Microsoft security advisory – March 2026 monthly rollup (AV26-213)
Analysis Summary
# Vulnerability: Microsoft March 2026 Monthly Patch Rollup
## CVE Details
*Note: As this is a high-level summary of a monthly rollup (AV26-213), multiple CVEs are addressed. Users should refer to the MSRC portal for specific identifiers.*
- **CVE ID:** Multiple (See MSRC Release Notes)
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** Varies by component (includes RCE, Elevation of Privilege, and Information Disclosure)
## Affected Systems
- **Operating Systems:** Windows 10, 11; Windows Server 2012, 2016, 2019, 2022, 2025.
- **Development Frameworks:** .NET (8.0, 9.0, 10.0), ASP.NET Core (8.0, 9.0, 10.0).
- **Productivity Suites:** Microsoft Office 2016, 2019; Office LTSC 2021/2024; Office for Android/Mac; Microsoft 365.
- **Server Applications:** SharePoint Server 2016, 2019, Subscription Edition; SQL Server 2016–2025; System Center Operations Manager (2019, 2022, 2025).
- **Cloud/Azure Components:** Azure AD SSH Login (Linux), Azure Connected Machine Agent, Azure Automation Hybrid Worker, Azure MCP Server Tools.
## Vulnerability Description
This monthly release addresses a wide array of security flaws across the Microsoft ecosystem. While specific technical details for every individual bug vary, the "Critical" designations within this rollup typically address:
- **Remote Code Execution (RCE):** Flaws in SharePoint and Office components where specially crafted files or requests could allow an attacker to run arbitrary code.
- **Elevation of Privilege (EoP):** Vulnerabilities in Windows Kernel and Azure Extensions that allow a local user to gain administrative or SYSTEM permissions.
- **Information Disclosure:** Weaknesses in .NET and ASP.NET Core that may lead to the exposure of sensitive memory contents or cryptographic keys.
## Exploitation
- **Status:** Varies by CVE. Refer to the MSRC dashboard for entries marked "Exploited" or "More Likely" to be exploited.
- **Complexity:** Ranges from Low to High.
- **Attack Vector:** Primarily Network (Remote) and Local.
## Impact
- **Confidentiality:** High (Risk of data theft and unauthorized access)
- **Integrity:** High (Risk of unauthorized modification of system files)
- **Availability:** High (Risk of system crashes or Denial of Service)
## Remediation
### Patches
Microsoft recommends applying the following updates immediately:
- **Windows Update:** Utilize Windows Update / WSUS to apply cumulative updates for OS components.
- **Microsoft Store:** Updates for Microsoft Authenticator and Windows App Client.
- **Manual Downloads:** Security updates for SQL Server and SharePoint Server via the Microsoft Download Center.
### Workarounds
- Disable unnecessary Azure Extensions if they cannot be patched immediately.
- Use "Protected View" in Microsoft Office to mitigate file-based RCE risks.
- Restrict RPC and SMB traffic to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual service account activity (specifically Azure AD SSH Login) and unexpected outbound traffic from SharePoint servers.
- **Detection Methods:**
  - Use **Microsoft Defender for Endpoint** to identify exploitation attempts of known CVEs.
  - Audit Windows Event Logs for Event ID 4624 (Logon) and 4688 (Process Creation) in relation to patched binaries.
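
The Event ID 4688 audit described above can be run over an XML export of the Security log. The following is an added example, not part of the advisory: the watch lists (`WATCHED_PARENTS`, `SUSPECT_CHILDREN`), the function name and the sample events are assumptions constructed for illustration, and the export is assumed to be wrapped in a single root element.

```python
import xml.etree.ElementTree as ET
from ntpath import basename  # parses Windows paths on any OS

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: parent binaries belonging to product families named in this rollup.
WATCHED_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe"}
# Assumption: children these parents rarely start in normal operation.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-12T09:14:03Z"/><Computer>SP01</Computer></System><EventData><Data Name="SubjectUserName">svc_sharepoint</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-12T09:15:40Z"/><Computer>SP01</Computer></System><EventData><Data Name="SubjectUserName">SYSTEM</Data><Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-12T09:16:00Z"/><Computer>SP01</Computer></System><EventData><Data Name="TargetUserName">svc_sharepoint</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2026-03-12T09:17:22Z"/><Computer>SP01</Computer></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data></EventData></Event>
</Events>"""


def suspicious_process_creations(xml_text):
    """Return 4688 events where a watched parent started a suspect child."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue  # only process-creation events
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        # ParentProcessName is absent from older 4688 records; treat as unknown.
        parent = basename(data.get("ParentProcessName", "")).lower()
        child = basename(data.get("NewProcessName", "")).lower()
        if parent in WATCHED_PARENTS and child in SUSPECT_CHILDREN:
            findings.append({
                "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                "host": ev.findtext("e:System/e:Computer", namespaces=NS),
                "user": data.get("SubjectUserName", ""),
                "parent": parent,
                "child": child,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_process_creations(SAMPLE_EVENTS):
        print(finding)
```

Process-creation auditing must be enabled for 4688 events to be recorded, and the watch lists should be tuned to the binaries actually patched in the environment.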
## References
- Microsoft Security Update Guide: hxxps[://]msrc[.]microsoft[.]com/update-guide/en-us
- March 2026 Release Notes: hxxps[://]msrc[.]microsoft[.]com/update-guide/releaseNote/2026-Mar
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-security-advisory-march-2026-monthly-rollup-av26-213