CyberTimes
Vulnerability Advisory

CVE-2026-25187

Microsoft's March 2026 Patch Tuesday release fixes 84 vulnerabilities, including two publicly disclosed zero-days, a critical CVSS 9.8 remote code execution flaw, a zero-click Excel data exfiltration bug via Copilot, and six privilege escalation flaws rated "Exploitation More Likely".

Severity: critical
CVSS Score: 9.8 / 10
Published: Mar 11, 2026

Affected Products

  • Windows (all supported versions — multiple privilege escalation flaws)
  • Microsoft SQL Server 2016 and later (CVE-2026-21262, CVSS 8.8)
  • .NET framework (CVE-2026-26127, CVSS 7.5)
  • Microsoft Office / Excel (CVE-2026-26110, CVE-2026-26113, CVE-2026-26144)
  • Windows Winlogon (CVE-2026-25187, CVSS 7.8)
  • Azure Model Context Protocol Server (CVE-2026-26118, CVSS 8.8)
  • Microsoft Devices Pricing Program (CVE-2026-21536, CVSS 9.8 — already mitigated by Microsoft)
  • Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server

Full Analysis

Microsoft March 2026 Patch Tuesday: 84 Flaws Fixed Including Two Zero-Days, a CVSS 9.8 RCE, and a Zero-Click Copilot Data Leak
