March 2026 Patch Tuesday: Two Zero-Days, 79 Fixes, and a Copilot Data Exfil Bug You Should Know About

Author: uMercs Research Team
Date: April 1st, 2026
Category: Offensive Security / Vulnerability Intelligence

Introduction

March's Patch Tuesday dropped on the 10th with 79 CVEs addressed across Windows, Office, SQL Server, Azure, and .NET. No zero-days were actively exploited in the wild this month — which is the good news. The bad news is that two were publicly disclosed before patches were available, one of them involves SQL Server privilege escalation, and there's an Excel flaw that could let an attacker silently exfiltrate data through Microsoft Copilot. That last one deserves a closer look.

The Zero-Days

CVE-2026-21262 — SQL Server Elevation of Privilege (CVSS: High)

This one was originally disclosed in a published article about stored procedure packaging permissions — which means it was sitting in plain sight before a patch existed. An authorized attacker on the network can leverage improper access controls in SQL Server to escalate to SQLAdmin privileges. It's not a remote unauthenticated exploit, but in a compromised environment, this is exactly the kind of lateral movement accelerant that turns a foothold into a full domain compromise.

Priority: Patch immediately if SQL Server 2016 or later is in your environment.

CVE-2026-26127 — .NET Denial of Service (CVSS: 7.5)

An out-of-bounds read in .NET allows an unauthenticated network attacker to crash .NET-based services. DoS flaws don't always get the urgency they deserve — until someone uses one to knock out an authentication service or a monitoring stack right before a more serious move. Worth patching promptly in any internet-facing .NET application.

The One That Should Be on Your Radar

CVE-2026-26144 — Microsoft Excel Information Disclosure via Copilot

This is the most operationally interesting vulnerability in this month's batch. An attacker who exploits this flaw can cause Microsoft Copilot in Agent mode to exfiltrate data via unintended network egress — a zero-click information disclosure attack.

Let that sink in: no user interaction required, and the exfil vector is the AI assistant embedded in your productivity suite. As organizations roll out Copilot broadly, the attack surface for AI-assisted data leakage is expanding faster than most security teams have mapped it. This won't be the last vulnerability of this type.

Priority: High — especially for organizations using Microsoft 365 Copilot in production.

The Office RCE Pair

CVE-2026-26110 and CVE-2026-26113 — Microsoft Office Remote Code Execution

Both of these are exploitable through the Preview Pane — meaning a user doesn't need to open a file to trigger execution. Preview Pane RCEs have a history of being leveraged in targeted phishing campaigns because they lower the interaction bar significantly.

If your organization uses Outlook with Preview Pane enabled (most do), this should be at the top of your patching queue.

Breakdown by Category

This month's 79 CVEs break down as follows:

  • 46 Elevation of Privilege
  • 18 Remote Code Execution
  • 10 Information Disclosure
  • 4 Denial of Service
  • 4 Spoofing
  • 2 Security Feature Bypass

The EoP count is high — 46 privilege escalation vulnerabilities in a single month signals that attackers have strong economic incentive to chain local access into higher privileges. If you're running red team exercises, EoP chains should be a primary test case this quarter.

Third-Party Patches Worth Noting

Microsoft wasn't the only one busy this month:

  • Google Android — Fixed an actively exploited zero-day in a Qualcomm display component. If mobile devices touch your network, this one's already in the wild.
  • Fortinet — Updates for FortiOS, FortiPAM, and FortiProxy. Over the past year Fortinet vulnerabilities have been exploited unusually quickly after disclosure; don't let these sit.
  • SAP — Two critical fixes in the March release. SAP environments are high-value targets and notoriously slow to patch. Worth escalating internally.
  • Cisco — Broad update release across multiple products.

What Your Team Should Be Doing This Week

  1. Patch SQL Server environments — CVE-2026-21262 is publicly disclosed and a clean privilege escalation path. Treat it as a known exploit risk.
  2. Disable Preview Pane in Outlook (or patch immediately) — CVE-2026-26110 and CVE-2026-26113 are preview-pane RCEs. The user interaction bar is low.
  3. Audit Copilot deployments — CVE-2026-26144 is an early indicator of a broader AI-assisted data exfil threat class. Understand what Copilot has access to before attackers do.
  4. Don't skip the Android and Fortinet patches — Actively exploited Qualcomm zero-day and Fortinet fixes deserve the same urgency as the Microsoft items.
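The priorities in the list above, expressed as a small triage helper (an added example, not code from the original post or from uMercs): it scores each fix by the factors the post weighs (public disclosure, preview-pane trigger, zero-click, impact class) and reproduces the by-category breakdown. The records are constructed from the CVEs the post names, the weights are this example's own assumption rather than any vendor rating, and the `CVE-PLACEHOLDER-EOP` entry is a labelled stand-in for an ordinary fix.

```python
# Added example, not code from the original post: encodes the prioritization the
# post applies (public disclosure, preview-pane trigger, zero-click) over records
# constructed from the CVEs it names. Weights are this example's own assumption.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Cve:
    cve_id: str
    product: str
    impact: str                      # EoP, RCE, ID (info disclosure), DoS
    publicly_disclosed: bool = False
    exploited_in_wild: bool = False
    preview_pane: bool = False       # triggers without opening the file
    zero_click: bool = False

IMPACT_WEIGHT = {"RCE": 20, "EoP": 10, "ID": 5, "DoS": 5}   # assumed weights
FLAG_WEIGHT = [("exploited_in_wild", 100, "actively exploited"),
               ("publicly_disclosed", 50, "publicly disclosed"),
               ("preview_pane", 40, "preview-pane trigger"),
               ("zero_click", 40, "zero-click")]

def priority(c: Cve) -> tuple[int, list[str]]:
    """Score one CVE; higher scores are patched first. Returns (score, reasons)."""
    score, reasons = IMPACT_WEIGHT.get(c.impact, 0), []
    for attr, weight, reason in FLAG_WEIGHT:
        if getattr(c, attr):
            score += weight
            reasons.append(reason)
    return score, reasons

def triage(cves: list[Cve]) -> list[Cve]:
    """Stable sort by score, so equal scores keep their input order."""
    return sorted(cves, key=lambda c: priority(c)[0], reverse=True)

def breakdown(cves: list[Cve]) -> Counter:
    return Counter(c.impact for c in cves)

# Constructed from the CVEs the post discusses; the last record is a labelled
# placeholder standing in for an ordinary EoP fix with no special flags.
MARCH_2026 = [
    Cve("CVE-2026-21262", "SQL Server", "EoP", publicly_disclosed=True),
    Cve("CVE-2026-26127", ".NET", "DoS", publicly_disclosed=True),
    Cve("CVE-2026-26144", "Excel/Copilot", "ID", zero_click=True),
    Cve("CVE-2026-26110", "Office", "RCE", preview_pane=True),
    Cve("CVE-2026-26113", "Office", "RCE", preview_pane=True),
    Cve("CVE-PLACEHOLDER-EOP", "Windows", "EoP"),
]
```

Feed it the full month's export (with whatever flags your feed provides) and the three items the post puts at the top of the queue come out first; anything with no special flag falls to the bottom regardless of its impact class.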

Closing Thought

"No actively exploited zero-days" is a headline that can create false comfort. Two publicly disclosed vulnerabilities and an AI-assisted exfil vector in a single month is not a quiet patch cycle — it's a reminder that the attack surface is expanding faster than the patching cadence. The Copilot vulnerability in particular is worth watching as a category. When the AI becomes the exfil vector, traditional DLP controls are blind to it.

Patch early. Audit your AI stack. And maybe don't let Copilot touch your crown jewels until you're sure what it's doing with them.

Drafted by uMercs Research Team | For internal review only — not for publication without approval
Sources: BleepingComputer, Tenable, CrowdStrike, Microsoft MSRC — March 2026