Yemi Online

Key Takeaway: Microsoft’s March Patch Tuesday addressed 78 vulnerabilities — including one actively exploited zero-day and three Critical-rated Office/Excel flaws. Security teams should treat this as a high-priority patching sprint.Why This Matters

Microsoft’s March 10, 2026 Patch Tuesday dropped 78 security fixes across Windows, Microsoft Office, Azure, SQL Server, and .NET — and one of them is already in the hands of attackers. CVE-2026-21262, the lone zero-day in this cycle, is under active exploitation in the wild. While Microsoft has not named a threat actor, the presence of a zero-day means adversaries had — or still have — an operational window before your organization patched.

Organizations that delay routine patch cycles are playing Russian roulette with their infrastructure. Here is what every security team needs to know right now.

The Headline Vulnerabilities

The Zero-Day: CVE-2026-21262

This is the one demanding immediate attention. Actively exploited, no attributed threat actor yet, affecting a wide range of Windows environments. Patch immediately, no exceptions.

Critical Office and Excel Flaws

• CVE-2026-26144 — Microsoft Excel Information Disclosure: Despite the ‘information disclosure’ label, Microsoft’s Critical rating signals that the data exposed could be highly sensitive — think credentials, internal configurations, or financial data.
• CVE-2026-26113 — Office Remote Code Execution: An attacker exploiting this can execute arbitrary code in the context of the current user. In enterprise environments where users routinely open external documents, this is a high-value entry point.
• CVE-2026-26110 — A second Office RCE Vulnerability: Same risk profile as above. Two critical Office RCEs in one Patch Tuesday is not a coincidence — it is a pattern of sustained attacker interest in Office-based initial access.

The Broader Picture: EoP and Cloud Exposure

As in prior months, Elevation of Privilege (EoP) vulnerabilities dominate the catalog. Notable entries include CVE-2026-26132 in the Windows Kernel, CVE-2026-26128 in the Windows SMB Server, and CVE-2026-26148 in Microsoft Azure AD SSH Login for Linux. Cloud-hosted infrastructure is not spared — CVE-2026-26117 in the Azure Connected Machine Agent and CVE-2026-26118 in Azure MCP Server Tools round out a busy Azure section.

SharePoint Server picks up two RCE vulnerabilities (CVE-2026-26114 and CVE-2026-26106), which is significant given how many organizations expose SharePoint to internal networks as a collaboration hub.

Practitioner Takeaways

• Prioritize CVE-2026-21262 immediately — zero-day, actively exploited.
• Run emergency patching for the three Critical Office/Excel CVEs before end of business this week.
• Review your Azure Connected Machine Agent deployments and apply cloud patches in parallel.
• Assess SharePoint Server exposure — ensure it is not internet-facing and apply RCE patches on an accelerated timeline.
• Use this cycle as a forcing function to review your EoP exposure across Windows Kernel and SMB components.

CISO Lens: Patch Tuesday is not just an IT operations task — it is an executive risk decision. Two Office RCEs, a live zero-day, and multiple EoP vulnerabilities in a single cycle represent compounding risk. Boards are asking harder questions about patching SLAs. Now is the time to tighten them.