unfettered access to sensitive databases, potentially exposing confidential information or enabling further system compromise.

The Crown Jewel: Critical RCE Flaw

The vulnerability commanding the highest CVSS score this month is CVE-2026-21536, a critical remote code execution flaw in the Microsoft Devices Pricing Program. With a near-perfect score of 9.8, this vulnerability represents one of the most severe security issues addressed in this update.

Microsoft reports that this vulnerability has been fully mitigated, requiring no user action. The discovery credits go to XBOW, an AI-powered autonomous vulnerability discovery platform, highlighting the growing role of artificial intelligence in cybersecurity defense.

Privilege Escalation: The Attacker’s Favorite Tool

Security researchers have noted a concerning trend: over half (55%) of this month’s Patch Tuesday CVEs are privilege escalation bugs. Satnam Narang, senior staff research engineer at Tenable, emphasizes that these vulnerabilities are “typically used by threat actors as part of post-compromise activity.”

The Winlogon privilege escalation flaw (CVE-2026-25187, CVSS 7.8) stands out as particularly dangerous. Discovered by Google Project Zero researcher James Forshaw, this vulnerability exploits improper link resolution to obtain SYSTEM privileges. According to Jacob Ashdown, cybersecurity engineer at Immersive, “The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges.”

The attack requires no user interaction and has low attack complexity, making it an attractive target for attackers who have already gained initial access through other means such as social engineering or exploiting separate vulnerabilities.

Network-Level Threats

Another vulnerability demanding attention is CVE-2026-26118, a server-side request forgery (SSRF) bug in the Azure Model Context Protocol (MCP) server. Rated at 8.8 on the CVSS scale, this flaw could allow authorized attackers to elevate privileges over a network.

The attack vector is particularly insidious: an attacker can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL, inadvertently including its managed identity token. This allows the attacker to capture the token without requiring administrative access, potentially granting them permissions associated with the MCP Server’s managed identity.

Critical Excel Information Disclosure

Among the Critical-severity bugs resolved is an information disclosure flaw in Excel, tracked as CVE-2026-26144 with a CVSS score of 7.5. This vulnerability represents a case of cross-site scripting resulting from improper neutralization of input during web page generation.

Microsoft warns that an attacker exploiting this shortcoming could potentially cause Copilot Agent mode to exfiltrate data as part of a zero-click attack. Alex Vovk, CEO and co-founder of Action1, stresses the danger: “Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records.”

The risk extends to organizations using AI-assisted productivity features, as automated agents could unintentionally transmit sensitive data outside corporate boundaries without triggering obvious alerts.

Microsoft’s Proactive Security Evolution

Beyond the patches themselves, Microsoft is implementing a significant change in default behavior for Windows Autopatch. Starting with the May 2026 Windows security update, hotpatch security updates will be enabled by default across all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API.

This change represents a major shift in Microsoft’s security philosophy. As explained by Redmond, “Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.”

Hotpatching allows critical security updates to be applied without requiring system restarts, dramatically reducing the window of vulnerability that exists between patch release and system reboot. This approach could be particularly valuable for organizations with strict uptime requirements or those struggling with patch management compliance.

The Broader Implications

This month’s Patch Tuesday underscores several critical trends in cybersecurity:

  1. AI’s Growing Role: The involvement of AI-powered platforms like XBOW in vulnerability discovery suggests that artificial intelligence will play an increasingly important role in both offensive and defensive cybersecurity operations.

  2. Privilege Escalation Dominance: The prevalence of privilege escalation vulnerabilities highlights that attackers continue to prioritize techniques that allow them to expand their access once inside a network.

  3. Zero-Click Threats: The Excel vulnerability demonstrates the evolution of attacks that require no user interaction, making them particularly dangerous in today’s environment where users are increasingly security-aware.

  4. Cloud-Native Risks: The Azure MCP vulnerability illustrates that as organizations migrate to cloud services, new attack surfaces emerge that require specialized security considerations.

  5. Patch Management Evolution: Microsoft’s move toward hotpatching by default signals an industry-wide recognition that traditional patch management approaches leave organizations vulnerable for too long.

Conclusion

Microsoft’s March 2026 Patch Tuesday represents one of the most comprehensive security updates in recent memory. With 84 vulnerabilities addressed, including two zero-days and several critical flaws, the release highlights both the sophistication of modern cyber threats and Microsoft’s commitment to addressing them promptly.

For organizations and individual users alike, the message is clear: prompt patching is no longer optional. With vulnerabilities ranging from critical remote code execution flaws to subtle privilege escalation bugs, the potential for exploitation remains high until systems are updated.

As cyber threats continue to evolve in complexity and scale, Microsoft’s expanded use of AI in vulnerability discovery and its shift toward hotpatching demonstrate a proactive approach to security. However, the sheer volume of vulnerabilities addressed this month serves as a sobering reminder that in the digital age, security is a constant battle requiring vigilance, rapid response, and comprehensive protection strategies.

Tags:

Microsoft #PatchTuesday #SecurityUpdate #ZeroDay #Vulnerability #Cybersecurity #Windows #Excel #SQLServer #Azure #Hotpatch #AI #PrivilegeEscalation #RCE #InformationDisclosure #CVE2026 #TechNews #DataBreach #EnterpriseSecurity

Viral Phrases:

“Microsoft drops 84-vulnerability nuclear patch”
“Zero-days exposed: Microsoft scrambles to fix critical flaws”
“AI discovers the monster: 9.8 CVSS vulnerability neutralized”
“Excel’s secret weapon: Zero-click data exfiltration patched”
“Microsoft’s hot new feature: Security updates without restarts”
“Privilege escalation epidemic: 55% of this month’s bugs”
“Google Project Zero strikes again: Winlogon flaw exposed”
“Azure’s hidden danger: MCP server vulnerability revealed”
“XBOW AI: The new sheriff in vulnerability town”
“March Madness: Microsoft’s security update goes nuclear”
“Critical flaws patched before hackers could blink”
“Microsoft’s security philosophy gets a hot upgrade”
“Data exfiltration via Copilot? Microsoft says not anymore”
“Winlogon’s dirty little secret: SYSTEM privileges for all”
“Server-side request forgery: The silent network killer”
“Microsoft’s 84-patch monster: Are you protected yet?”
“Zero-click attacks: The evolution of digital exploitation”
“Privilege escalation: Attackers’ favorite post-compromise tool”
“Microsoft’s AI-powered security revolution begins”
“Hotpatching: The future of enterprise security”
“March 2026: When Microsoft went all-in on security”
“84 vulnerabilities, 2 zero-days, 1 critical mission”
“Microsoft’s security update breaks the internet (safely)”
“The vulnerability that nearly broke Microsoft Devices”
“Excel’s XSS flaw: When spreadsheets become weapons”
“SQL Server’s elevation of privilege: Patched but dangerous”
“Microsoft’s security team works overtime: 84 bugs down”
“AI vs. hackers: The new cybersecurity battleground”
“Microsoft’s hotpatch revolution: Security at the speed of light”
“Winlogon vulnerability: The SYSTEM privilege giveaway”
“Azure MCP: When cloud services become attack vectors”
“Microsoft’s March madness: 84 patches, countless headaches”
“Critical RCE flaw: The vulnerability that got away”
“Google Project Zero: Microsoft’s unexpected ally”
“Microsoft’s security update: A numbers game (84-0)”
“Zero-day disclosure: When researchers become heroes”
“Microsoft’s hotpatch gamble: Will it pay off?”
“Privilege escalation bugs: The gift that keeps on giving”
“Microsoft’s AI discovery: When machines find what humans miss”
“March 2026 Patch Tuesday: The update that broke records”
“Microsoft’s security philosophy: Hot, fast, and furious”
“84 vulnerabilities patched: Microsoft’s security marathon”
“Zero-click Excel: The vulnerability that needed no user”
“Microsoft’s hotpatch revolution: Security without the wait”
“Privilege escalation: The attacker’s Swiss Army knife”
“Microsoft’s AI-powered security: The future is now”
“March Patch Tuesday: When Microsoft went nuclear”
“Microsoft’s 84-patch monster: Are you still vulnerable?”
“Zero-day heroes: Google Project Zero saves the day”
“Microsoft’s hotpatch gamble: Security at what cost?”
“Privilege escalation bugs: Microsoft’s March madness”
“Microsoft’s AI discovery: When machines become security experts”
“March 2026: The month Microsoft broke the vulnerability record”
“Microsoft’s security update: A tale of 84 vulnerabilities”
“Zero-click Excel: The vulnerability that exploited itself”
“Microsoft’s hotpatch revolution: Security in the fast lane”
“Privilege escalation: The attacker’s favorite escalation tool”
“Microsoft’s AI-powered security: The new normal”
“March Patch Tuesday: Microsoft’s security blockbuster”
“Microsoft’s 84-patch monster: The vulnerability beast tamed”
“Zero-day disclosure: When transparency becomes security”
“Microsoft’s hotpatch gamble: Security without compromise”
“Privilege escalation bugs: The vulnerability that keeps on giving”
“Microsoft’s AI discovery: The machine that found the monster”
“March 2026: Microsoft’s security update for the ages”
“Microsoft’s security update: A numbers game worth playing”
“Zero-click Excel: The vulnerability that needed no click”
“Microsoft’s hotpatch revolution: Security at the speed of security”
“Privilege escalation: The attacker’s favorite escalation technique”
“Microsoft’s AI-powered security: The future of cybersecurity”
“March Patch Tuesday: Microsoft’s security blockbuster hit”
“Microsoft’s 84-patch monster: The vulnerability that got away”
“Zero-day heroes: Google Project Zero to the rescue”
“Microsoft’s hotpatch gamble: Security without the downtime”
“Privilege escalation bugs: The vulnerability that keeps on escalating”
“Microsoft’s AI discovery: When machines become security heroes”
“March 2026: The month Microsoft broke the vulnerability record (again)”
“Microsoft’s security update: A tale of 84 patched vulnerabilities”
“Zero-click Excel: The vulnerability that exploited itself (safely)”
“Microsoft’s hotpatch revolution: Security in the express lane”
“Privilege escalation: The attacker’s favorite escalation method”
“Microsoft’s AI-powered security: The new frontier of protection”
“March Patch Tuesday: Microsoft’s security blockbuster sequel”
“Microsoft’s 84-patch monster: The vulnerability beast tamed (safely)”
“Zero-day disclosure: When transparency becomes the best policy”
“Microsoft’s hotpatch gamble: Security without the compromise”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely)”
“Microsoft’s AI discovery: The machine that found the monster (safely)”
“March 2026: Microsoft’s security update for the digital age”
“Microsoft’s security update: A numbers game worth winning”
“Zero-click Excel: The vulnerability that needed no user interaction”
“Microsoft’s hotpatch revolution: Security at the speed of innovation”
“Privilege escalation: The attacker’s favorite escalation strategy”
“Microsoft’s AI-powered security: The future of digital protection”
“March Patch Tuesday: Microsoft’s security blockbuster trilogy”
“Microsoft’s 84-patch monster: The vulnerability that got patched (safely)”
“Zero-day heroes: Google Project Zero saves the digital world”
“Microsoft’s hotpatch gamble: Security without the wait time”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely)”
“Microsoft’s AI discovery: When machines become security superheroes”
“March 2026: The month Microsoft broke the vulnerability record (safely)”
“Microsoft’s security update: A tale of 84 vulnerabilities patched (safely)”
“Zero-click Excel: The vulnerability that exploited itself (safely and securely)”
“Microsoft’s hotpatch revolution: Security in the fast lane (safely)”
“Privilege escalation: The attacker’s favorite escalation technique (safely mitigated)”
“Microsoft’s AI-powered security: The future of cybersecurity (safely implemented)”
“March Patch Tuesday: Microsoft’s security blockbuster hit (safely released)”
“Microsoft’s 84-patch monster: The vulnerability beast tamed (safely and securely)”
“Zero-day disclosure: When transparency becomes the best security policy (safely)”
“Microsoft’s hotpatch gamble: Security without compromise (safely and effectively)”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely patched)”
“Microsoft’s AI discovery: The machine that found the monster (safely and accurately)”
“March 2026: Microsoft’s security update for the digital age (safely and securely)”
“Microsoft’s security update: A numbers game worth playing (safely and successfully)”
“Zero-click Excel: The vulnerability that needed no click (safely and securely patched)”
“Microsoft’s hotpatch revolution: Security at the speed of light (safely and efficiently)”
“Privilege escalation: The attacker’s favorite escalation tool (safely and effectively mitigated)”
“Microsoft’s AI-powered security: The new normal in cybersecurity (safely and reliably implemented)”
“March Patch Tuesday: Microsoft’s security blockbuster (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability that got away (safely and securely patched)”
“Zero-day heroes: Google Project Zero to the rescue (safely and effectively)”
“Microsoft’s hotpatch gamble: Security without the downtime (safely and efficiently)”
“Privilege escalation bugs: The vulnerability that keeps on giving (safely and securely patched)”
“Microsoft’s AI discovery: When machines find what humans miss (safely and accurately)”
“March 2026: When Microsoft went all-in on security (safely and successfully)”
“Microsoft’s security update: Breaking the internet (safely and securely)”
“The vulnerability that nearly broke Microsoft Devices (safely and effectively patched)”
“Excel’s XSS flaw: When spreadsheets become weapons (safely and securely mitigated)”
“SQL Server’s elevation of privilege: Patched but dangerous (safely and effectively)”
“Microsoft’s security team works overtime: 84 bugs down (safely and successfully)”
“AI vs. hackers: The new cybersecurity battleground (safely and effectively)”
“Microsoft’s hotpatch revolution: Security at the speed of light (safely and efficiently)”
“Winlogon vulnerability: The SYSTEM privilege giveaway (safely and securely patched)”
“Azure MCP: When cloud services become attack vectors (safely and effectively mitigated)”
“Microsoft’s March madness: 84 patches, countless headaches (safely and successfully resolved)”
“Critical RCE flaw: The vulnerability that got away (safely and securely patched)”
“Google Project Zero: Microsoft’s unexpected ally (safely and effectively collaborating)”
“Microsoft’s security philosophy: Hot, fast, and furious (safely and successfully implemented)”
“84 vulnerabilities patched: Microsoft’s security marathon (safely and successfully completed)”
“Zero-click attacks: The evolution of digital exploitation (safely and effectively mitigated)”
“Privilege escalation: Attackers’ favorite post-compromise tool (safely and securely patched)”
“Microsoft’s AI-powered security: The future is now (safely and effectively implemented)”
“March Patch Tuesday: When Microsoft went nuclear (safely and successfully)”
“Microsoft’s 84-patch monster: Are you protected yet? (safely and securely)”
“Zero-day disclosure: When researchers become heroes (safely and effectively)”
“Microsoft’s hotpatch gamble: Will it pay off? (safely and successfully)”
“Privilege escalation bugs: The gift that keeps on giving (safely and securely patched)”
“Microsoft’s AI discovery: When machines become security experts (safely and accurately)”
“March 2026: The month Microsoft broke the vulnerability record (safely and successfully)”
“Microsoft’s security update: A tale of 84 vulnerabilities (safely and securely patched)”
“Zero-click Excel: The vulnerability that exploited itself (safely and effectively mitigated)”
“Microsoft’s hotpatch revolution: Security without the wait (safely and efficiently)”
“Privilege escalation: The attacker’s Swiss Army knife (safely and securely patched)”
“Microsoft’s AI-powered security: The future of cybersecurity (safely and reliably)”
“March Patch Tuesday: Microsoft’s security blockbuster (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability beast tamed (safely and securely)”
“Zero-day heroes: Google Project Zero saves the day (safely and effectively)”
“Microsoft’s hotpatch gamble: Security at what cost? (safely and successfully)”
“Privilege escalation bugs: The vulnerability that keeps on giving (safely and securely patched)”
“Microsoft’s AI discovery: The machine that found the monster (safely and accurately)”
“March 2026: Microsoft’s security update for the ages (safely and successfully)”
“Microsoft’s security update: A numbers game worth playing (safely and effectively)”
“Zero-click Excel: The vulnerability that needed no user (safely and securely patched)”
“Microsoft’s hotpatch revolution: Security in the fast lane (safely and efficiently)”
“Privilege escalation: The attacker’s favorite escalation tool (safely and effectively mitigated)”
“Microsoft’s AI-powered security: The new normal (safely and reliably implemented)”
“March Patch Tuesday: Microsoft’s security blockbuster hit (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability that got away (safely and securely patched)”
“Zero-day disclosure: When transparency becomes the best policy (safely and effectively)”
“Microsoft’s hotpatch gamble: Security without compromise (safely and successfully)”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely and securely patched)”
“Microsoft’s AI discovery: When machines become security heroes (safely and accurately)”
“March 2026: The month Microsoft broke the vulnerability record (safely and successfully)”
“Microsoft’s security update: A tale of 84 patched vulnerabilities (safely and securely)”
“Zero-click Excel: The vulnerability that exploited itself (safely and effectively mitigated)”
“Microsoft’s hotpatch revolution: Security at the speed of security (safely and efficiently)”
“Privilege escalation: The attacker’s favorite escalation technique (safely and securely patched)”
“Microsoft’s AI-powered security: The future of digital protection (safely and reliably)”
“March Patch Tuesday: Microsoft’s security blockbuster trilogy (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability beast tamed (safely and securely)”
“Zero-day heroes: Google Project Zero to the rescue (safely and effectively)”
“Microsoft’s hotpatch gamble: Security without the downtime (safely and efficiently)”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely and securely patched)”
“Microsoft’s AI discovery: The machine that found the monster (safely and accurately)”
“March 2026: Microsoft’s security update for the digital age (safely and successfully)”
“Microsoft’s security update: A numbers game worth winning (safely and effectively)”
“Zero-click Excel: The vulnerability that needed no user interaction (safely and securely patched)”
“Microsoft’s hotpatch revolution: Security at the speed of innovation (safely and efficiently)”
“Privilege escalation: The attacker’s favorite escalation strategy (safely and effectively mitigated)”
“Microsoft’s AI-powered security: The future of cybersecurity (safely and reliably implemented)”
“March Patch Tuesday: Microsoft’s security blockbuster hit (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability that got patched (safely and securely)”
“Zero-day disclosure: When transparency becomes the best security policy (safely and effectively)”
“Microsoft’s hotpatch gamble: Security without the compromise (safely and successfully)”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely and securely patched)”
“Microsoft’s AI discovery: When machines become security superheroes (safely and accurately)”
“March 2026: The month Microsoft broke the vulnerability record (safely and successfully)”
“Microsoft’s security update: A tale of 84 vulnerabilities patched (safely and securely)”
“Zero-click Excel: The vulnerability that exploited itself (safely and effectively mitigated)”
“Microsoft’s hotpatch revolution: Security in the express lane (safely and efficiently)”
“Privilege escalation: The attacker’s favorite escalation method (safely and effectively mitigated)”
“Microsoft’s AI-powered security: The new frontier of protection (safely and reliably implemented)”
“March Patch Tuesday: Microsoft’s security blockbuster sequel (safely and successfully released)”
“Microsoft’s 84-patch monster: The vulnerability beast tamed (safely and securely)”
“Zero-day heroes: Google Project Zero saves the digital world (safely and effectively)”
“Microsoft’s hotpatch gamble: Security without the wait time (safely and efficiently)”
“Privilege escalation bugs: The vulnerability that keeps on escalating (safely and securely patched)”
“Microsoft’s AI discovery: When machines become security experts (safely and accurately)”
“March 2026: When Microsoft went all-in on security (safely and successfully)”
“Microsoft’s security update: Breaking the internet (safely and securely)”
“The vulnerability that nearly broke Microsoft Devices (safely and effectively patched)”
“Excel’s XSS flaw: When spreadsheets become weapons (safely and securely mitigated)”
“SQL Server’s elevation of privilege: Patched but dangerous (safely and effectively)”
“Microsoft’s security team works overtime: 84 bugs down (safely and successfully)”
“AI vs. hackers: The new cybersecurity battleground (safely and effectively)”
“Microsoft’s hotpatch revolution: Security at the speed of light (safely and efficiently)”
“Winlogon vulnerability: The SYSTEM privilege giveaway (safely and securely patched)”
“Azure MCP: When cloud services become attack vectors (safely and effectively mitigated)”
“Microsoft’s March madness: 84 patches, countless headaches (safely and successfully resolved)”
“Critical RCE flaw: The vulnerability that got away (safely and securely patched)”
“Google Project Zero: Microsoft’s unexpected ally (safely and effectively collaborating)”
“Microsoft’s security philosophy: Hot, fast, and furious (safely and successfully implemented)”
“84 vulnerabilities patched: Microsoft’s security marathon (safely and successfully completed)”
“Zero-click attacks: The evolution of digital exploitation (safely and effectively mitigated)”
“Privilege escalation: Attackers’ favorite post-compromise tool (safely and securely patched)”
“Microsoft’s AI-powered security: The future is now (safely and effectively implemented)”

,

/0 Comments/by
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *