Experts say this is the second-largest Microsoft Patch Tuesday ever based on CVE count.
The post Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities appeared first on SecurityWeek.
Critical ColdFusion vulnerabilities are the most at risk of being exploited in attacks, according to the software giant.
The post Adobe Patches 55 Vulnerabilities Across 11 Products appeared first on SecurityWeek.
Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation. So far this month, Microsoft has provided patches to address 80 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Regular Patch Tuesday watchers will know that these vulnerability totals are significantly higher than usual, especially the browser numbers. Late last week, Microsoft published patches to resolve more than 60 browser vulnerabilities in a single day, which is a new record in that very specific category.
It might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing, but this is not the case. Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday. This reflects a significant industry-wide uptick in the volume of vulnerability reports over the past few weeks. A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.
When everything is changing rapidly, it can be tempting to look to familiar things for comfort. SharePoint admins should start by addressing CVE-2026-32201, an exploited-in-the-wild spoofing vulnerability. The advisory doesn’t offer much detail, but does mention CWE-20: Improper Input Validation and low impact to confidentiality and integrity, with no impact to availability. Of course, the greatest attacker impact is typically achieved by chaining together multiple vulnerabilities that by themselves might not seem so bad.
Ever-increasing novel AI capabilities in offensive cybersecurity now appear to provide real competition for all but the most elite human researchers; if it was ever valid to suppose that a vulnerability with a CVSS v3 base score of 6.5 was unlikely to cause much pain, it’s certainly not a safe defensive assumption in 2026. Patches are available for all supported versions of SharePoint, including SharePoint 2016, which moves beyond extended support on July 14, 2026.
Microsoft Defender receives a patch today for CVE-2026-33825, a local privilege escalation vulnerability for which Microsoft is aware of public disclosure. Successful exploitation leads to SYSTEM privileges, so this is certainly worth patching sooner rather than later. Microsoft points out that no action should be required to install this update, since the Microsoft Defender Antimalware Platform automatically updates by default. A further silver lining is that systems that have disabled Microsoft Defender are not in an exploitable state. Hopefully, any such system is running a suitable third-party replacement for Defender’s capabilities.
The Windows Internet Key Exchange (IKE) Services Extensions is the site of CVE-2026-33824, a critical unauthenticated remote code execution vulnerability. Exploitation requires an attacker to send specially crafted packets to a Windows machine with IKE v2 enabled, which could enable remote code execution. Vulnerabilities leading to unauthenticated RCE against modern Windows assets are relatively rare, or we’d see more wormable vulnerabilities self-propagating across the internet. However, since IKE provides secure tunnel negotiation services, for instance for VPNs, it is necessarily exposed to untrusted networks and reachable in a pre-authorization context. It’s hard to imagine this turning into a rampaging internet-wide worm, but there’s plenty of scope for initial access abuse, so this IKE vulnerability is still yikes.
The advisory does contain a section with potential mitigations for anyone unable to patch immediately, which center on least-privilege restriction of relevant UDP traffic. This same portion of the advisory also furnishes a helpful link to the definition of the word “mitigations” in the MSDN glossary. All versions of Windows back as far as Server 2016 and Windows 10 1607 LTSC receive patches.
The advisory credits both the WARP and MORSE (Microsoft Offensive Research & Security Engineering) teams at Microsoft. MORSE appears in Acknowledgements over the past few years, but today marks the first explicit mention of WARP in a Microsoft security advisory Acknowledgements section; we can speculate that WARP is an internal designator for the Microsoft Windows Enterprise Security Team.
In Microsoft lifecycle news, extended support ends April 14, 2026 for a wide range of Microsoft product legacy enterprise tools, including Dynamics C5 2016, Dynamics NAV 2016, App-V 5.0 and App-V 5.1, UE-V 2.1, and BitLocker Administration and Monitoring 2.5 SP1. Microsoft .NET 9 STS (Standard Term Support, as distinct from Long Term Support) was originally scheduled to move past the end of support in May 2026, but late last year, Microsoft granted a six-month extension, so that .NET 9 STS now reaches end of support on November 10, 2026.
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32171 | Azure Logic Apps Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32168 | Azure Monitor Agent Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32192 | Azure Monitor Agent Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32184 | Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32203 | .NET and Visual Studio Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26171 | .NET Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-32226 | .NET Framework Denial of Service Vulnerability | Exploitation Less Likely | No | 5.9 |
| CVE-2026-23666 | .NET Framework Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-32178 | .NET Spoofing Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-33116 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23653 | GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.7 |
| CVE-2026-32631 | GitHub: CVE-2026-32631 'git clone' from manipulated repositories can leak NTLM hashes | Exploitation Less Likely | No | 7.4 |
| CVE-2026-21637 | HackerOne: CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers | N/A | No | 7.5 |
| CVE-2026-26143 | Microsoft PowerShell Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32072 | Active Directory Spoofing Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-32181 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27924 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32154 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-27923 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32155 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32091 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26152 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26155 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-27914 | Microsoft Management Console Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25250 | MITRE: CVE-2026-25250 Secure Boot disable Eazy Fix | Exploitation Less Likely | No | 6.0 |
| CVE-2026-32081 | Package Catalog Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-26170 | PowerShell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26183 | Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26160 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26159 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26151 | Remote Desktop Spoofing Vulnerability | Exploitation More Likely | No | 7.1 |
| CVE-2026-32085 | Remote Procedure Call Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability | Exploitation More Likely | No | 6.7 |
| CVE-2026-32212 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32214 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32079 | Web Account Manager Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-33104 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability | Exploitation More Likely | No | 8.0 |
| CVE-2026-26178 | Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32073 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26168 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26173 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26177 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26182 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27922 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33099 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33100 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32088 | Windows Biometric Service Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.1 |
| CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability | Exploitation More Likely | No | 7.7 |
| CVE-2026-26175 | Windows Boot Manager Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 4.6 |
| CVE-2026-26176 | Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27926 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability | Exploitation More Likely | No | 8.4 |
| CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-32070 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-33098 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-26153 | Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32087 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32093 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-32086 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32150 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27931 | Windows GDI Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27930 | Windows GDI Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27906 | Windows Hello Security Feature Bypass Vulnerability | Exploitation More Likely | No | 4.4 |
| CVE-2026-26156 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32149 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-27910 | Windows Installer Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.8 |
| CVE-2026-27912 | Windows Kerberos Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26180 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26163 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32215 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32217 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32218 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-26169 | Windows Kernel Memory Information Disclosure Vulnerability | Exploitation More Likely | No | 6.1 |
| CVE-2026-32071 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-27929 | Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26162 | Windows OLE Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32084 | Windows Print Spooler Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-27927 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26184 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32069 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32074 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32078 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26167 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32158 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32159 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32160 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-26172 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 4.6 |
| CVE-2026-27909 | Windows Search Service Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26161 | Windows Sensor Data Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26174 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26154 | Windows Server Update Service (WSUS) Tampering Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-27918 | Windows Shell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32151 | Windows Shell Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-32225 | Windows Shell Security Feature Bypass Vulnerability | Exploitation More Likely | No | 8.8 |
| CVE-2026-32202 | Windows Shell Spoofing Vulnerability | Exploitation More Likely | No | 4.3 |
| CVE-2026-32082 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32083 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32068 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-32183 | Windows Snipping Tool Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33829 | Windows Snipping Tool Spoofing Vulnerability | Exploitation Unlikely | No | 4.3 |
| CVE-2026-32089 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32090 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32153 | Windows Speech Runtime Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.1 |
| CVE-2026-27908 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27921 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27915 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27919 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32075 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27916 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27920 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32077 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27925 | Windows UPnP Device Host Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-32156 | Windows UPnP Device Host Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.4 |
| CVE-2026-32165 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27911 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32163 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32164 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23670 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 5.7 |
| CVE-2026-27917 | Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-33103 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-26149 | Microsoft Power Apps Security Feature Bypass | Exploitation Less Likely | No | 9.0 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32188 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.1 |
| CVE-2026-32189 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32197 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32198 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32199 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-32200 | Microsoft PowerPoint Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-20945 | Microsoft SharePoint Server Spoofing Vulnerability | Exploitation Less Likely | No | 4.6 |
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | Exploitation Detected | No | 6.5 |
| CVE-2026-33822 | Microsoft Word Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.1 |
| CVE-2026-33095 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23657 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33114 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-33115 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-40386 | n/a | No | 4.0 | |
| CVE-2026-40385 | n/a | No | 4.0 | |
| CVE-2026-40393 | n/a | No | 8.1 | |
| CVE-2026-31416 | netfilter: nfnetlink_log: account for netlink header size | n/a | No | 8.1 |
| CVE-2026-31423 | net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() | n/a | No | 5.5 |
| CVE-2026-31424 | netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP | n/a | No | 5.5 |
| CVE-2026-31417 | net/x25: Fix overflow when accumulating packets | n/a | No | 8.1 |
| CVE-2026-31422 | net/sched: cls_flow: fix NULL pointer dereference on shared blocks | n/a | No | 5.5 |
| CVE-2026-31414 | netfilter: nf_conntrack_expect: use expect->helper | n/a | No | 8.1 |
| CVE-2026-31427 | netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp | n/a | No | 7.8 |
| CVE-2026-31426 | ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() | n/a | No | 5.5 |
| CVE-2026-31419 | net: bonding: fix use-after-free in bond_xmit_broadcast() | n/a | No | 7.1 |
| CVE-2026-31420 | bridge: mrp: reject zero test interval to avoid OOM panic | n/a | No | 5.5 |
| CVE-2026-31421 | net/sched: cls_fw: fix NULL pointer dereference on shared blocks | n/a | No | 5.5 |
| CVE-2026-31428 | netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD | n/a | No | 5.5 |
| CVE-2026-31418 | netfilter: ipset: drop logically empty buckets in mtype_del | n/a | No | 8.1 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-33120 | Microsoft SQL Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32167 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 6.7 |
| CVE-2026-32176 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 6.7 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32072 | Active Directory Spoofing Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2023-20585 | AMD: CVE-2023-20585 IOMMU Write Buffer Vulnerability | Exploitation Less Likely | No | 5.3 |
| CVE-2026-25184 | Applocker Filter Driver (applockerfltr.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32181 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27924 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32152 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-32154 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-27923 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32155 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33096 | HTTP.sys Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26181 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32219 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-32091 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26152 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26155 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-27914 | Microsoft Management Console Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25250 | MITRE: CVE-2026-25250 Secure Boot disable Eazy Fix | Exploitation Less Likely | No | 6.0 |
| CVE-2026-32081 | Package Catalog Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-26170 | PowerShell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26183 | Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26160 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26159 | Remote Desktop Licensing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26151 | Remote Desktop Spoofing Vulnerability | Exploitation More Likely | No | 7.1 |
| CVE-2026-32085 | Remote Procedure Call Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability | Exploitation More Likely | No | 6.7 |
| CVE-2026-32220 | UEFI Secure Boot Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 4.4 |
| CVE-2026-32212 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32214 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32079 | Web Account Manager Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-33104 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability | Exploitation More Likely | No | 8.0 |
| CVE-2026-32196 | Windows Admin Center Spoofing Vulnerability | Exploitation Less Likely | No | 6.1 |
| CVE-2026-26178 | Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32073 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26168 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26173 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26177 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26182 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27922 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33099 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-33100 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32088 | Windows Biometric Service Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.1 |
| CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability | Exploitation More Likely | No | 7.7 |
| CVE-2026-26175 | Windows Boot Manager Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 4.6 |
| CVE-2026-26176 | Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27926 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability | Exploitation More Likely | No | 8.4 |
| CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-32070 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-33098 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-26153 | Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32087 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32093 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-32086 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32150 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27931 | Windows GDI Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27930 | Windows GDI Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32221 | Windows Graphics Component Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-27906 | Windows Hello Security Feature Bypass Vulnerability | Exploitation More Likely | No | 4.4 |
| CVE-2026-27928 | Windows Hello Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 8.7 |
| CVE-2026-26156 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32149 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-27910 | Windows Installer Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.8 |
| CVE-2026-27912 | Windows Kerberos Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26179 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26180 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32195 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26163 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32215 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32217 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-32218 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-26169 | Windows Kernel Memory Information Disclosure Vulnerability | Exploitation More Likely | No | 6.1 |
| CVE-2026-32071 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-27929 | Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26162 | Windows OLE Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33101 | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32084 | Windows Print Spooler Information Disclosure Vulnerability | Exploitation Unlikely | No | 5.5 |
| CVE-2026-27927 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26184 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32069 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32074 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32078 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26167 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-32158 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32159 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32160 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-26172 | Windows Push Notifications Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 4.6 |
| CVE-2026-32216 | Windows Redirected Drive Buffering System Denial of Service Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-27909 | Windows Search Service Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26161 | Windows Sensor Data Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26174 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32224 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-26154 | Windows Server Update Service (WSUS) Tampering Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26165 | Windows Shell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-26166 | Windows Shell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27918 | Windows Shell Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32151 | Windows Shell Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-32225 | Windows Shell Security Feature Bypass Vulnerability | Exploitation More Likely | No | 8.8 |
| CVE-2026-32202 | Windows Shell Spoofing Vulnerability | Exploitation More Likely | No | 4.3 |
| CVE-2026-32082 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32083 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32068 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-32183 | Windows Snipping Tool Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33829 | Windows Snipping Tool Spoofing Vulnerability | Exploitation Unlikely | No | 4.3 |
| CVE-2026-32089 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32090 | Windows Speech Brokered Api Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32153 | Windows Speech Runtime Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27907 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32076 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.1 |
| CVE-2026-27908 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27921 | Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27915 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27919 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32075 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-27916 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27920 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-32077 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27925 | Windows UPnP Device Host Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-32156 | Windows UPnP Device Host Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.4 |
| CVE-2026-32223 | Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 6.8 |
| CVE-2026-32165 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-27911 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32163 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-32164 | Windows User Interface Core Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23670 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 5.7 |
| CVE-2026-32080 | Windows WalletService Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-27917 | Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-32222 | Windows Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | Exploitation Detected | No | 6.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.8 |
Microsoft addressed 165 vulnerabilities affecting its various products and underlying systems, including one actively exploited vulnerability in Microsoft Office SharePoint, in this month’s Patch Tuesday update.
“By my count, this is the second-largest monthly release in Microsoft’s history,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.
Microsoft didn’t explain why its monthly batch of patches grew so large this month, but Childs noted that many vulnerability programs are experiencing a significant increase in submissions found by artificial intelligence tools. “For us, our incoming rate has essentially tripled, making triage a challenge, to say the least,” he added.
The zero-day vulnerability — CVE-2026-32201 — has a CVSS rating of 6.5 and allows attackers to view sensitive information and make changes to disclosed information. Microsoft said the improper input validation defect in Microsoft Office SharePoint allows unauthenticated attackers to perform spoofing over a network.
The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog shortly after Microsoft’s disclosure.
Microsoft also addressed a high-severity vulnerability — CVE-2026-33825 — that was publicly known at the time of release. The vendor said the defect in Microsoft Defender is more likely to be exploited and could allow unauthorized attackers to elevate privileges locally.
“What starts as a foothold can quickly become full system domination,” Jack Bicer, director of vulnerability research at Action1, said in a blog post about the vulnerability.
“Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools and lateral movement across networks,” Bicer said.
Proof-of-concept exploit code for the defect is publicly available, which increases the likelihood of exploitation in the wild, he added.
Microsoft disclosed two critical vulnerabilities this month — CVE-2026-33824 affecting Windows IKE Extension and CVE-2026-26149 affecting Microsoft Power Apps — but designated both of the defects as less likely to be exploited.
More than three-quarters of the vulnerabilities disclosed this month are less likely to be exploited, according to Microsoft. Meanwhile, the company designated 19 vulnerabilities as more likely to be exploited.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft drops its second-largest monthly batch of defects on record appeared first on CyberScoop.
Microsoft is publishing 77 vulnerabilities this March 2026 Patch Tuesday. Microsoft is aware of public disclosure of two of today’s vulnerabilities, but without evidence of exploitation in the wild for any (yet), so there are no Microsoft additions to CISA KEV today. Earlier in the month, Microsoft provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above.
SQL Server often goes several months in a row without any mention on Patch Tuesday. Today, however, all versions from the latest and greatest SQL Server 2025 back as far as SQL Server 2016 SP3 receive patches for CVE-2026-21262, a SQL Server elevation of privilege vulnerability. This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required.
Microsoft is aware of public disclosure, so while they assess the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one. Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.
What could an attacker do as SQL Server sysadmin? Beyond exfiltrating or interfering with the database itself, the obvious target is xp_cmdshell, which allows direct callouts to the underlying OS. The good news is that xp_cmdshell is disabled by default as far back as SQL Server 2005; the bad news is that anyone acting as SQL Server sysadmin can enable it in seconds. At that point, the attacker is acting with the full privileges of the security context under which SQL Server runs, which is ideally a purpose-built account designed with least privilege in mind. If you want to hear some hair-raising stories, you have only to ask any incident response veteran if they’ve ever seen it set up differently.
Anyone paying for Extended Security Updates (ESU) for SQL Server 2014 or SQL Server 2012 may be forgiven for wondering why there’s no security update for those venerable versions of the world’s most widely deployed closed-source database product. We can hope that the vulnerability described by CVE-2026-21262 was introduced in newer codebases only.
Attackers fond of low-effort denial of service attacks against .NET applications will be checking out CVE-2026-26127 today. Microsoft is aware of public disclosure. While the immediate impact of exploitation is likely contained to denial of service by triggering a crash, opportunities for other types of attacks might emerge during a service reboot. Alternatively, if a log forwarder or security agent is impacted, even for a brief period of time, an attacker might carry out an attack in that moment hoping to evade detection under cover of this artificial darkness. Even if a low-skilled attacker simply causes downtime, in some contexts that could be enough to cause an SLA breach or loss of revenue, or at the very least cause a bleary-eyed defender to get paged in the middle of the night.
Microsoft Authenticator mobile app users on both iOS and Android should update to the latest version to prevent exploitation of CVE-2026-26123, which involves a malicious app disguising itself as Microsoft Authenticator. Exploitation succeeds when the malicious app receives enough information to impersonate the user.
Authenticator-type apps are often installed on a personal device, but it's not unusual for them to provide multi-factor authentication (MFA) codes for production services in a bring-your-own-device context. This is as good a time as any for defenders to consider how well their mobile device management policy covers app choice enforcement and patching for MFA apps.
The CVSS v3 base score of 5.5 might appear unremarkable, and exploitation requires user interaction, since the user must install the malicious app in the first place. However, exploitation could begin via an attacker-controlled link, or even a malicious QR code that drives users to the malicious app, and a motivated attacker with a physical presence near the user base might well consider this option.
According to Khaled Mohamed, the researcher who discovered this vulnerability, the legitimate Microsoft Authenticator app did not previously register itself as the handler for deep links into its own custom URL scheme. A malicious app could exploit this gap by simply registering itself as the default handler. He further notes that in this scenario, a user of a mobile device with a malicious app installed only needs to click a generic “Open link” dialog, rather than expressly selecting the malicious app each time. This means that the Microsoft advisory is perhaps too optimistic about how much user interaction is required to trigger exploitation.
Microsoft ranks this vulnerability as important on their proprietary severity scale. The advisory also provides a brief peek behind the curtain, since the executive summary notes that “Cwe is not in rca”. The weakness listed on the advisory is CWE-939: Improper Authorization in Handler for Custom URL Scheme.
There are no significant Microsoft product lifecycle changes this month, unless you are responsible for a Microsoft SQL Server 2012 Parallel Data Warehouse instance, which moves beyond extended support as of March 31st. It would be wise not to count on a last-minute extension, since Microsoft has already granted a six month reprieve.
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26123 | Microsoft Authenticator Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26117 | Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-23664 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23661 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23662 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26121 | Azure IOT Explorer Spoofing Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26141 | Hybrid Worker Extension (Arc‑enabled Windows VMs) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-23665 | Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26148 | Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.1 |
| CVE-2026-23660 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Exploitation Unlikely | Yes | 7.5 |
| CVE-2026-26131 | .NET Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26130 | ASP.NET Core Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-25177 | Active Directory Domain Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25190 | GDI Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25181 | GDI+ Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-25165 | Performance Counters for Windows Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-24282 | Push message Routing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25171 | Windows Authentication Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24292 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24295 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24296 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25189 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25174 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24297 | Windows Kerberos Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-24287 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24289 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Exploitation Less Likely | No | 6.8 |
| CVE-2026-25175 | Windows NTFS Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-24290 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23673 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25185 | Windows Shell Link Processing Spoofing Vulnerability | Exploitation Less Likely | No | 5.3 |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25188 | Windows Telephony Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.8 |
| CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-26112 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26107 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26108 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26109 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Unlikely | No | 8.4 |
| CVE-2026-26134 | Microsoft Office Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26114 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26106 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26105 | Microsoft SharePoint Server Spoofing Vulnerability | Exploitation Less Likely | No | 8.1 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26030 | GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable | Exploitation Unlikely | No | 9.9 |
| CVE-2026-23654 | GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability | Exploitation Unlikely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |
| CVE-2026-26115 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26116 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-20967 | System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-25177 | Active Directory Domain Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25190 | GDI Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25181 | GDI+ Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-25167 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.4 |
| CVE-2026-24283 | Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25165 | Performance Counters for Windows Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-24282 | Push message Routing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23656 | Windows App Installer Spoofing Vulnerability | Exploitation Unlikely | No | |
| CVE-2026-25171 | Windows Authentication Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24292 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24295 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24296 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25189 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25174 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-25170 | Windows Hyper-V Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24297 | Windows Kerberos Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-24287 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24289 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Exploitation Less Likely | No | 6.8 |
| CVE-2026-25175 | Windows NTFS Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-24290 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23673 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25185 | Windows Shell Link Processing Spoofing Vulnerability | Exploitation Less Likely | No | 5.3 |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25188 | Windows Telephony Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.8 |
| CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Exploitation Unlikely | Yes | 7.5 |
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |
Microsoft addressed 83 vulnerabilities that cut across its broad portfolio of enterprise software and underlying services in its latest security update. The company’s Patch Tuesday release contained no actively exploited zero-day vulnerabilities and six defects it described as more likely to be exploited.
The vendor’s batch of patches marks the first monthly update without an actively exploited zero-day in six months.
The “lack of bugs under active attack is a nice change from last month,” when Microsoft reported six actively exploited vulnerabilities, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post Tuesday.
Two vulnerabilities addressed this month — CVE-2026-21262 and CVE-2026-26127 — were listed as publicly known at the time of release. “These bugs are more bark than bite,” said Satnam Narang, senior staff research engineer at Tenable.
More than half of the defects in this month’s update can trigger escalated privileges, and six of those vulnerabilities — CVE-2026-23668, CVE-2026-24289, CVE-2026-24291, CVE-2026-24294, CVE-2026-25187 and CVE-2026-26132 — were rated as more likely to be exploited, Narang added.
An information-disclosure defect in Microsoft Excel — CVE-2026-26144 — showcases an attack scenario that’s likely to occur more often, according to Childs. “An attacker could use it to cause the Copilot Agent to exfiltrate data off the target,” essentially making it a zero-click operation, he wrote.
Researchers also focused on a pair of defects in Microsoft Office with CVSS ratings of 8.4 — CVE-2026-26110 and CVE-2026-26113 — that attackers can trigger to execute arbitrary code. The preview plane in Microsoft Office can serve as the attack vector for both vulnerabilities.
“Remote-code execution vulnerabilities in Office applications pose significant risks for organizations, as documents are widely shared via email, file shares, and collaboration platforms,” Mike Walters, president and co-founder of Action1, said in an email.
“If exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks,” he added. “Even a single malicious document could compromise an endpoint and give attackers a foothold inside the organization.”
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days appeared first on CyberScoop.
Microsoft is publishing 55 vulnerabilities this February 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for six of today’s vulnerabilities, and notes public disclosure for three of those. Earlier in the month, Microsoft provided patches to address three browser vulnerabilities, which are not included in the Patch Tuesday count above.
All three of the publicly disclosed zero-day vulnerabilities published today are security feature bypasses, and Microsoft acknowledges the same cast of reporters in each case.
CVE-2026-21510 describes a zero-day Windows Shell security feature bypass vulnerability which is already exploited in the wild. Not to be confused with PowerShell, most people will use the Windows Shell without ever learning its name or even really contemplating its existence. The Windows Shell is Microsoft’s term for the GUI interaction logic for the entire OS provided by explorer.exe and associated libraries and APIs.
CVE-2026-21510 provides an attacker with a way to dodge those pesky Smart Screen or other “are you sure?” prompts. The advisory sets out that “an attacker must convince a user to open a malicious link or shortcut file”. We could parse this wording more than one way, and while shortcut files with a .lnk extension are certainly a prime suspect here, it’s possible that .url files might also be a vector.
The venerable MSHTML/Trident web rendering engine is still present in Windows as a daily driver for Office and Explorer, many years after most people stopped using Internet Explorer. Accordingly, every so often Microsoft has to patch another zero-day vulnerability in the browser it can’t quite bring itself to rip out of its flagship operating system. Today’s example is CVE-2026-21513, a security feature bypass which starts with the attacker convincing a user to open a malicious HTML file or shortcut file.
If good things come in threes, then perhaps CVE-2026-21514 makes security bypass zero-day vulnerabilities a good thing. Exploitation involves bypassing Object Linking & Embedding (OLE) mitigations by convincing the user to open a malicious Word document. The advisory only lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise, without mentioning the standard Microsoft 365 suite.
It’s curious that Microsoft has evaluated the attack vector for CVE-2026-21514 as local, because MSRC typically assesses any vulnerability which boils down to “remote attacker tricks user into opening malicious payload” as a remote attack, based on the location of the attacker. However, the advisory specifically calls out that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” It’s not clear whether this is a deviation from prior practice by MSRC, an inadvertent mis-assessment, or an unusual-but-correct assessment of an attack vector that relies on details which Microsoft has not made public. Happily, the Preview Pane is not a vector, which raises the bar slightly for an attacker, since the user must explicitly open the malicious file or web page.
Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of the Web laundering scheme using flaws in old components.
For the second month in a row, the Windows Desktop Windows Manager (DWM) is the site of an exploited-in-the-wild zero-day vulnerability. Last month’s CVE-2026-20805 was an information disclosure vulnerability, effectively a treasure map for threat actors seeking the otherwise obfuscated in-memory address of the kernel-space DWM process. The publication of zero-day elevation of privilege (EoP) vulnerability CVE-2026-21519 today very likely reflects MSTIC and MSRC working to thwart the same threat actor in both cases. As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching.
Remote Desktop Services (RDP) are designed to allow a duly authorized remote user to interact with the server, but CVE-2026-21533 allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back as far as Server 2012 receives patches, so this one has been present for a while. It’s possible that today’s patches close off a long-running exploitation story for at least one threat actor.
Exploited in the wild, but perhaps of less concern is CVE-2026-21525, a local denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan). Somewhat unusually for a local vulnerability, the advisory sets out that no privileges are required at all, so even a guest account can exploit this one. You have disabled those guest accounts, right?
There are no significant Microsoft product lifecycle changes this month.
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-20841 | Windows Notepad App Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21512 | Azure DevOps Server Cross-Site Scripting Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-21529 | Azure HDInsight Spoofing Vulnerability | Exploitation Unlikely | No | 5.7 |
| CVE-2026-21528 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Unlikely | No | 6.5 |
| CVE-2026-21228 | Azure Local Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.1 |
| CVE-2026-21531 | Azure SDK for Python Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.8 |
| CVE-2026-21522 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 6.7 |
| CVE-2026-23655 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21218 | .NET Spoofing Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-21523 | GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-21518 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-21257 | GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-21256 | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-20846 | GDI+ Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-21253 | Mailslot File System Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-21527 | Microsoft Exchange Server Spoofing Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
| CVE-2026-21236 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21238 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-21234 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-21246 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21235 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21240 | Windows HTTP.sys Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21248 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21247 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21244 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21255 | Windows Hyper-V Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-21239 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21231 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-21222 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-21249 | Windows NTLM Spoofing Vulnerability | Exploitation Less Likely | No | 3.3 |
| CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability | Exploitation Detected | No | 6.2 |
| CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
| CVE-2026-21508 | Windows Storage Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-21242 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-21237 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21259 | Microsoft Excel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21258 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-21261 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-21260 | Microsoft Outlook Spoofing Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-21511 | Microsoft Outlook Spoofing Vulnerability | Exploitation More Likely | No | 7.5 |
| CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 7.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21516 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21527 | Microsoft Exchange Server Spoofing Vulnerability | Exploitation Less Likely | No | 6.5 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21229 | Power BI Remote Code Execution Vulnerability | Exploitation Unlikely | No | 8.0 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21537 | Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21251 | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-20846 | GDI+ Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-21253 | Mailslot File System Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
| CVE-2023-2804 | Red Hat, Inc. CVE-2023-2804: Heap Based Overflow libjpeg-turbo | Exploitation Less Likely | No | 6.5 |
| CVE-2026-21236 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21241 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-21238 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-21517 | Windows App for Mac Installer Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-21234 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-21246 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21235 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21250 | Windows HTTP.sys Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-21240 | Windows HTTP.sys Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21232 | Windows HTTP.sys Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21248 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21247 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21244 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.3 |
| CVE-2026-21255 | Windows Hyper-V Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-21245 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21239 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-21231 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-21222 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-21243 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-21249 | Windows NTLM Spoofing Vulnerability | Exploitation Less Likely | No | 3.3 |
| CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability | Exploitation Detected | No | 6.2 |
| CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
| CVE-2026-21508 | Windows Storage Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-21242 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-21237 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 7.8 |
| CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
| CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability | Exploitation Detected | No | 6.2 |
| CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Exploitation Detected | No | 7.8 |
| CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | Exploitation Detected | Yes | 8.8 |
CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
|---|---|---|---|---|
| CVE-2026-21531 | Azure SDK for Python Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.8 |
Microsoft’s latest security update is littered with zero-day vulnerabilities, actively exploited defects that account for more than 10% of the total CVEs the vendor addressed in this month’s Patch Tuesday update.
The vendor addressed 59 vulnerabilities affecting its various products for business operations and underlying systems, including six defects that were actively exploited prior to Microsoft’s release of its monthly batch of patches. Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.
“The number of bugs under active attack is extraordinarily high,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post.
Microsoft’s February security update matched the high it reached last March when it disclosed six actively exploited zero-days.
The highest rated zero-days, a pair of defects with CVSS ratings of 8.8, include CVE-2026-21510 affecting Windows Shell 8.8 and CVE-2026-21513 affecting Internet Explorer. Both vulnerabilities require user interaction and could allow attackers to execute code.
Mike Walters, president and co-founder of Action1, said CVE-2026-21510 is caused by a protection mechanism failure that allows an attacker to bypass Windows protections by tricking a user to click on a single malicious link.
“Functional exploit techniques exist, demonstrating reliable bypass of Windows Shell and SmartScreen security prompts through crafted links or shortcut files. No privileges are required by the attacker, making this vulnerability highly attractive for phishing-based attacks,” Walters said in a blog post.
The remaining zero-days include three defects with CVSS ratings of 7.8: CVE-2026-21514 affecting Microsoft Office Word, CVE-2026-21519 affecting Desktop Window Manager, and CVE-2026-21533 affecting Windows Remote Desktop. CVE-2026-21525, which affects Windows Remote Access Connection Manager, has a CVSS rating of 6.2.
The Cybersecurity and Infrastructure Security Agency added all six of the zero-days to its known exploited vulnerabilities catalog Tuesday.
Three of the vulnerabilities — CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514 — bear strong similarities as security feature bypasses, Satnam Narang, senior staff research engineer at Tenable, said in an email.
These security features protect users from opening malicious files, he said. “Users have grown accustomed to receiving these alerts, so when vulnerabilities can bypass those protection mechanisms, users are more at risk of compromise.”
Microsoft disclosed two critical vulnerabilities with CVSS ratings of 9.8 this month, including CVE-2026-21531 affecting Azure SDK and CVE-2026-24300 affecting Azure Front Door.
The vast majority of defects Microsoft addressed this month fell into the high-severity category, accounting for 43 vulnerabilities total. The vendor described five of those vulnerabilities as more likely to be exploited.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities appeared first on CyberScoop.
If you received an email with the subject “I LOVE YOU” and an attachment called “LOVE-LETTER-FOR-YOU.TXT”, would you open it? Probably not, but back in the year 2000, plenty of people did exactly that. The internet learned a hard lesson about the disproportionate power available to a university dropout with some VBScript skills, and millions of ordinary people suffered the anguish of deleted family photos or even reputational damage as the worm propagated itself across their entire Outlook address book.
In the quarter century since ILOVEYOU rampaged across global networks, cybersecurity has moved from a niche topic to an “everyone” problem, and many users are wary of all sorts of threats. In recent years, the increasing ubiquity and urgency of AI adoption across the business landscape has attracted the attention of both security researchers and threat actors.
Of course, recency bias and shiny object fixation are real. Even as AI and automation continue to drive down time to known exploitation (TTKE), an attacker who abuses a traditional exploit chain to achieve SYSTEM privileges on a sensitive server still has the keys to the kingdom.
Wormable remote code execution (RCE) vulnerabilities remain rare, but well over half of the 25 exploited-in-the-wild zero-day vulnerabilities published by Microsoft during 2025 provided attackers with elevation of privilege opportunities on Windows assets. Some of those flaws are older than the iPhone, let alone ChatGPT.
Microsoft's decades-long commitment to backwards compatibility creates a conveyor belt supply of déjà vu vulnerabilities. Ultimately, the most pressing threats faced by defenders managing Microsoft estates remain essentially unchanged. Rather than a new wave of AI-related flaws, the chief danger stems from the towering tech debt within core Windows components.
If we really want to know which Microsoft vulnerabilities will provide the most value to attackers in 2026, we should ask a threat actor. Since that might prove difficult to arrange, we’ll do the next best thing: review vulnerabilities exploited in the wild during 2025.
⠀
The vast Microsoft ecosystem has something for everyone, whether customer or threat actor. Patch Tuesday January 2025 brought us a trio of exploited-in-the-wild Hyper-V kernel vulnerabilities. By September 2025, at least one plausible public proof-of-concept (PoC) for CVE-2025-21333 was published by a vulnerability researcher who apparently shares a name with a Kazakhstani Olympic gymnast. The only safe assumption is that a well-resourced threat actor could develop a private exploit far in advance of that.
Starting from a child VM or Windows Sandbox, exploitation first requires setting out a banquet of benign requests for the hypervisor, delivered via the Hyper-V Virtualization Service Provider (VSP). The goal: mass-allocating objects to arrange large swathes of hypervisor memory in a predictable pattern (aka “heap feng shui”). Next, the attacker sends a malicious request with an oversized buffer, which an unpatched VSP merrily copies into kernel memory, overwriting the header of the adjacent object, whose relative position is now easily surmised. Once the kernel subsequently references the artfully corrupted sibling object, execution as SYSTEM jumps to a portion of memory where the attacker has planted shellcode to exfiltrate a token. The compromised hypervisor could be anything from a developer laptop running a malicious container all the way up to enterprise private cloud infrastructure.
So far, January 2025 is the only time that Microsoft has ever published vulnerabilities in the Hyper-V VSP. Generally speaking, a significant degree of sophistication is required to develop successful exploits of this nature. This goes double if the name of the game is stealth and stability, since a wave of unexplained BSOD events on critical production infrastructure tends to attract blue team attention. Still, once a viable proof of concept hits the public internet, ransomware crews will fold it into their toolkits, and someone, somewhere, is either sitting on an unknown Hyper-V VSP exploit, or hard at work creating the next one.
It’s hard to imagine a modern computer without storage or networking capabilities. In fact, it’s hard to imagine a computer from several decades ago without storage or networking. Microsoft is now middle-aged, and that means that buried deep within your shiny new PC are a variety of architectural decisions and logic paths born in the 1980s. If this sounds far-fetched, take a minute to find yourself a fully-patched Windows 11 25H2 machine, and then try to rename any file or directory CON, NUL or PRN. I’ll wait.
Generally speaking, user-mode applications are prevented from wreaking havoc on the kernel through a careful separation of concerns. On Windows, when a user mode application wants to communicate over the network, it talks to WinSock, which in turn talks to the ancillary function driver (AFD), which sits on the kernel side, and coordinates with the kernel network drivers which handle the actual traffic. The AFD is a security boundary between user space and kernel space, and it must be universally accessible to local processes, because even a browser tab in a sandbox needs to make network calls. Any defect in the way AFD parses input from user space can thus provide a way to influence the kernel in unexpected ways. A number of advanced exploit development courses, including offerings from SANS and OffSec, cover AFD in detail.
⠀
⠀
Patch Tuesday February 2025 brought us CVE-2025-21418, which Microsoft credited to Anonymous. We don’t know whether the unnamed tipster provided evidence of exploitation in the wild, or whether Microsoft threat hunters subsequently tracked down their own trail of suspicious bread crumbs, but notorious threat actors such as North Korea’s Lazarus are known to be enthusiastic students of AFD exploits. With several high-profile zero-day vulnerabilities emerging from AFD from late 2024 onwards, it tracks that Microsoft subsequently published and patched a cluster of AFD vulnerabilities in the latter half of 2025.
Any defenders who had enjoyed a quieter start to the year were rudely awakened by Patch Tuesday March 2025, when six exploited-in-the-wild vulnerabilities all dropped at once. Exploitation of most of the zero-day vulnerabilities published in March starts with the user mounting a malicious Virtual Hard Disk (VHD) image or plugging in a malicious USB stick so that the attacker can exploit a weakness in a filesystem driver, including NTFS and FastFAT.
Remember that information security training which asked you to imagine finding a USB stick with an “IMPORTANT (CONFIDENTIAL)” label on the floor outside the office? The one which asked if you would A) plug the mystery stick into your work PC B) use your boss’ personal laptop in case the files are business critical C) try it in all the PCs in the office until someone asks you to stop or D) report it immediately to the security officer? This is why.
Meanwhile, the true villain of the month was almost certainly CVE-2025-24983, a no-user-interaction-required elevation of privilege vulnerability in the Win32 kernel subsystem. At the time, we pondered why Windows 11 and Server 2019 onwards didn’t receive patches for what looks like a fairly severe vulnerability, but since Microsoft is gradually reimplementing portions of the kernel in memory-safe Rust, we can hope that the vulnerability simply doesn’t exist in modern Windows.
If anyone ever corners you at a party and talks at length about the Ancillary Function Driver as a bounteous source of elevation of privilege vulnerabilities, you will probably have to concede that they are technically correct. While your options include “doing a lap” and then climbing out of the bathroom window, the power move here is to hold your ground, and point to the Common Log File System driver as a far richer vein of exploitable goodness.
As of Patch Tuesday April 2025, CLFS boasts almost twice the number of total vulnerabilities over the past five years vs. AFD, and more than double the number of known-exploited zero-day vulnerabilities. It really is the gift which keeps on giving.
⠀
⠀
It makes sense that something like the Ancillary Function Driver lives in kernel space. After all, something has to sit inside the perimeter to marshall all those network requests from dozens of Chrome tabs. What about the Common Log File System driver though?
It would be tempting to imagine that anything which simply handles log files shouldn’t need direct kernel access at all. When exploring this concept, it’s useful to understand that not only was CLFS designed a long time ago, when high performance in user mode was harder to achieve than it is today, but also that CLFS is much more than simply a means to interact with log files. CLFS is the home of still-essential building blocks like Transactional NTFS (TxF), first introduced almost 25 years ago in Windows Vista, which provides a means for applications to guarantee the integrity of data on disk.
For the past several years, Microsoft has strongly recommended that developers avoid the use of TxF, and while Microsoft is gradually providing modern alternatives to TxF functionality, essential Windows functions such as Windows Update still rely on it to manage critical file integrity. Moreover, CLFS is more than just TxF, and is so tightly integrated into Windows that it’s here to stay for the foreseeable future.
A few days after Patch Tuesday May 2025, Satya Nadella took to the stage at Microsoft Build 2025 to pitch his vision of the open agentic web, although exactly who this version of the future would be open to remains an open question, like: What if a cloud email service was vulnerable to a zero-click prompt injection attack, but could also now buy things with your credit card?
While critical reception for the open agentic web has been mixed, threat actors will be glad of the new attack surface. Meanwhile, defenders worried about in-the-wild exploitation were hard at work patching some more frequent fliers, including another pair of CLFS vulnerabilities and an MSHTML/Trident arbitrary code execution bug. That last one will be familiar to regular Patch Tuesday watchers, but it might come as a surprise to anyone who thought Internet Explorer had gone to live on a nice farm upstate years ago.
The Ancillary Function Driver made another appearance, although it couldn’t quite summon the same main character energy this time around. The May 2025 episode of “AFD vulns exploited in the wild” offered elevation to Administrator, rather than SYSTEM, and a lower exploit code maturity rating. We can always be grateful for small mercies.
[1]: With apologies to Emily Brontë.
Windows archeologists and internet users of a certain age may remember WebDAV, a standard originally dreamed up to support interactivity on the web. It was employed by versions of Microsoft Exchange up to and including 2010 to handle interactions with mailboxes and public folders.
Surprising no-one, Windows still more or less supports WebDAV, and it was only a matter of time before that turned out to be a bit of a problem, in the form of CVE-2025-33053 published as part of Patch Tuesday June 2025. Microsoft acknowledged Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation to an APT (Advanced Persistent Threat), which they track as the objectively cool-sounding Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and beyond.
June 2025 also saw the publication of CVE-2025-32711, a critical information disclosure vulnerability in Microsoft 365 Copilot. Microsoft is not aware of exploitation in the wild. The researchers named it EchoLeak, describing it as “the first real-world zero-click prompt injection exploit in a production LLM system,” although other researchers arguably got there first.
EchoLeak relies on hidden white-text-on-white-background instructions in an email, which are then ingested into the LLM via RAG (Retrieval-Augmented Generation) when the user asks an entirely pedestrian question (e.g. “Summarize my emails from the past two days”) which requires Copilot to scan the inbox. The malicious instructions have two parts: First, dig up some juicy info, and then retrieve an image from an attacker-controlled server with the sensitive data exfiltrated as a URL parameter.
EchoLeak circumvented Copilot’s Content Security Policy by making the request via a trusted Microsoft service: a now-patched Teams image preview proxy. History suggests that attackers will find other ways out of the walled garden. The Microsoft advisory makes a virtue of minimalism by providing almost no information about the nature of the vulnerability, although Microsoft is surely to be commended for assigning CVEs for cloud service vulnerabilities.
When Patch Tuesday July 2025 came and went without a single exploited-in-the-wild vulnerability published, many people may have breathed a sigh of relief. Possibly this was a valid move, at least for anyone not responsible for a SharePoint instance.
SharePoint defenders will remember July as the month of ToolShell, an actively-exploited vulnerability chain in SharePoint which Microsoft published out of band ten days after Patch Tuesday. Out of band patches for Microsoft flagship products are rare, since they inevitably cause downstream disruption. Once MSTIC publicly attributes exploitation to two Chinese nation-state actors, that line has been crossed.
The vulnerability described by the out-of-band CVE-2025-53770 turned out to be a bypass for the patch introduced by CVE-2025-49704 earlier in the month, which was itself a response to a successful Pwn2Own Berlin entry from May.
Microsoft was not aware of exploitation in the wild for any of the vulnerabilities published as part of Patch Tuesday August 2025. SharePoint admins may have been dealing with the fallout from last month’s ToolShell and bracing for a possible repeat, but August might otherwise have made for an eerily quiet month. Still, the Windows implementation of Kerberos managed to cough up a publicly-disclosed elevate-to-domain-admin vulnerability.
Separately, we learned that simply saving a JPEG could be enough to hand an attacker RCE capabilities, because the internet never sleeps. If the vulnerable codepath had been within JPEG decoding, rather than encoding, this one could have been the biggest vuln of the year.
Patch Tuesday September 2025 was the second month in a row with no known-exploited vulnerabilities, but vuln spotters will appreciate that this month saw the publication of a fairly rare beast: a Microsoft vulnerability with a perfect(?) CVSS v3 base score of 10.0, albeit a cloud service vulnerability discovered by Microsoft and patched prior to publication. No customer action required, but also no customer verification possible, and since the impacted cloud service was Azure Networking, the blast radius could have been stupendous.
These days, there are plenty of seasoned IT professionals who don’t even know what a dialup modem negotiation song sounds like, simply because broadband has been around for that long. For younger readers, “broadband” is what we used to call “internet fast enough that you don’t have to wait to download a single email attachment”.
By this point, we all know where this is going: Windows still ships with modem capabilities well beyond their sell-by date, and someone found a good old elevation of privilege vulnerability. The vulnerable fax modem driver was developed almost 30 years ago by a long-defunct third party, and Microsoft has now taken uncharacteristically bold action by removing it from Windows altogether, perhaps recognizing that traditional landlines are no longer available at all in many places. Are there other fax modem drivers still lurking in Windows? You betcha.
Patch Tuesday October 2025 also marked the end of Windows 10, unless you count the cash-for-patches Extended Security Updates (ESU) program.
Patch Tuesday November 2025 included an exploited-in-the-wild vulnerability in the Windows kernel itself. While the advisory was light with details, exploitation of CVE-2025-62215 led to elevation to SYSTEM, presumably via a complex bit of memory management three card monte. Those kernel Rust rewrites can’t come soon enough.
After a year filled with variations of the same old exploitable vulns, it might almost be refreshing to consider the altogether more modern-sounding exploited-in-the-wild vulnerability published on Patch Tuesday December 2025. CVE-2025-62221 describes an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
On Windows, a file or directory can contain a reparse point, a collection of user-controlled metadata designed to be interpreted by a file filter driver. An example would be a file which appears present in a local folder, but where the actual contents of the file are stored remotely on OneDrive. The user double-clicks on the file, the file filter driver intercepts the request, reads the metadata, and calls out to OneDrive, while the user gets the experience of opening the file as though it had been stored locally. Of course, the file filter driver needs kernel access to perform its duties. Find an exploitable flaw in the way a file filter driver parses the metadata, and you can trick it into doing things like overwriting protected system files.
As Rapid7 has observed repeatedly, time to known exploitation for widely-exploited vulnerabilities has been shrinking year-on-year. By 2022, the time to exploitation after public disclosure for some of the most notable security vulnerabilities was as low as 24 hours. With exploit development now widely augmented by automation and AI, there is every reason to suppose that the window will continue to shrink further.
A wormable unauthenticated RCE vulnerability remains the scariest scenario, but mercifully these are historically rare. The one-two combo of minimally-privileged initial access and local privilege escalation presents a much more clear and present danger in most modern threat models. Sure, you could parachute in from a helicopter, abseil down from the roof, and crawl through an air vent to steal the diamond, but why bother when you could simply tailgate a delivery driver, and then distract a maintenance worker while you swipe their all-access keycard?
In 2026, Microsoft will regularly publish AI-related vulnerabilities, and AI-wielding threat actors will hammer Microsoft’s cloud services. Blue teams managing significant Windows estates will still spend more time worrying about on-prem vulnerabilities where the root cause is a classic software engineering snafu.
Arguably the biggest takeaway from 2025 is that the more things change, the more they stay the same. The scariest Microsoft vulnerabilities tend to emerge from the same few familiar places: core Windows components with codebases older than many of the humans who rely on them.
Microsoft’s wildly successful business model is founded on a decades-long insistence on ironclad backwards compatibility. Why? Enterprise customers with deep pockets and deeper catalogues of ancient business applications. These retro capabilities come at a high price: a supervolcano of tech debt potentially unmatched in all of human history, and a seemingly endless supply of sort-of-new but depressingly familiar vulnerabilities.
For anyone responsible for defending a significant Microsoft footprint in 2026, tomorrow’s biggest problem remains today’s secrets exposed by yesterday’s software design choices.
Microsoft’s first security update of 2026 addressed 112 vulnerabilities affecting its products and underlying systems, including one actively exploited zero-day in Desktop Window Manager.
The company’s latest Patch Tuesday update marks the second consecutive month with no critical vulnerabilities disclosed. The batch of patches also contains more than 110 CVEs for the second January in a row.
The zero-day vulnerability — CVE-2026-20805 — is an information disclosure defect with a CVSS rating of 5.5 that can be exploited by an unauthorized attacker to expose sensitive information. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Tuesday.
Information disclosure vulnerabilities are sporadically exploited in the wild, but not often, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This shows how memory leaks can be as important as code execution bugs since they make the remote code executions reliable,” he wrote in a blog post.
Jack Bicer, director of vulnerability research at Action1, concurred, added that the memory exposed by exploitation of CVE-2026-20805 can undermine defenses and bolster additional exploits.
“This vulnerability increases the risk of successful multi-stage attacks,” Bicer said in an email. “Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or data theft, potentially leading to broader system compromise, regulatory exposure and loss of trust.”
Microsoft did not say how many attacks are linked to the zero-day. Yet, exploitation requires an attacker to have local access on the targeted system, Satnam Narang, senior staff research engineer at Tenable, said in an email.
“While Desktop Window Manager is a frequent flyer on Patch Tuesday with 20 CVEs patched in this library since 2022, this is the first time we’ve seen an information disclosure bug in this component exploited in the wild,” he added. “Attackers have historically used it to climb the ladder of privileges.”
The most severe defects disclosed by Microsoft this month include CVE-2026-20947 and CVE-2026-20963 affecting Microsoft Office SharePoint, CVE-2026-20868 affecting Windows Routing and Remote Access Service, CVE-2026-20952 and CVE-2026-20955 affecting Microsoft Office, and CVE-2026-20944 affecting Microsoft Office Word.
Microsoft also flagged eight vulnerabilities, each with a CVSS rating of 7.8, as more likely to be exploited this month.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day appeared first on CyberScoop.
Microsoft addressed 57 vulnerabilities affecting its various products for business operations and core systems, including one actively exploited zero-day, the company said in its latest monthly security update.
The zero-day vulnerability — CVE-2025-62221 — affects the Windows Cloud Files Mini Filter Driver and has a CVSS rating of 7.8. Attackers could exploit the use-after-free defect to gain system privileges, Microsoft said.
“These types of bugs are often combined with a code execution bug to take over a system,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post, adding that the vulnerability appears to affect every supported version of Windows.
The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Tuesday.
Microsoft’s final Patch Tuesday release of the year brings the total number of vulnerabilities patched by the vendor in 2025 to 1,139 CVEs, according to Childs. “This makes 2025 the second-largest year in volume, trailing 2020 by a mere 11 CVEs. As Microsoft’s portfolio continues to increase and as AI bugs become more prevalent, this number is likely to go higher in 2026,” he said.
Microsoft disclosed no critical vulnerabilities this month. The most severe defects it disclosed include five high-severity vulnerabilities — CVE-2025-62456 and CVE-2025-64678 affecting the Windows Resilient File System, CVE-2025-62549 affecting the Windows Routing and Remote Access Service, CVE-2025-62550 affecting the Azure Monitor Agent, CVE-2025-64672 affecting Microsoft Office SharePoint — each with CVSS ratings of 8.8.
Microsoft flagged six vulnerabilities as more likely to be exploited this month, including the zero-day, CVE-2025-59516 and CVE-2025-59517 affecting the Windows Storage VSP Driver, CVE-2025-62458 affecting Windows Win32K, CVE-2025-62470 affecting the Windows Common Log File System Driver and CVE-2025-62472 affecting the Windows Remote Access Connection Manager.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft’s last Patch Tuesday of 2025 addresses 57 defects, including one zero-day appeared first on CyberScoop.
Microsoft addressed 63 vulnerabilities affecting its underlying systems and core products, including one actively exploited zero-day, the company said in its latest monthly security update.
The zero-day vulnerability — CVE-2025-62215 — affects the Windows Kernel and has a CVSS rating of 7.0 due to a high attack complexity, according to Microsoft. Exploitation, which could allow an attacker to gain system privileges, requires an attacker to win a race condition, the company said. Microsoft did not provide any further details about the scope of exploitation.
The race condition is notable because it indicates some race conditions are more reliable than others, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post. Race conditions in vulnerabilities, which involve multiple simultaneous processes designed to trigger errors, often impede exploitation.
“Bugs like these are often paired with a code execution bug by malware to completely take over a system,” Childs added.
Mike Walters, president and co-founder at Action1, said a functional exploit for CVE-2025-62215 exists, but no public proof-of-concept has been released. “Exploitation is complex, but a functional exploit seen in the wild raises urgency, since skilled actors can reliably weaponize this in targeted campaigns,” he said in an email.
An attacker with low-privilege local access can trigger the race condition by running a specially crafted application, according to Ben McCarthy, lead cyber security engineer at Immersive. “The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel’s memory management and causing it to free the same memory block twice,” he said in an email.
The most severe defect disclosed this month — CVE-2025-60724 — is a remote-code execution vulnerability affecting Microsoft Graphics Component with a CVSS rating of 9.8, but Microsoft designated the flaw as less likely to be exploited.
Microsoft flagged five defects as more likely to be exploited this month, including three vulnerabilities — CVE-2025-60719, CVE-2025-62213 and CVE-2025-62217 — affecting Windows Ancillary Function Driver for WinSock with CVSS ratings of 7.0.
The kernel-mode driver is fundamental to Windows, making defects in the component inherently high-risk, according to McCarthy.
“Due to it being so intertwined with network-related functionality of Windows, it has the potential to be a way in for many applications in the Windows ecosystem. There have been many vulnerabilities in the past that have been weaponized in this kernel-mode driver,” he added.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
The post Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day appeared first on CyberScoop.
Login