Three high severity holes in Microsoft’s Office suite headline the 78 issues listed in the March Patch Tuesday releases, which, grateful CSOs will notice, contain no surprise zero day vulnerabilities.

Still, Jack Bicer, director of vulnerability research at Action1, says these Office-related flaws should be treated “with urgency.”

“Productivity tools remain one of the most common entry points for attackers,” he explained, “and vulnerabilities that can be triggered through routine document handling continue to expand the attack surface inside corporate networks.”

One of the most notable of the three issues, he said, is the Excel Information Disclosure Vulnerability (CVE-2026-26144). This flaw stems from improper neutralization of input during web page generation, also known as cross-site scripting. The vulnerability allows an attacker to trigger unintended outbound network communication that could leak sensitive information.

The attack requires network access, Microsoft says, but no user interaction or privileges. An attacker could deliver specially crafted content that, when Excel processes it, would initiate data exfiltration without triggering alerts. That’s dangerous, because Excel files often contain sensitive corporate data.

“A particularly concerning aspect is the potential interaction with Copilot Agent mode,” Bicer said in an email, “where automated processes could transmit sensitive data without direct user involvement. Even without confirmed exploitation in the wild, the possibility of silent data exfiltration from spreadsheets containing financial, operational, or intellectual property data represents a meaningful risk to organizations that rely heavily on Excel driven workflows.”

As of today, the hole hasn’t been exploited. 

Action1 says that if patch deployment must be delayed, organizations should restrict outbound network traffic from Office applications and monitor unusual network requests generated by Excel processes. Disabling or limiting AI-driven automation features such as Copilot Agent mode may reduce exposure.

The second Office hole Bicer drew attention to is a remote code execution vulnerability (CVE-2026-26113) caused by Office improperly handling memory pointers. This will allow an attacker to manipulate how the application accesses memory. Successful exploitation could allow the attacker to run code on the affected system with the same privileges as the current user. Admins should note that the Preview Pane can serve as an attack vector, so exploitation may occur simply by viewing a malicious file.

This bug carries a CVSS score of 8.4. As of today, there are no known public exploits or proofs-of-concept.

There’s also a separate Office remote code execution vulnerability (CVE-2026-26110) that introduces risk through a type confusion flaw that results from improper handling of incompatible data types in memory. Like the previous vulnerability, Bicer said, exploitation can occur through document previewing, and could allow attackers to run malicious code with the privileges of the logged-in user. “These vulnerabilities highlight how everyday document handling activities can quickly become pathways for system compromise,” he said.

“From a business perspective, vulnerabilities that enable code execution or data disclosure through widely used productivity software present significant operational risk,” Bicer added. “Office documents are routinely exchanged across email, collaboration platforms, and shared repositories, making them a common delivery mechanism for phishing campaigns and targeted attacks. If exploited, these vulnerabilities could allow attackers to deploy malware, steal sensitive information, establish persistent access, or move laterally through corporate networks. The Preview Pane attack vector is particularly concerning because it reduces the need for user interaction and increases the likelihood of accidental exposure.”

Bicer said for this Patch Tuesday, strategic focus should include rapid patch deployment for Office environments, monitoring for unusual outbound network activity originating from Office applications, and limiting automated data sharing features tied to AI-assisted workflows such as Copilot Agent mode. CISOs should also reinforce controls that reduce document-based attack risk, including disabling Preview Pane where feasible, strengthening email attachment filtering, and increasing endpoint monitoring for abnormal Office process behavior.

“Taking these steps will reduce the likelihood that routine document interactions become an entry point for attackers seeking to compromise enterprise systems or extract sensitive data,” he said.
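To make the monitoring advice above concrete, here is an added Python example (not from the article, Action1 or Microsoft) that filters Sysmon Event ID 3 (network connection) records for outbound connections started by Office processes to destinations outside an allowlist. The allowlist suffixes, the internal address range and the sample events are constructed assumptions to adapt per environment.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumptions: the destinations Office is expected to reach in this environment.
ALLOWED_SUFFIXES = (".office.com", ".microsoft.com", ".corp.example")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def _event(image, host, ip, port, initiated="true"):  # builds a constructed record
    fields = {"Image": image, "Initiated": initiated, "DestinationHostname": host,
              "DestinationIp": ip, "DestinationPort": port}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>3</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _event(EXCEL, "outlook.office.com", "203.0.113.10", "443"),
    _event(EXCEL, "office.com.unknown.example", "198.51.100.7", "443"),
    _event(EXCEL, "-", "198.51.100.9", "8080"),
    _event(EXCEL, "-", "10.0.0.5", "445"),
    _event(r"C:\Windows\System32\svchost.exe", "unknown.example", "198.51.100.7", "443"),
    _event(EXCEL, "unknown.example", "198.51.100.7", "443", initiated="false"),
]

def is_allowed(host, ip):
    host = host.lower().rstrip(".")
    if host not in ("", "-"):
        # Suffix match on a label boundary, so office.com.unknown.example fails.
        return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)
    addr = ipaddress.ip_address(ip)  # no hostname resolved: fall back to the IP
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_office_connections(events_xml):
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue
        d = {n.get("Name"): n.text or "" for n in root.iterfind("e:EventData/e:Data", NS)}
        image = d.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_IMAGES or d.get("Initiated", "").lower() != "true":
            continue  # only outbound connections started by an Office process
        host, ip = d.get("DestinationHostname", ""), d.get("DestinationIp", "")
        if not is_allowed(host, ip):
            hits.append((image, ip if host in ("", "-") else host, int(d["DestinationPort"])))
    return hits

if __name__ == "__main__": print(suspicious_office_connections(SAMPLE_EVENTS))
```
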

Azure issues

Tyler Reguly, associate director for security R&D at Fortra, said CSOs should pay close attention to nine Azure vulnerabilities: CVE-2026-23651 and 26124 in Azure Compute Gallery; CVE-2026-23660 in Azure Portal Windows Admin Center; CVE-2026-23661, 23662, and 23664 in Azure IoT Explorer; CVE-2026-23665 in Azure Linux Virtual Machines; CVE-2026-26141 in Azure Arc; CVE-2026-26118, an elevation of privilege vulnerability in Azure Model Context Protocol (MCP) tools; and CVE-2026-26148 in Azure Entra ID.

The Entra ID login hole affects Azure Linux virtual machines and is rated High severity, with a CVSS score of 8.1. It could allow an unauthorized attacker to elevate privileges locally. Azure users need to update the Azure SSH login extension through their Linux distribution’s package manager to install the latest version of the aadsshlogin package. Systems with the extension already installed have packages.microsoft.com configured automatically, so no additional setup is required.

“The cloud ecosystem doesn’t really handle patching well,” Reguly said. “It’s a relatively immature process, and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (CVE-2026-23665) or the multiple CVEs impacting Azure IoT Explorer require pretty non-standard patching mechanisms, and those may require a little additional effort from IT teams. CSOs should ensure that they have solid asset inventories around the deployment of cloud related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sysadmins and security teams on a quiet month like this,” Reguly said.

Chris Goettl, VP of product management at Ivanti, noted that an elevation of privilege vulnerability in SQL Server (CVE-2026-21262), with a CVSS score of 8.8, is on the list; however, it has already been publicly disclosed. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.

Satnam Narang, senior staff research engineer at Tenable, commented on the fix for Azure Model Context Protocol (MCP) tools. “This bug is a server-side request forgery,” he said in an email, “so an attacker could exploit it by sending a request to a vulnerable Azure MCP Server. But exploitation requires that the server accept user-provided parameters.

“MCP servers have become extremely popular for connecting large language models and agentic AI applications,” he noted, “and with the rise of tools like OpenClaw and other agents, it has become even more critical to secure these tools from cybercriminals.”

Good news for admins

Nick Carroll, cyber incident response manager at Nightwing, spotted what he said is “some incredibly good news. For years, defenders and SOC analysts have relied on Microsoft’s System Monitor (Sysmon) to gain high-fidelity telemetry into process creation, network connections, and file modifications. But because it lived in the external Sysinternals suite, deploying it required manual downloads, custom scripts, and constant maintenance.

As of the Windows 11 March feature update (KB5079473), Sysmon is natively integrated directly into Windows 11 as an optional built-in feature. Admins no longer need to package it dynamically. It can be simply enabled programmatically via PowerShell. “Coupled with Microsoft’s simultaneous announcement that Windows Intune will enable hotpatching by default in May 2026, this drastically lowers the barrier to entry for deep endpoint visibility and represents a massive operational win for network defenders,” he said.

SAP, Google, and other high severity bugs

Separately, SAP issued fixes for two critical vulnerabilities, one of which carries a CVSS score of 9.8. That’s SAP Security Note #3698553, which patches a code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO). According to researchers at Onapsis, the application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to CVE-2019-17571. It allows an unprivileged attacker to execute arbitrary code remotely on the server, causing high impact on confidentiality, integrity, and availability of the application.

The other SAP Security Note, #3714585, tagged with a CVSS score of 9.1, patches an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. Due to missing or insufficient validation during the deserialization of uploaded content, a privileged user is able to upload untrusted or malicious content. Only the fact that an attacker requires high privileges for a successful exploit prevents the vulnerability from being tagged with a CVSS score of 10.

Other vendors also addressed some high severity issues.

Apple released security updates for memory corruption in the Dynamic Link Editor used in iPadOS, macOS, tvOS, watchOS and visionOS.

Google released security updates for Chrome and the Chromium browser that patch several high severity issues.

Ivanti flagged two serious bugs in its Endpoint Manager that could let attackers steal credentials or read sensitive data.

WordPress issued a security update to close a vulnerability that exposes a critical weakness in the WPvivid Backup and Migration plugin. It carries a CVSS score of 9.8.
