Severity: critical

March Patch Tuesday visits 15 product families

Microsoft's March Patch Tuesday addressed 84 vulnerabilities across 15 product families, including 8 Critical and 76 Important flaws. While no zero-days were reported as actively exploited, two vulnerabilities have been publicly disclosed, and six are deemed highly likely to be exploited within 30 days. Organizations are advised to prioritize patching for critical Remote Code Execution and Elevation of Privilege vulnerabilities affecting Windows, Office, and Azure environments.

Sensitivity: 24h | Confidence: high | Analyzed: 2026-03-13

Authors: Angela Gunn

Source:Sophos

Key Takeaways

  • Microsoft released 84 patches across 15 product families, including 8 Critical and 76 Important vulnerabilities.
  • Two vulnerabilities have been publicly disclosed, but none are currently known to be exploited in the wild.
  • Six CVEs are judged by Microsoft as more likely to be exploited within the next 30 days.
  • Elevation of Privilege issues constitute the majority of the vulnerabilities patched this month.
  • Notable critical vulnerabilities affect Microsoft Office, Excel, and SharePoint, potentially allowing remote code execution or zero-click information disclosure.

Affected Systems

  • Windows (Client and Server versions 2012-2025)
  • Microsoft Azure
  • Microsoft 365
  • Microsoft Office
  • Microsoft Excel
  • Microsoft SharePoint
  • SQL Server
  • .NET and ASP.NET
  • Microsoft Authenticator
  • PowerShell
  • System Center Operations Manager (SCOM)
  • Microsoft Devices Pricing Program
  • Payment Orchestrator Service
  • Microsoft Semantic Kernel
  • Chromium/Microsoft Edge
  • Adobe Reader

Vulnerabilities (CVEs)

  • CVE-2026-21536 (CVSS 9.8) - Microsoft Devices Pricing Program Remote Code Execution Vulnerability
  • CVE-2026-26030 (CVSS 9.9) - Microsoft Semantic Kernel vulnerability in the InMemoryVectorStore filter functionality
  • CVE-2026-26110 (CVSS 8.4) - Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-26113 (CVSS 8.4) - Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-26144 - Microsoft Excel Information Disclosure Vulnerability
  • CVE-2026-23660 - Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability
  • CVE-2026-26123 - Microsoft Authenticator Information Disclosure Vulnerability
  • CVE-2026-24288 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
  • CVE-2026-21262 (CVSS 8.8) - SQL Server Elevation of Privilege Vulnerability
  • CVE-2026-20967 (CVSS 8.8) - System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability
  • CVE-2026-23654 (CVSS 8.8) - GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability
  • CVE-2026-23669 (CVSS 8.8) - Windows Print Spooler Remote Code Execution Vulnerability
  • CVE-2026-24283 (CVSS 8.8) - Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability
  • CVE-2026-25172 (CVSS 8.8) - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • CVE-2026-25177 (CVSS 8.8) - Active Directory Domain Services Elevation of Privilege Vulnerability
  • CVE-2026-25188 (CVSS 8.8) - Windows Telephony Service Elevation of Privilege Vulnerability
  • CVE-2026-26106 (CVSS 8.8) - Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2026-26111 (CVSS 8.8) - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • CVE-2026-26114 (CVSS 8.8) - Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2026-26115 (CVSS 8.8) - SQL Server Elevation of Privilege Vulnerability
  • CVE-2026-26116 (CVSS 8.8) - SQL Server Elevation of Privilege Vulnerability
  • CVE-2026-26118 (CVSS 8.8) - Azure MCP Server Tools Elevation of Privilege Vulnerability
  • CVE-2026-26125 (CVSS 8.6) - Payment Orchestrator Service Elevation of Privilege Vulnerability
  • CVE-2026-26109 (CVSS 8.4) - Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2026-26105 (CVSS 8.1) - Microsoft SharePoint Server Spoofing Vulnerability
  • CVE-2026-26148 (CVSS 8.1) - Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability
  • CVE-2026-25173 (CVSS 8.0) - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • CVE-2026-23668 - Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2026-24289 - Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2026-24291 - Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability
  • CVE-2026-24294 - Windows SMB Server Elevation of Privilege Vulnerability
  • CVE-2026-25187 - Winlogon Elevation of Privilege Vulnerability
  • CVE-2026-26132 - Windows Kernel Elevation of Privilege Vulnerability

Attack Chain

The article details vulnerability disclosures rather than a specific attack chain. Threat actors could exploit the highlighted Remote Code Execution (RCE) vulnerabilities (such as CVE-2026-26110 in Office) via malicious files or preview panes to gain initial access. Following access, attackers might leverage Elevation of Privilege (EoP) flaws (like CVE-2026-23660 in Windows Admin Center) to escalate their rights. Finally, information disclosure vulnerabilities could be used to exfiltrate sensitive data, potentially utilizing features like Copilot Agent mode for zero-click data theft.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No (Sophos IPS signature identifiers are listed, but no rule logic is published)
  • Platforms: Sophos Intercept X, Sophos XGS Firewall

Sophos provides direct IPS detection signatures for several vulnerabilities, including CVE-2026-24289, CVE-2026-24291, CVE-2026-25187, and CVE-2026-26132.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect post-exploitation behaviors such as unexpected child processes from Office applications or unusual network connections, but may not catch the initial memory corruption or logic flaws without specific signatures.
  • Network Visibility: Medium — Network appliances have signatures for specific CVE exploits, but encrypted traffic or zero-click local exploits may bypass network detection.
  • Detection Difficulty: Moderate — Detecting exploitation of these vulnerabilities relies heavily on up-to-date IPS signatures and on monitoring for anomalous post-exploitation activity, as the initial exploits can be subtle.

Required Log Sources

  • Windows Event Logs
  • Network IDS/IPS Logs
  • Endpoint EDR Logs

Hunting Hypotheses

Hypothesis 1: Look for unexpected child processes spawning from Microsoft Office applications (Word, Excel), which may indicate exploitation of CVE-2026-26110 or CVE-2026-26113.
  • Telemetry: Process creation events (Windows Security Event ID 4688 or Sysmon Event ID 1)
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: Monitor for unusual network egress traffic originating from Copilot Agent mode, potentially indicating zero-click information disclosure via CVE-2026-26144.
  • Telemetry: Network connection logs (Sysmon Event ID 3 or firewall logs)
  • ATT&CK Stage: Exfiltration
  • FP Risk: Medium
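The two hunting hypotheses above, implemented as detection logic over constructed Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection, one JSON object per line, the shape many EDR/SIEM exports use). This is an added example, not code from the Sophos article or from Microsoft; the Office parent list, the living-off-the-land child list, the "copilot" image-name hint, the egress allowlist suffixes, and every event record are assumptions to be tuned against your own baseline.

```python
"""Hunt for (1) Office apps spawning scripting/LOLBin children and
(2) Copilot agent processes reaching unexpected external destinations.
Added example with constructed telemetry; the lists below are assumptions."""
import ipaddress
import json
from pathlib import PureWindowsPath

# Assumption: Office hosts whose children deserve scrutiny (CVE-2026-26110/-26113).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: children Office should never spawn in a healthy baseline.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Assumption: substring that identifies Copilot agent processes in the Image field.
COPILOT_IMAGE_HINT = "copilot"
# Assumption: destination suffixes the agent is expected to talk to.
ALLOWED_EGRESS_SUFFIXES = (".microsoft.com", ".office.com", ".microsoftonline.com")
# RFC 1918 plus loopback; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return PureWindowsPath(path).name.lower()


def parse_events(lines):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def hunt_office_children(events):
    """Hypothesis 1: Office parent -> scripting/LOLBin child (Sysmon EID 1)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"host": ev.get("Computer"), "parent": parent,
                         "child": child, "cmdline": ev.get("CommandLine", "")})
    return hits


def is_internal(ip: str) -> bool:
    """True for RFC 1918/loopback addresses; False for external or unparseable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt_copilot_egress(events):
    """Hypothesis 2: outbound connection from a Copilot process (Sysmon EID 3)
    to an external destination that is not on the expected-service allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or not ev.get("Initiated", True):
            continue
        image = image_name(ev.get("Image", ""))
        if COPILOT_IMAGE_HINT not in image:
            continue
        dst_ip = ev.get("DestinationIp", "")
        host = ev.get("DestinationHostname", "").lower()
        if is_internal(dst_ip) or host.endswith(ALLOWED_EGRESS_SUFFIXES):
            continue
        hits.append({"host": ev.get("Computer"), "image": image, "dst": dst_ip,
                     "dst_host": host or "(no rDNS)", "port": ev.get("DestinationPort")})
    return hits


# Constructed sample telemetry (not real events); rendered as JSON lines below.
COPILOT_IMG = r"C:\Users\alice\AppData\Local\Microsoft\Copilot\Copilot.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": COPILOT_IMG, "Initiated": True,
     "DestinationIp": "20.50.0.1", "DestinationHostname": "copilot.microsoft.com",
     "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": COPILOT_IMG, "Initiated": True,
     "DestinationIp": "203.0.113.7", "DestinationHostname": "", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": COPILOT_IMG, "Initiated": True,
     "DestinationIp": "10.20.30.40", "DestinationHostname": "fileshare.corp.local",
     "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS01", "Image": COPILOT_IMG, "Initiated": False,
     "DestinationIp": "198.51.100.9", "DestinationHostname": "", "DestinationPort": 443},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for hit in hunt_office_children(evs) + hunt_copilot_egress(evs):
        print(hit)
```

Only the Excel-to-PowerShell launch and the Copilot connection to the unresolved external address are reported; the printer helper spawned by Word, the internal file share, and the inbound (Initiated=false) connection are dropped. Note that the second hunt matches on reverse-DNS suffixes, so a destination with no hostname is surfaced rather than silently allowed, which is the conservative choice for an exfiltration hypothesis with Medium FP risk.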

Control Gaps

  • Lack of timely patching for critical vulnerabilities
  • Insufficient network segmentation for vulnerable services like SQL Server or SharePoint

Key Behavioral Indicators

  • Unexpected process ancestry from Office apps
  • Anomalous network connections from Copilot Agent

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply Microsoft's March Patch Tuesday updates to all affected systems, prioritizing Critical vulnerabilities and those likely to be exploited within 30 days.
  • Update Adobe Reader to the latest patched versions to address the disclosed Use After Free and signature verification vulnerabilities.

Infrastructure Hardening

  • Avoid using InMemoryVectorStore for production scenarios in Microsoft Semantic Kernel as a mitigation for CVE-2026-26030.
  • Ensure IPS/IDS signatures are updated on firewalls and endpoint protection platforms to detect known exploit attempts.

User Protection

  • Educate users on the risks of opening untrusted Office documents or interacting with suspicious sign-in deep links (CVE-2026-26123).

Security Awareness

  • Train administrators on the specific update procedures for Azure VM extensions like the Windows Admin Center to ensure all components are patched.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1068 - Exploitation for Privilege Escalation

Additional IOCs

  • Other:
    • Exp/2624289-A - Sophos Intercept X/Endpoint IPS signature for CVE-2026-24289
    • Exp/2624291-A - Sophos Intercept X/Endpoint IPS signature for CVE-2026-24291
    • Exp/2625187-A - Sophos Intercept X/Endpoint IPS signature for CVE-2026-25187
    • Exp/2626132-A - Sophos Intercept X/Endpoint IPS signature for CVE-2026-26132