On March 11, NSFOCUS CERT reported the release of Microsoft’s March Security Update, which addresses a total of 83 security vulnerabilities across a range of widely utilized products, including Windows, Microsoft Office, Microsoft SQL Server, and Azure. This update is particularly significant as it encompasses eight critical vulnerabilities and 75 important ones, some of which pose high risks such as privilege escalation and remote code execution. Users are strongly encouraged to apply the patch promptly to ensure their systems remain secure. A comprehensive list of the vulnerabilities can be found in the appendix.
Key Vulnerabilities
This month’s update highlights several vulnerabilities that warrant particular attention due to their potential impact:
- Microsoft Office Remote Code Execution Vulnerability (CVE-2026-26110): This vulnerability arises from type confusion issues within Microsoft Office, allowing an unauthenticated attacker to execute arbitrary code via the user preview pane. The CVSS score for this vulnerability is 8.4.
- Microsoft Office Remote Code Execution Vulnerability (CVE-2026-26113): Similar to the previous vulnerability, this one involves untrusted pointer dereference problems, enabling an attacker to execute arbitrary code by sending a malicious file to the user. This vulnerability also carries a CVSS score of 8.4.
- Microsoft Excel Information Disclosure Vulnerability (CVE-2026-26144): This vulnerability allows unauthenticated attackers to obtain sensitive information through cross-site scripting attacks due to improper data processing in Microsoft Excel. The CVSS score is 7.5.
- Windows Print Spooler Remote Code Execution Vulnerability (CVE-2026-23669): An authenticated attacker can exploit this vulnerability to execute arbitrary code over the network, with a CVSS score of 8.8.
- Windows SMB Server Privilege Escalation Vulnerability (CVE-2026-24294): This vulnerability allows an authenticated local attacker to elevate privileges to SYSTEM due to improper authentication issues. The CVSS score is 7.8.
- Windows Graphics Component Privilege Escalation Vulnerability (CVE-2026-23668): This vulnerability permits an authenticated attacker to elevate privileges to SYSTEM through a flawed synchronization mechanism. The CVSS score is 7.0.
Scope of Impact
The following table outlines the affected product versions for some of the key vulnerabilities. For additional details on other vulnerabilities, please refer to the official announcement link.
| Vulnerability Number | Affected Product Versions |
|---|---|
| CVE-2026-26110 | Microsoft Office for Android, Microsoft Office 2016 (64-bit and 32-bit editions), Microsoft Office LTSC for Mac 2024, Microsoft 365 Apps for Enterprise (64-bit and 32-bit), Microsoft Office 2019 (64-bit and 32-bit editions) |
| CVE-2026-26113 | Microsoft Office 2016 (64-bit and 32-bit editions), Microsoft Office LTSC for Mac 2024, Microsoft 365 Apps for Enterprise (64-bit and 32-bit), Microsoft SharePoint Server 2019 |
| CVE-2026-26144 | Microsoft 365 Apps for Enterprise (64-bit and 32-bit) |
| CVE-2026-23669, CVE-2026-24294 | Windows Server 2012 R2, Windows Server 2016, Windows 10 Version 1607, Windows 11 Version 24H2 |
| CVE-2026-23668 | Windows Server 2012 R2, Windows Server 2016, Windows 10 Version 1607, Windows 11 Version 23H2 |
Mitigation
Microsoft has released security patches for the affected product versions. It is highly recommended that users install these patches promptly to safeguard their systems. The official download link can be found here. Users should be aware that patch updates may occasionally fail due to network or environmental issues. After installation, it is advisable to verify the successful application of the patch by navigating to “Settings,” selecting “Update and Security,” and reviewing the update history.
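The update-history check described above can be scripted so that failed installs are flagged rather than read off the Settings page. This is an added example, not part of the NSFOCUS advisory; the 30-day window is an assumption and `KB0000000` is a placeholder, because the advisory lists no KB numbers.

```powershell
# Added example (not from the advisory): read the same update history that
# Settings displays and flag installations that did not succeed.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),   # assumption: review window
    [string[]]$ExpectedKb = @('KB0000000')        # placeholder: take real KB IDs from Microsoft's advisory
)

# Names for the Windows Update Agent OperationResultCode values
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

$history = @()
if ($total -gt 0) {
    $history = @($searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.Date -ge $Since } |   # 1 = installation
        ForEach-Object {
            [pscustomobject]@{
                Date    = $_.Date
                Result  = $resultNames[[int]$_.ResultCode]
                HResult = '0x{0:X8}' -f [int]$_.HResult
                Title   = $_.Title
            }
        })
}

$history | Sort-Object Date -Descending | Format-Table -AutoSize -Wrap

$failed = @($history | Where-Object { $_.Result -ne 'Succeeded' })
if ($failed.Count) { Write-Warning "$($failed.Count) installation(s) in the window did not succeed." }

# Cross-check each expected KB against the history and the installed-hotfix list
foreach ($kb in $ExpectedKb) {
    $inHistory = $history | Where-Object { $_.Title -match [regex]::Escape($kb) -and $_.Result -eq 'Succeeded' }
    $hotfix    = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    '{0}: succeeded in history = {1}, reported by Get-HotFix = {2}' -f $kb, [bool]$inHistory, [bool]$hotfix
}
```

Click-to-Run installations of Microsoft 365 Apps update through their own channel and are not listed in this history, so confirm the Office build number separately.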
Appendix: Vulnerability List
| Affected Products | CVE No. | Vulnerability Title | Severity |
|---|---|---|---|
| Microsoft Office | CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Azure | CVE-2026-23651 | Microsoft ACI Confidential Containers Privilege Escalation Vulnerability | Critical |
| Device | CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | Critical |
| Azure | CVE-2026-26124 | Microsoft ACI Confidential Containers Privilege Escalation Vulnerability | Critical |
| Other | CVE-2026-26125 | Payment Orchestrator Service Privilege Escalation Vulnerability | Critical |
| Azure | CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Critical |
| Microsoft Office | CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Critical |
Statement
This advisory serves to outline potential risks associated with the vulnerabilities discussed. NSFOCUS does not assume any liability for direct or indirect consequences resulting from the use of this advisory. All rights to modify and interpret this advisory are reserved by NSFOCUS. Reproduction or distribution of this advisory should include this statement without alteration.
About NSFOCUS
NSFOCUS is a leading entity in cybersecurity, committed to protecting telecommunications, internet service providers, hosting providers, and enterprises from sophisticated cyber threats. Established in 2000, NSFOCUS operates globally with over 4,000 employees and maintains a strong presence in both Beijing, China, and Santa Clara, CA, USA. The company has successfully safeguarded over 25% of Fortune Global 500 companies, including major banks and telecommunications firms. With a focus on innovation, NSFOCUS offers a comprehensive array of security solutions, including the Intelligent Security Operations Platform (ISOP), DDoS Protection, and Web Application and API Protection (WAAP), all enhanced by cutting-edge research and technology.