TL;DR

  • Microsoft patched 84 vulnerabilities in March 2026 Patch Tuesday, including 2 publicly disclosed zero-days
  • The most critical: CVE-2026-21262 (SQL Server privilege escalation, CVSS 8.8) lets attackers become database admins
  • Another zero-day CVE-2026-26127 (.NET denial of service, CVSS 7.5) can crash your applications remotely
  • 46 privilege escalation bugs total — attackers use these after getting initial access
  • Action: Update Windows immediately, especially if you run SQL Server or .NET applications

Related: How AI Attacks Now Steal Your Data in 72 Minutes

What Happened

Microsoft's March 2026 Patch Tuesday fixes 84 security vulnerabilities across Windows, SQL Server, Office, SharePoint, and Azure [1]. Eight are rated Critical severity, 76 are Important, and two were publicly disclosed before patches were available (making them "zero-days" at the time) [2].

The breakdown by vulnerability type:

  • 46 privilege escalation flaws (55% of all CVEs this month)
  • 18 remote code execution bugs
  • 10 information disclosure vulnerabilities
  • 4 spoofing, 4 denial-of-service, 2 security feature bypass flaws [3]

The Two Zero-Days You Need to Care About

CVE-2026-21262: SQL Server Privilege Escalation (CVSS 8.8)

This elevation of privilege vulnerability in Microsoft SQL Server allows an authenticated attacker with low privileges to escalate to database administrator (sysadmin) level [4].

Why it matters: Once an attacker has ANY foothold in your network — a stolen phishing credential, a compromised service account, a vulnerability in another system — they can use this bug to promote themselves to database king. They can read, modify, or delete data, create new accounts, and tamper with database configurations [5].

Real-world impact: SQL Server often holds the crown jewels — customer records, financial data, intellectual property. This bug gives attackers the keys to that kingdom after they've already slipped in the back door.

Exploitation requires: Network access to SQL Server and valid low-privileged credentials. No user interaction needed after initial access [6].

CVE-2026-26127: .NET Denial of Service (CVSS 7.5)

This vulnerability in .NET 9.0 and 10.0 affects Windows, macOS, and Linux systems running the .NET runtime [7]. An attacker can remotely crash .NET applications by sending malicious requests.

Why it matters: If your business applications (web APIs, payment services, internal tools) are built on .NET, this bug can knock them offline. It's a denial-of-service attack that causes targeted .NET processes to crash or become unstable [8].

Real-world impact: Downtime, degraded performance, angry customers, lost revenue during outages. For e-commerce, SaaS, or any line-of-business app, that's real money lost.

The Other Critical Bugs You Should Know

CVE-2026-21536: Remote Code Execution in Microsoft Devices Pricing Program (CVSS 9.8)

This is the highest-severity flaw this month (CVSS 9.8), but Microsoft says it's already fully mitigated and no user action is required [9]. Good news — this one's handled.

CVE-2026-25187: Winlogon Privilege Escalation (CVSS 7.8)

This vulnerability lets a locally authenticated attacker with low privileges escalate to SYSTEM by exploiting a link-following condition in the Winlogon process [10].

Why it's dangerous: No user interaction required, low attack complexity. Once an attacker is on a system (via phishing, malicious download, etc.), they can use this to become SYSTEM — the highest privilege level on Windows [11].

CVE-2026-26144: Excel Information Disclosure via Copilot (CVSS 7.5)

This flaw in Microsoft Excel could allow an attacker to exfiltrate data as part of a zero-click attack through Copilot Agent mode [12].

Why it matters: Excel files often contain financial data, intellectual property, or operational records. In corporate environments using AI-assisted productivity features, this vulnerability increases exposure — automated agents could unintentionally transmit sensitive data outside corporate boundaries [13].

Why Privilege Escalation Matters for Your Business

Over half of this month's CVEs (55%) are privilege escalation bugs [14]. These aren't typically used for initial access — they're used after an attacker is already inside your network.

The attack chain looks like this:

  1. Attacker gets in via phishing, stolen credential, or unpatched vulnerability
  2. Attacker uses privilege escalation bug to gain higher permissions
  3. Attacker moves laterally, accesses sensitive data, deploys ransomware

Privilege escalation vulnerabilities turn a small breach into a catastrophic one. That's why patching matters even if you think "nobody would target us" — attackers automate this stuff.

Related: 67% of Cyberattacks Now Start With a Stolen Password

What Your Business Should Do Right Now

1. Apply Windows Updates Immediately

For Windows 10/11:

  • Open Settings → Windows Update
  • Click "Check for updates"
  • Install all security updates
  • Restart when prompted

For Windows Server:

  • Check Windows Server Update Services (WSUS) or your update management tool
  • Apply the March 2026 security updates (KB5078740 for Windows Server 2025)
  • Restart servers during maintenance windows

2. Prioritise SQL Server and .NET Systems

If you run Microsoft SQL Server or .NET applications:

  • Patch SQL Server immediately (CVE-2026-21262)
  • Update .NET runtime to the latest patched version (CVE-2026-26127)
  • Review SQL Server logs for suspicious activity
  • Audit database user permissions — remove unnecessary admin accounts
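The last two bullets (review the instance and audit who holds admin rights) are what a defender can do today regardless of patch state. The script below is an added example, not code from the original post or from Microsoft: it pulls the build string the article suggests checking with SELECT @@VERSION and lists every login in the sysadmin fixed server role, flagging any that are enabled but not on a known-admin list. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller can connect with Windows authentication, and the instance name and the known-admin list are placeholders to replace.

```powershell
# Added example, not from the original post: defender-side audit of sysadmin membership
# on a SQL Server instance, plus the build string to compare against Microsoft's fixed
# builds for CVE-2026-21262. Assumes the SqlServer module (Invoke-Sqlcmd) is installed.
param(
    [string]$ServerInstance = 'SQLHOST\INSTANCE',   # placeholder, replace with your instance
    [string[]]$KnownAdmins  = @('sa')               # logins you expect to hold sysadmin (constructed list, adjust)
)

Import-Module SqlServer -ErrorAction Stop

# 1. Build string: the same SELECT @@VERSION the article suggests running in SSMS.
#    Compare it with the fixed build list in Microsoft's advisory for CVE-2026-21262.
$version = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query 'SELECT @@VERSION AS V;').V
Write-Host "Instance build:`n$version`n"

# 2. Every login that is a member of the sysadmin fixed server role.
#    Each of these already has the access the bug would hand a low-privileged attacker,
#    so the list should be as short as the business can tolerate.
$sysadminQuery = @"
SELECT  sp.name        AS LoginName,
        sp.type_desc   AS LoginType,
        sp.is_disabled AS IsDisabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;
"@
$members = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sysadminQuery

$review = @()
foreach ($m in $members) {
    $status = if ($KnownAdmins -contains $m.LoginName) { 'expected' } else { 'REVIEW' }
    # Enabled logins that nobody recognises are the ones to justify or remove.
    if ($status -eq 'REVIEW' -and -not $m.IsDisabled) { $review += $m.LoginName }
    '{0,-8} {1,-45} {2,-22} disabled={3}' -f $status, $m.LoginName, $m.LoginType, $m.IsDisabled
}

# 3. Keep the evidence next to the patch log ("document what you patched and when").
$report = Join-Path $env:TEMP ("sysadmin-audit-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
$members | Export-Csv -Path $report -NoTypeInformation
Write-Host "`nUnexpected, enabled sysadmin logins: $($review.Count)  (full list saved to $report)"
```

Run it before patching to get a baseline and again afterwards; a sysadmin login that appears between the two runs is exactly the kind of change the privilege-escalation bug would produce. Recent SqlServer module versions default to encrypted connections, so an instance with a self-signed certificate may need `-TrustServerCertificate` added to both Invoke-Sqlcmd calls.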

3. Check Your Microsoft 365/Azure Environment

For Azure deployments:

  • Review and patch Azure Model Context Protocol (MCP) server configurations (CVE-2026-26118)
  • Check managed identity permissions
  • Audit Azure resource access controls

For Microsoft 365:

  • Ensure Office applications are updated (CVE-2026-26110, CVE-2026-26113, CVE-2026-26144)
  • Review Copilot Agent mode usage in Excel

4. Verify Third-Party Applications

Many business applications depend on SQL Server or .NET. Check with your software vendors:

  • "Do you use Microsoft SQL Server? Have you patched for CVE-2026-21262?"
  • "Are your .NET components updated for CVE-2026-26127?"

5. Test Your Backups

Before patching critical systems:

  • Verify recent backups are complete and intact
  • Test restore procedures
  • Have a rollback plan ready if patches cause issues

Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

The Bigger Picture: Patching as Business Resilience

Patching isn't just IT hygiene — it's business resilience. Every unpatched vulnerability is an open door attackers can walk through. With AI accelerating the exploitation timeline from weeks to days [15], businesses can't afford to wait.

The reality: Most SMBs don't have dedicated security teams. That's okay. What you need is a systematic approach:

  • Monthly patch review (Patch Tuesday is your trigger)
  • Prioritise critical and high-severity CVEs
  • Test in non-production first, then deploy
  • Document what you patched and when

Security isn't about being perfect — it's about raising the bar high enough that automated attacks move on to easier targets.

FAQ

Do I still need to patch if I don't run SQL Server?

Yes, but focus on different vulnerabilities. If you don't run SQL Server, CVE-2026-21262 doesn't apply to you. But you should still patch for the .NET denial-of-service bug (CVE-2026-26127) if you use any .NET applications, and the Winlogon privilege escalation flaw (CVE-2026-25187) applies to all Windows systems.

How quickly should I apply these patches?

For publicly disclosed zero-days like CVE-2026-21262 and CVE-2026-26127, treat them as urgent. Patch within 7 days if the system is internet-facing or holds sensitive data. For internal systems with sensitive data, patch within 30 days. For low-risk systems, follow your normal patch cycle but don't skip them.

Can these patches break my systems?

Patches can occasionally cause compatibility issues. Test critical updates in a non-production environment first. If you don't have a test environment, back up critical systems before patching and have a rollback plan. Microsoft extensively tests patches, but every environment is unique.

What if my software vendor hasn't approved the patches yet?

Your vendor may be testing their software against the patches before endorsing them. Ask them: "When will you certify compatibility with March 2026 Patch Tuesday updates?" In the meantime, assess your risk. If the system is internet-facing or holds sensitive data, the risk of NOT patching usually outweighs the risk of compatibility issues.

How do I check whether my systems are already patched?

Check your systems:

  • Windows: Run systeminfo in Command Prompt to see your patch level
  • SQL Server: Check SELECT @@VERSION in SQL Server Management Studio
  • .NET: Check installed versions in Programs and Features or via PowerShell
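The three checks above (Windows patch level, SQL Server build, .NET runtimes) can be done in one pass from PowerShell, which also covers the Windows Server step earlier in the article that names KB5078740. The script below is an added example, not code from the original post or from Microsoft. It looks for the KB the article lists for Windows Server 2025, warns if a reboot is still pending (an installed update that has not been applied by a restart is not protecting the host yet), and lists installed .NET runtimes so that 9.x and 10.x installs can be compared with Microsoft's advisory for CVE-2026-26127; the fixed runtime version numbers are not given on this page, so the script flags them for review rather than judging them. It assumes the dotnet CLI is on PATH where a runtime is installed and reports, rather than fails, when it is not.

```powershell
# Added example, not from the original post: verify March 2026 patch status on one Windows host.
# KB5078740 is the Windows Server 2025 update named in the article; add the KB for your own
# OS version. Fixed .NET build numbers are not on the page, so 9.x/10.x runtimes are only flagged.
param(
    [string[]]$ExpectedKBs = @('KB5078740')
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} build {1}, last boot {2}" -f $os.Caption, $os.BuildNumber, $os.LastBootUpTime)

# 1. Installed updates. Get-HotFix reads the same Win32_QuickFixEngineering data that
#    systeminfo prints under "Hotfix(s)".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $ExpectedKBs) {
    if ($installed -contains $kb) {
        Write-Host "[OK]      $kb is installed"
    } else {
        Write-Host "[MISSING] $kb not found - check Windows Update / WSUS"
    }
}

# 2. Pending reboot. Windows Update sets this key when an installed update needs a restart.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    Write-Host "[WARN]    Reboot required before the installed updates take effect"
}

# 3. .NET runtimes. CVE-2026-26127 affects .NET 9.0 and 10.0 per the article, so those
#    majors are marked CHECK for comparison against Microsoft's fixed versions.
$dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
if ($null -eq $dotnet) {
    Write-Host "[INFO]    dotnet CLI not found; check Programs and Features for .NET runtimes"
} else {
    $runtimes = & $dotnet.Source --list-runtimes
    foreach ($line in $runtimes) {
        # Lines look like: Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
        if ($line -match '^(\S+)\s+(\d+)\.(\d+)\.(\d+)') {
            $name  = $Matches[1]
            $major = [int]$Matches[2]
            $tag   = if ($major -in @(9, 10)) { 'CHECK' } else { 'info' }
            Write-Host ("[{0,-7}] {1} {2}.{3}.{4}" -f $tag, $name, $Matches[2], $Matches[3], $Matches[4])
        }
    }
}
```

Run it on each server after the maintenance window and keep the output with the patch record. For SQL Server hosts, pair it with the sysadmin audit in the SQL Server section; the OS update and the SQL Server update are separate packages, so a host can show KB5078740 installed and still be running an unpatched SQL Server build.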

If you're not sure, a security assessment can identify vulnerabilities in your environment.


Your business doesn't need to fear every headline — but it does need a systematic approach to security. Patch management, vulnerability assessment, and defense-in-depth strategy keep you resilient. Book a consultation to build a security posture that scales with your business.

References

[1] Microsoft Security Response Center, "Release Note for March 2026 Security Updates," Microsoft, 2026. [Online]. Available: https://msrc.microsoft.com/update-guide/releaseNote/2026-mar

[2] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[3] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/

[4] National Vulnerability Database, "CVE-2026-21262," NIST, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21262

[5] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[6] Immersive Security, "Analysis of CVE-2026-25187 Winlogon Privilege Escalation," Immersive, 2026. [Online]. Available: https://blog.immersive.app/

[7] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/

[8] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[9] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[10] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[11] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/

[12] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[13] Alex Vovk, "Information Disclosure Vulnerabilities in Corporate Environments," Action1, 2026. [Online]. Available: https://www.action1.com/blog/

[14] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/

[15] lilMONSTER, "AI Just Shrunk the Vulnerability Exploitation Window from Weeks to Days," lil.business Blog, 2026. [Online]. Available: https://lil.business/blog/ai-vulnerability-window-days-third-party-smb-2026

TL;DR

  • Microsoft fixed 84 security problems in their software this month
  • Two bugs were especially serious because bad guys knew about them before Microsoft could fix them
  • One bug lets attackers become bosses of your database; another can crash your apps
  • You should update your Windows computers this week

Related: How AI Attacks Now Steal Your Data in 72 Minutes

What Is Patch Tuesday?

Think of Patch Tuesday like a regular check-up at the doctor, but for your computer. Every second Tuesday of the month, Microsoft releases updates that fix security problems in Windows, Office, and other Microsoft software [1].

It's called "Patch Tuesday" because Microsoft "patches" (fixes) holes that bad guys could use to break into your computer.

What Happened in March 2026

This month, Microsoft fixed 84 security problems [2]. That's a lot! Most of these are like small cracks in a wall — not super dangerous on their own, but bad if left unfixed.

Two of these problems were extra serious because bad guys already knew about them before Microsoft could fix them. These are called "zero-days" — zero days between when bad guys found out and when Microsoft could fix them [3].

The Two Big Bugs to Know About

Bug #1: The Database Boss Maker (CVE-2026-21262)

Imagine your business database is like a filing cabinet with different drawers. Most employees can only open certain drawers. The boss can open ALL the drawers.

This bug lets someone who's only supposed to open one drawer suddenly become the boss and open EVERY drawer [4].

Why it's bad: If a bad guy gets into your system (even just a tiny bit), they can use this bug to give themselves full control over your database. They could read, change, or delete your customer records, financial data, or any important information [5].

Who needs to worry: If your business uses Microsoft SQL Server (a program that stores lots of business data), you need to fix this right away.

Bug #2: The App Crasher (CVE-2026-26127)

Imagine your business has a storefront. This bug is like someone having a remote control that can shut your doors and make customers wait outside [6].

It affects programs built with .NET (a tool many businesses use to build applications). A bad guy could crash your apps from anywhere in the world, making your website or tools stop working [7].

Why it's bad: Downtime = lost money. If your online store or booking system goes down, customers can't buy from you.

Who needs to worry: If your business uses applications built with Microsoft .NET, you should update them.

Other Important Fixes

Microsoft also fixed a bug called CVE-2026-25187 that lets someone with basic access become the boss of the entire Windows computer (SYSTEM account) [8]. Think of it like an intern suddenly getting the CEO's keycard.

There's also CVE-2026-26144, which could leak information from Excel files when using Microsoft's AI helper (Copilot) [9]. If your Excel files have sensitive business info, this matters.

Why Privilege Escalation Is Like Promoting the Wrong Person

Most of the bugs fixed this month (46 out of 84, about 55%) are called "privilege escalation" [10]. That's a fancy way of saying "promoting someone to a level they shouldn't have."

Here's how it works:

  1. Bad guy gets into your system somehow (like finding an open window)
  2. Bad guy uses a privilege escalation bug (like picking a lock to get from the hallway into the CEO's office)
  3. Bad guy now has full control and can steal, delete, or ransom your data

This is why patching matters — even if you think "why would bad guys target me?" — they use automated tools to find these open doors everywhere.

What You Should Do This Week

1. Update All Windows Computers

For most Windows users, it's easy:

  1. Click Start → Settings (the gear icon)
  2. Go to "Windows Update"
  3. Click "Check for updates"
  4. Install all updates and restart when asked

This should take 10-30 minutes, depending on your computer.

2. Check With Your IT Person or Vendor

If you have someone managing your computers, ask them:

  • "Did we apply the March 2026 Microsoft security updates?"
  • "Do we use SQL Server? If so, is it patched for CVE-2026-21262?"
  • "Do we have any .NET applications? Are they updated?"

3. Back Up Important Data Before Updating

Before updating critical systems (like servers or computers that run your business):

  • Make sure your backups are recent
  • Test that you can restore from backups
  • Have a plan in case something goes wrong

It's like backing up your phone before updating iOS — just good practice.

Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

Why This Matters for Your Business

Think of computer security like locking up your shop at night. You wouldn't leave the back door open, right?

Unpatched software is like an open door. Bad guys have automated tools that scan the internet looking for open doors. They don't care who you are — they're just looking for easy targets.

The good news: When you update regularly, you're closing those doors. Most automated attacks will move on to easier targets.

FAQ

What if I can't update this week?

Set a reminder for next week. Better late than never. But if your computers hold sensitive data (customer info, financial records, passwords), try to update within 7 days for the serious bugs (the two zero-days).

Can updates break my computer?

It's rare, but sometimes updates can cause problems. That's why big businesses test updates first. For a small business, just make sure you have backups before updating. If something breaks, you can restore.

I use a Mac. Do I need to do anything?

These specific updates are for Microsoft software. If your Mac runs Microsoft Office or uses Microsoft .NET applications, you might still need to update those programs. Check with your IT person.

What about my phone?

These updates are for computers. Phones (iPhone, Android) have their own update systems. You should update those too, but that's separate from Patch Tuesday.

How often should I check for updates?

Microsoft releases updates every month on Patch Tuesday (second Tuesday). Set a reminder to check updates a few days after Patch Tuesday each month. It's a good habit.


Security doesn't have to be complicated. Update regularly, back up your data, and have a plan. That's the foundation. If you want help building a security approach that fits your business, let's talk.

References

[1] Microsoft, "Windows Update Overview," Microsoft Docs, 2026. [Online]. Available: https://docs.microsoft.com/windows/deployment/update/windows-update-overview

[2] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[3] Malwarebytes, "What is a Zero-Day Vulnerability?" Malwarebytes Labs, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2025/11/what-is-a-zero-day-vulnerability

[4] National Vulnerability Database, "CVE-2026-21262," NIST, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21262

[5] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[6] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/

[7] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[8] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[9] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[10] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/
