Microsoft's March 2026 Patch Tuesday release addresses 79 security vulnerabilities across Windows, Office, Exchange Server, Azure, and other products. Most critically, two of these vulnerabilities are confirmed to be actively exploited in the wild as zero-days, making immediate patching essential for all organizations.
Severity Breakdown
- Critical: 11 vulnerabilities
- Important: 62 vulnerabilities
- Moderate: 6 vulnerabilities
The 79 patches address a range of vulnerability types including remote code execution (RCE), privilege escalation, information disclosure, denial of service, and security feature bypass.
Actively Exploited Zero-Days
CVE-2026-21407: Windows Kernel Elevation of Privilege
A privilege escalation vulnerability in the Windows kernel allows a local attacker who has already gained initial access to elevate their privileges to SYSTEM level. The vulnerability exists in the way the kernel handles certain memory operations during process creation. Microsoft has confirmed active exploitation, with threat actors using this vulnerability as part of post-compromise attack chains.
This vulnerability affects Windows 10, Windows 11, and Windows Server 2019/2022/2025. Organizations should prioritize this patch immediately, as privilege escalation vulnerabilities are commonly chained with initial access exploits to achieve full system compromise.
CVE-2026-21433: Microsoft Office Remote Code Execution
A remote code execution vulnerability in Microsoft Office allows an attacker to execute arbitrary code when a user opens a specially crafted document. The vulnerability can be triggered through Word, Excel, or PowerPoint files sent via email or hosted on a malicious website. No macros or user interaction beyond opening the document is required.
This zero-day has been observed in targeted attacks against organizations in the financial and government sectors. Attackers are distributing malicious documents through spear-phishing emails that impersonate business partners and regulatory bodies.
Other Critical Vulnerabilities
- CVE-2026-21415: Exchange Server remote code execution -- allows unauthenticated attackers to execute code on vulnerable Exchange servers
- CVE-2026-21428: Windows LDAP service RCE -- affects Active Directory domain controllers
- CVE-2026-21441: Azure Kubernetes Service elevation of privilege -- allows container escape to host
- CVE-2026-21456: Windows DNS Server RCE -- affects all Windows DNS Server implementations
Patching Priorities
CyberSafe recommends the following prioritization for Canadian organizations:
- Within 24 hours: Apply patches for both zero-day vulnerabilities (CVE-2026-21407 and CVE-2026-21433) across all affected systems
- Within 48 hours: Patch Exchange Server and Active Directory domain controllers for the critical RCE vulnerabilities
- Within 7 days: Apply all remaining Critical-rated patches
- Within 14 days: Apply all Important-rated patches, prioritizing internet-facing systems
Mitigation Guidance
For organizations that cannot patch immediately, Microsoft has provided the following interim mitigations:
- For CVE-2026-21433: Block Office file types from untrusted sources via email gateway rules and enable Protected View for all Office documents from the internet
- For CVE-2026-21407: Limit local administrator access and monitor for suspicious privilege escalation activity
- Ensure endpoint detection and response (EDR) solutions are up to date with the latest detection signatures
- Review and restrict inbound traffic to Exchange servers to trusted IP ranges where possible
How CyberSafe Can Help
CyberSafe's Cyber Defense Services include patch management assistance, vulnerability prioritization, and 24/7 monitoring for exploitation attempts. Our SOC team is monitoring for indicators of compromise associated with both zero-day vulnerabilities and can provide rapid notification if exploitation activity is detected in your environment. Combined with Offensive Security Services, we help you identify and fix vulnerabilities before threat actors can weaponize them.