Microsoft Patch Tuesday March 2026: 86 CVEs, 2 Zero-Days, and a SQL Server Escalation You Cannot Ignore
March 2026 is a mid-volume cycle with 86 total CVEs, 10 rated Critical, and 2 publicly disclosed zero-days. Neither zero-day has confirmed in-the-wild exploitation as of release, but both warrant accelerated patching given their exposure profile. The heaviest concentration of Critical-rated vulnerabilities sits in Azure-adjacent infrastructure and Office products, which means two separate patching tracks for most enterprise environments.
SQL Server is carrying a publicly disclosed privilege escalation that has direct implications for lateral movement, and Microsoft Authenticator is leaking information that could undermine MFA workflows. We are flagging five CVEs for priority action this cycle.
Zero-Day CVEs: Publicly Disclosed
CVE-2026-21262: SQL Server Privilege Escalation
ThreatHunter Priority: PATCH NOW — Publicly disclosed / Network exploitable / sysadmin access
An authenticated attacker with basic SQL Server access can escalate to sysadmin over the network. No physical access required. If SQL Server is reachable from a compromised workstation, this is a one-step ticket to full database control.
SQL Server privilege escalation is a persistent lateral movement vector. We have seen this class of vulnerability weaponized in ransomware pre-positioning campaigns going back to at least 2019, where threat actors used legitimate SQL access as a pivot to enumerate Active Directory and stage data exfiltration. CVE-2023-21528 and CVE-2022-41120 are recent predecessors in the same product line. The fact that this is publicly disclosed with no patch lag means PoC development is already in motion.
Identity/AD Impact: YES — sysadmin access from SQL can enable credential harvesting against AD-integrated service accounts
Affected Versions: SQL Server 2016 SP3, 2017 CU31, 2019 CU32, 2022 CU23, 2025 CU2 and associated GDR releases
CVE-2026-26127: .NET Out-of-Bounds Read / Denial of Service
ThreatHunter Priority: HIGH — Publicly disclosed / Unauthenticated / Network exploitable
An unauthenticated remote attacker can crash a .NET application by sending malformed input that triggers an out-of-bounds read. If your API gateways, web services, or internal tooling run on .NET 8, 9, or 10, this is a service availability risk with no authentication barrier.
Out-of-bounds read vulnerabilities in .NET have historically been treated as lower-severity, but the unauthenticated angle changes the math. In environments with .NET-based internal portals or SOC tooling, this becomes a denial-of-service risk that an attacker can use to blind your detection stack before staging a follow-on action. ASP.NET Core 8.0 through 10.0 are all in scope.
Identity/AD Impact: Indirect — if authentication portals or token issuance services run on affected .NET versions
Affected Versions: .NET 9.0 and 10.0 on Linux, macOS, and Windows; ASP.NET Core 8.0, 9.0, 10.0
Critical-Rated Vulnerabilities by Category
Azure Infrastructure — 13 CVEs
ThreatHunter Priority: HIGH — EoP + InfoDisc + Spoofing / Separate patching workflow required
This is the largest Critical cluster this cycle and the one most likely to be overlooked. Azure Arc Connected Machine Agent, Automation Hybrid Worker, AD SSH Login Extension for Linux, and Windows Admin Center in the Azure Portal are all in scope. These are hybrid-bridge components — they sit at the seam between your on-prem environment and Azure, which makes them high-value targets for privilege escalation and lateral movement across trust boundaries.
Arc-adjacent vulnerabilities have appeared in every major Patch Tuesday cycle going back to 2022. The AD SSH Login Extension for Linux (CVE-2026-26141) is particularly worth scrutiny because it touches the authentication path for Linux workloads joined to Azure AD. Compromising that layer has been a known vector for cross-platform privilege escalation in hybrid environments.
Identity/AD Impact: YES — AD SSH Login Extension and Windows Admin Center both touch identity and auth pipelines
Notable CVEs: CVE-2026-23651, CVE-2026-23660-23662, CVE-2026-26117-26118, CVE-2026-26141
Also worth noting: the presence of “MCP Server Tools” in the Azure affected component list is new. We are tracking this component actively given the emerging attack surface around AI-adjacent tooling.
Microsoft Office / 365 Apps / Teams — 11 CVEs
ThreatHunter Priority: HIGH — RCE + EoP + InfoDisc / Broad enterprise exposure
This category carries multiple Remote Code Execution CVEs across Excel, Office 2016/2019/LTSC, Teams, and Office for Android. RCE in Excel and Teams is the pairing most likely to be weaponized in phishing campaigns, because both are document-delivery surfaces that users trust. We have seen this pairing used in targeted attacks against defense contractors and financial sector organizations.
Office RCE has been exploited in the wild consistently since at least 2017. The attack pattern is stable: lure document delivered via email or Teams, user opens it, RCE fires, implant is dropped. The 2023 Storm-0978 campaign against European government and defense targets used exactly this model. The addition of Teams as a vector since 2022 has expanded the attack surface considerably.
Identity/AD Impact: Indirect — post-exploitation credential harvesting is standard follow-on
Notable CVEs: CVE-2026-21535, CVE-2026-26107-26114
SharePoint — 4 CVEs
ThreatHunter Priority: HIGH — RCE + Spoofing / On-prem instances at elevated risk
SharePoint RCE has a well-documented exploitation history. CVE-2019-0604 and the 2023 ProxyNotShell-era SharePoint chains were actively exploited and used as initial access vectors. If you are running SharePoint on-prem (Enterprise Server 2016, 2019, or Subscription Edition), treat this as high urgency. SharePoint Online customers are patched by Microsoft automatically but should verify.
Identity/AD Impact: YES — SharePoint is often AD-integrated; spoofing CVEs can be used to harvest tokens or impersonate users
Notable CVEs: CVE-2026-26105, CVE-2026-26106, CVE-2026-26113, CVE-2026-26114
Payment Orchestrator Service — 1 CVE
ThreatHunter Priority: HIGH — EoP / Critical-rated / Niche but significant
This is the CVE most people will skip and should not. A Critical-rated privilege escalation in the Payment Orchestrator Service means an attacker who lands on a system running this service can escalate. We do not have broad telemetry on deployment patterns for this component, so if you are unsure whether your environment has it, check now. For any POS-adjacent environments, this is worth an explicit audit.
Notable CVE: CVE-2026-26125
Windows Platform (All Versions) — 50+ CVEs
ThreatHunter Priority: HIGH — RCE + EoP + InfoDisc + SFB + Spoofing / Standard cycle urgency
This is the standard Windows OS patch batch: 50-plus CVEs spanning Windows 10, 11, Server 2012 through 2025, and Windows App Client. No individual CVE in this group is a zero-day or stands out as exceptional, but the aggregate volume of Elevation of Privilege and Remote Code Execution entries means the attack surface is wide. Prioritize Server 2016 and 2019 environments running internet-exposed workloads.
Microsoft Authenticator (iOS / Android) — 1 CVE
ThreatHunter Priority: MEDIUM — InfoDisc / MFA pipeline integrity concern
An information disclosure vulnerability in the Microsoft Authenticator app. We do not yet have full technical detail on what information is exposed, but any CVE touching the authenticator is a direct threat to MFA integrity. If this leaks token seeds, TOTP codes, or account metadata, the blast radius is significant.
Push your mobile users to update the app immediately. Until we have more technical detail on CVE-2026-26123, treat any MFA-related authentication anomalies in your auth logs as elevated priority.
Identity/AD Impact: YES — touches MFA pipeline directly
Developer Tools (.NET / ASP.NET Core) — 3 CVEs
ThreatHunter Priority: HIGH — DoS + EoP / Includes publicly disclosed zero-day
See CVE-2026-26127 detail in the Zero-Day section above. Two additional CVEs round out this category: CVE-2026-26130 and CVE-2026-26131, covering Elevation of Privilege in .NET. If your DevSecOps pipeline, internal APIs, or web services run on .NET 8 through 10, this entire category needs attention.
System Center Operations Manager — 1 CVE
ThreatHunter Priority: MEDIUM — EoP / SCOM deployments only
Elevation of Privilege in SCOM 2019, 2022, and 2025. If SCOM is part of your monitoring stack, patch it. Compromising a monitoring system gives an attacker visibility into your entire environment’s health state and alert thresholds, which is useful for cover-and-maneuver operations.
ThreatHunter Recommendations This Cycle
- Patch SQL Server immediately across all versions in scope. CVE-2026-21262 is publicly disclosed, network-exploitable, and grants sysadmin. Monitor for anomalous sysadmin grant events in SQL Server audit logs during and after the patching window.
- Update Microsoft Authenticator on all iOS and Android devices before end of week. Do not wait for your standard mobile MDM cycle. Until we have more technical detail on CVE-2026-26123, treat any MFA-related authentication anomalies in your auth logs as elevated priority.
- Run a separate Azure patching review for Arc-connected infrastructure and Hybrid Worker extensions. These do not update through WSUS or SCCM. Verify Arc agent version, AD SSH Login Extension build, and Windows Admin Center in Azure Portal are all current. This is the category most likely to fall through the gap in hybrid environments.
- Validate SharePoint patch status for any on-prem deployments. If you are running SharePoint Enterprise 2016 or 2019 with internet-facing access, move this from High to PATCH NOW on your internal tracker. SharePoint Online customers are handled by Microsoft but should verify.
- Audit Payment Orchestrator Service deployment footprint. If you run any POS-adjacent, payment processing, or e-commerce infrastructure, confirm whether this service is present in your environment and apply the CVE-2026-26125 patch immediately. Do not assume it is not deployed.
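One way to act on the first recommendation above (monitoring for sysadmin grants around the SQL Server patch window), as an added example that is not part of the advisory: T-SQL that snapshots current sysadmin membership as a baseline, enables a server audit for role-membership changes, and then hunts the audit files for sysadmin grants. The audit and specification names and the C:\SQLAudit\ path are assumptions chosen here; the client_ip and application_name audit columns require SQL Server 2017 or later, and running this needs ALTER ANY SERVER AUDIT (or CONTROL SERVER).

```sql
-- Added example, not from the advisory. Assumes the audit directory
-- C:\SQLAudit\ exists and the SQL Server service account can write to it.

-- 1. Baseline: record who holds sysadmin BEFORE patching so post-patch
--    membership can be diffed against a known-good list.
SELECT m.name AS member_name, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Audit every server-role membership change (ALTER SERVER ROLE ... ADD MEMBER,
--    sp_addsrvrolemember) and every server principal change (new logins).
USE master;
CREATE SERVER AUDIT SysadminGrantAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION SysadminGrantSpec
    FOR SERVER AUDIT SysadminGrantAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT SysadminGrantAudit WITH (STATE = ON);

-- 3. Hunt: role-membership changes touching sysadmin in the last 7 days,
--    with the acting login, the target login, and where the call came from.
--    Any row here that was not raised by a known change ticket is an
--    escalation indicator and a candidate for revocation and investigation.
SELECT a.event_time, d.name AS action_name, a.succeeded,
       a.server_principal_name        AS actor,
       a.target_server_principal_name AS target_login,
       a.client_ip, a.application_name, a.statement
FROM sys.fn_get_audit_file('C:\SQLAudit\SysadminGrantAudit*.sqlaudit', DEFAULT, DEFAULT) AS a
JOIN sys.dm_audit_actions AS d ON a.action_id = d.action_id
WHERE d.containing_group_name = 'SERVER_ROLE_MEMBER_CHANGE_GROUP'
  AND a.event_time >= DATEADD(DAY, -7, SYSUTCDATETIME())
  AND (a.object_name = 'sysadmin' OR a.statement LIKE '%sysadmin%')
ORDER BY a.event_time DESC;
```

Re-run step 1 after patching and compare it with the saved baseline; any member present afterwards that was not in the baseline should also appear as a row in step 3, and one that does not is itself worth investigating.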
Questions on this advisory or prioritization guidance for your environment? Contact your ThreatHunter.ai analyst or reach us at support@threathunter.ai.