
Critical Microsoft SQL Server and .NET Zero Day Vulnerabilities Uncovered in March 2026 Patch Tuesday

By xploitzone
March 11, 2026 9:10 PM

In March 2026, Microsoft rolled out a sweeping security patch that fixes 84 newly discovered bugs in its enterprise software stack. Eight of those problems are tagged Critical, while the other 76 carry an Important rating. When you break it down, almost half, 46 bugs, allow attackers to gain higher privileges. 18 of them could let a remote attacker run arbitrary code, and 10 threaten data leaks. Four aim to trick users, four target denial of service, and two slip past existing protection mechanisms.

Microsoft officially patched two zero-day flaws that had already been publicly exposed before the update hit the market: CVE-2026-26127, a denial-of-service flaw in the .NET framework with a CVSS score of 7.5, and CVE-2026-21262, an elevation-of-privilege vulnerability in SQL Server with a CVSS score of 8.8.

Critical Remote Code Execution and Privilege Escalation Exploits

The biggest headline in this cycle is CVE-2026-21536, a remote-code-execution flaw that hit Microsoft's Devices Pricing Program. With a CVSS score of 9.8, it sits right where most vendors would spend a lot of time. Microsoft has already rolled out a fix, so users don't have to do anything, thanks in part to the XBOW platform that spotted the issue in the first place.

Outside of that, privilege-escalation bugs make up more than half of the findings this month. Tenable and other specialists point out that once a threat actor slips in, often via social engineering, they'll use these glitches to dig deeper into a compromised network.

One of the most eye-catching examples is CVE-2026-25187, a Winlogon vulnerability uncovered by Google's Project Zero. It lets a locally authenticated user manipulate link-resolution workflows and gain full SYSTEM rights, all with minimal user interaction.

Azure Cloud Security and Excel Zero Click Vulnerabilities

This update cycle hit cloud infrastructure and AI-powered productivity apps the same way it hit everyone else. Microsoft spent the week tightening up Azure and Excel, hunting down foundational bugs that could let attackers slip in unseen.

A major find was CVE-2026-26118, a server-side request forgery rated 8.8 and tucked inside the Azure Model Context Protocol server. If a bad actor plants a malicious URL, the server can harvest a managed-identity token and use it to walk into secure cloud resources without ever needing admin rights.

Excel isn't spared either. CVE-2026-26144 exposes an information-disclosure flaw that can transform a single click into a zero-click attack. Cybersecurity executives warn that the integrated Copilot Agent could quietly send sensitive financial or IP data beyond the company's perimeter.

To keep pace with these threats, the company announced a shift in Windows Autopatch that will start rolling out in May 2026. Hot-patching will be enabled by default, letting IT teams lock down devices and hit compliance milestones twice as fast, all without forcing disruptive restarts.
