Every month, Patch Tuesday tends to focus heavily on operating systems and common enterprise software. But the broader reality of modern infrastructure is that risk doesn't live in one vendor ecosystem.
March 2026 is a good example of that. Alongside the typical operating system updates, a wide range of enterprise vendors released security advisories affecting storage platforms, networking equipment, web frameworks, enterprise middleware, and firmware.
This post walks through some of the more notable advisories released around the March Patch Tuesday cycle to help security and IT teams understand where attention may be needed.
Microsoft Patch Tuesday – March 2026
Key Windows and Office Vulnerabilities Explained
Microsoft's March 10, 2026 Patch Tuesday addressed several vulnerabilities affecting core Windows components and Microsoft Office products. While none were confirmed to be exploited at the time of publication, multiple vulnerabilities could allow attackers to execute code, escalate privileges, or disclose sensitive information if left unpatched.
The vulnerabilities discussed in this advisory include:
- CVE-2026-26107
- CVE-2026-26128
- CVE-2026-25190
- CVE-2026-25189
- CVE-2026-25186
Together, these vulnerabilities highlight common attack patterns involving malicious files, memory corruption, and privilege escalation within Windows systems.
Vulnerability Overview
| CVE | Impact | Severity | Key Risk |
|---|---|---|---|
| CVE-2026-26107 | Remote Code Execution | Important | Malicious Excel file execution |
| CVE-2026-26128 | Elevation of Privilege | Important | SYSTEM privilege escalation |
| CVE-2026-25190 | Remote Code Execution | Important | DLL search path hijacking |
| CVE-2026-25189 | Elevation of Privilege | Important | Use-after-free memory bug |
| CVE-2026-25186 | Information Disclosure | Important | Sensitive data exposure |
Remote Code Execution Vulnerabilities
1. Excel Remote Code Execution — CVE-2026-26107
This vulnerability occurs due to a use-after-free memory condition within Microsoft Excel.
Attack scenario
An attacker creates a malicious Excel spreadsheet and distributes it through phishing emails or downloads. The victim opens the file and malicious code executes with the user's privileges.
Important details
- Attack vector: Local
- User interaction required
- Preview Pane is not an attack vector
Affected products
Microsoft Excel, Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, Office Online Server, Excel 2016.
2. Windows GDI Remote Code Execution — CVE-2026-25190
This is an untrusted search path vulnerability in the Windows Graphics Device Interface (GDI): the system may load malicious DLL files from unsafe directories.
Attack scenario
An attacker creates a malicious installer containing a malicious DLL. When the victim extracts the installer from an untrusted location, Windows loads the attacker-controlled DLL, allowing arbitrary code execution.
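One way to look for the DLL-planting condition described above on an endpoint, as an added PowerShell example (not from Microsoft's advisory or the original post): it lists DLLs in user-writable folders that share a name with a System32 DLL and do not carry a valid Authenticode signature. The function name `Find-ShadowingDll` and the default folder list are assumptions; the advisory summary here does not name the DLL involved, so the check covers every System32 DLL name.

```powershell
# Added example: audit user-writable folders for DLLs that shadow System32 names.
# Find-ShadowingDll and the default folder list are illustrative assumptions.
function Find-ShadowingDll {
    param(
        [string[]]$Path = @("$env:USERPROFILE\Downloads", $env:TEMP)
    )

    # Collect the file names of DLLs that normally resolve from System32.
    $systemNames = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$systemNames.Add($_.Name) }

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $systemNames.Contains($_.Name) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

                # An executable in the same folder searches its own directory
                # before System32 for DLLs that are not KnownDLLs, so a
                # same-named DLL sitting beside it is the case that matters.
                $exes = @(Get-ChildItem -LiteralPath $_.DirectoryName -Filter *.exe -File -ErrorAction SilentlyContinue)

                [pscustomobject]@{
                    Dll             = $_.FullName
                    SignatureStatus = $sig.Status
                    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    ExeInSameFolder = $exes.Count
                    LastWriteTime   = $_.LastWriteTime
                }
            }
    }
}

# Report only DLLs without a valid signature, most exposed folders first.
Find-ShadowingDll |
    Where-Object { $_.SignatureStatus -ne 'Valid' } |
    Sort-Object ExeInSameFolder -Descending |
    Format-Table -AutoSize
```

A hit is a lead for review rather than proof of compromise; pass `-Path` to cover other extraction locations used in your environment.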
Privilege Escalation Vulnerabilities
3. Windows SMB Server Elevation of Privilege — CVE-2026-26128
This vulnerability occurs due to improper authentication handling in the SMB server component.
- Attack vector: Local
- Privileges required: Low
- User interaction: None
An attacker who successfully exploits the vulnerability could gain SYSTEM privileges, enabling malware installation, modification of system files, and persistence on compromised systems.
4. Windows DWM Core Library Elevation of Privilege — CVE-2026-25189
This vulnerability is caused by a use-after-free flaw in the Desktop Window Manager core library. Attackers could escalate privileges to SYSTEM level, gaining full control over the affected system. The affected component is the Windows Desktop Window Manager (DWM), which manages graphical rendering.
Information Disclosure Vulnerability
5. Windows Accessibility Infrastructure Information Disclosure — CVE-2026-25186
This vulnerability affects Windows Accessibility Infrastructure (ATBroker.exe) and exposes sensitive information to unauthorized actors — including user credentials, application secrets, and privileged user data.
Although it does not directly allow code execution, it can support attack chains leading to privilege escalation or lateral movement.
Reported by James Forshaw from Google Project Zero.
Affected Windows Systems
These vulnerabilities affect a broad range of Windows platforms.
Windows Client: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1)
Windows Server: Windows Server 2012/2012 R2, 2016, 2019, 2022, 2025
Security update examples include: KB5078752, KB5078766, KB5078737, KB5078885, KB5079473, KB5079420.
Patch Priority Recommendations
Highest Priority — patch immediately:
- CVE-2026-26107 and CVE-2026-25190 — allow arbitrary code execution

High Priority — patch as soon as possible:
- CVE-2026-26128 and CVE-2026-25189 — allow SYSTEM privilege escalation

Moderate Priority — patch during regular update cycles:
- CVE-2026-25186 — information disclosure that can assist complex attack chains
Security Recommendations
- Apply Microsoft Security Updates — install the March 2026 patches across all affected Windows and Office systems
- Enforce Least Privilege — restrict administrative privileges to reduce escalation impact
- Strengthen Email Security — block suspicious attachments, use advanced phishing protection, deploy email sandboxing
- Monitor SMB Activity — watch for abnormal SMB traffic patterns that may indicate exploitation
- Deploy EDR — endpoint detection can identify malicious DLL loading, privilege escalation attempts, and suspicious Office document behaviour
The March 2026 Patch Tuesday highlights the ongoing risk posed by vulnerabilities in core Windows components and widely used productivity software. Even though Microsoft assessed exploitation as unlikely at release time, attackers frequently combine vulnerabilities like these to create multi-stage attack chains involving initial access through malicious documents, privilege escalation, and lateral movement.
Dell Security Advisories
Dell released several high-severity updates affecting enterprise storage and data protection platforms.
Connectrix B-Series SANnav — DSA-2026-088
Multiple vulnerabilities were addressed across SANnav components, including issues that could potentially lead to privilege escalation or unauthorized access. Affected CVEs include CVE-2025-12680, CVE-2025-12679, CVE-2025-12772 through CVE-2025-12774, CVE-2025-26465, CVE-2025-27818/27819, CVE-2025-32728, CVE-2025-4207, plus several third-party dependency issues.
Connectrix B-Series Fabric OS and SANnav — DSA-2026-087
This update includes vulnerabilities affecting both Fabric OS and SANnav, including older dependency issues. Example CVEs: CVE-2026-0383, CVE-2025-58379 through CVE-2025-58383, CVE-2024-26923, CVE-2023-52426.
Avamar Data Store Gen5A — DSA-2026-086
This advisory addresses multiple vulnerabilities originating from bundled third-party components, including CVE-2025-31146, CVE-2025-25273, CVE-2025-26863, CVE-2025-26697, and CVE-2025-24486. Organizations running Avamar backup infrastructure should review these updates carefully, as backup systems often sit deep in core infrastructure.
Drupal Security Advisories
Unpublished Node Permissions — SA-CONTRIB-2026-029 (Critical)
An access control issue allows bypassing restrictions on unpublished translated nodes. In certain configurations this could allow unauthorized viewing of unpublished content.
AI Module — SA-CONTRIB-2026-028 (Moderately Critical)
Some AI-related modules allow LLM-generated HTML or Markdown content to be rendered in a browser preview. Under specific circumstances this rendering process could expose sensitive data associated with the LLM request. This advisory highlights a newer class of risk tied to AI integrations within CMS platforms.
F5 Security Advisories
F5 released advisories covering multiple third-party components used within their products.
- CVE-2025-20109 — Improper isolation in the stream cache mechanism of certain Intel processors may allow privilege escalation through local access.
- CVE-2025-14524 — A redirect issue involving OAuth2 bearer tokens could expose tokens during cross-protocol redirects (IMAP, LDAP, POP3, SMTP).
- CVE-2025-12817 / CVE-2025-12818 — PostgreSQL authorization issue in CREATE STATISTICS and integer wraparound in libpq client library functions.
- CVE-2025-24325 — Improper input validation in the Intel 800 Series Ethernet Linux kernel driver may allow local privilege escalation.
- CVE-2026-22444 — Apache Solr unexpected configuration access may allow users to create cores using unintended configsets.
Fortinet Security Advisories
Several vulnerabilities were disclosed affecting Fortinet platforms including FortiManager, FortiAnalyzer, FortiSandbox, and FortiSwitch.
High Severity
- FG-IR-26-098 / CVE-2025-54820 — Buffer overflow in the fgtupdates service that could allow remote code execution.
- FG-IR-26-092 / CVE-2025-68648 — Format string vulnerability in the fazsvcd service.
Medium Severity
- CVE-2026-22572 — MFA bypass in GUI authentication
- CVE-2026-25836 — OS command injection in VM image update feature
- CVE-2025-49784 — SQL injection in JSON-RPC API
- CVE-2025-68482 — TLS certificate validation issue during SSO authentication
- CVE-2025-48418 — Privilege escalation via undocumented CLI command
- CVE-2025-68686 — SSL-VPN persistence patch bypass
- CVE-2026-22629 — Authentication lockout bypass race condition
Network security infrastructure is frequently targeted by attackers, making these updates particularly important for organizations using Fortinet platforms.
HP and HPE Security Updates
HP Device Manager (Critical)
The update addresses a large set of vulnerabilities affecting HP Device Manager 5.0.16, including CVE-2025-14180, CVE-2025-14177, CVE-2025-1735, CVE-2025-53066, and CVE-2025-59775.
Intel UEFI Reference Firmware
Multiple vulnerabilities affecting UEFI implementations: CVE-2025-20064, CVE-2025-20105, CVE-2025-20027, CVE-2025-20068. Firmware vulnerabilities can be particularly impactful because they sit below the operating system layer.
HPE Server and Networking
Additional advisories cover Aruba AOS-CX networking platform vulnerabilities, HPE Telco Intelligent Assurance (CVE-2025-33042), and Intel processor firmware issues affecting ProLiant and other HPE systems.
IBM Security Advisories
IBM released a large set of advisories across several enterprise platforms, including Guardium Data Protection, Knowledge Catalog Premium Cartridge, Watsonx BI Assistant, IBM MQ, Spectrum Protect Plus, WebMethods BPM, Sterling B2B Integrator, Instana Observability, and Aspera Orchestrator.
Many of the issues stem from third-party dependency vulnerabilities in Java runtimes, MongoDB, Node.js, Go libraries, Linux kernel components, and Spring frameworks. Notable examples include CVE-2025-15467 (critical in IBM MQ), CVE-2024-57965 (critical in Knowledge Catalog), and CVE-2025-68121 (critical affecting Instana components).
Large enterprise platforms frequently aggregate many dependencies, so advisories often cover dozens of CVEs in a single update.
Ivanti Security Advisories
Ivanti DSM — CVE-2026-3483
An exposed dangerous method in Ivanti DSM prior to version 2026.1.1 could allow a local attacker to exploit the application.
Ivanti Endpoint Manager
Two vulnerabilities were addressed: CVE-2026-1602 (SQL injection) and CVE-2026-1603 (authentication bypass). Endpoint management platforms often operate with elevated privileges, making timely patching especially important.
Key Takeaways
Looking across the March 2026 advisories, several patterns stand out:
Third-party dependencies continue to drive vulnerability exposure. Many advisories originate from embedded components such as Java libraries, open-source frameworks, container runtimes, and networking libraries.
Infrastructure software remains a critical attack surface. Several updates affect SAN storage platforms, enterprise backup systems, firmware and UEFI, network appliances, and management platforms.
Security tools themselves are not immune. Platforms designed to improve security posture — SIEM, observability, firewall management, endpoint management — frequently appear in patch cycles.
Recommendations for Security Teams
- Maintain a vendor inventory — know which platforms your organization depends on, including infrastructure tools that may not be as visible as operating systems
- Monitor vendor advisories — many critical vulnerabilities are published outside traditional OS patch cycles
- Track third-party components — a vulnerability in a common library may affect multiple vendors simultaneously
- Prioritize infrastructure platforms — systems like storage controllers, management platforms, and network appliances often have high privileges and broad access
Disclaimer
This post provides an overview of selected advisories released around the March 2026 Patch Tuesday timeframe across several vendors. It is not a complete list of all vulnerabilities or advisories published during this period.
Every organization operates a different technology stack, and security teams should always review advisories from the vendors whose products are deployed in their environment. Monitoring official vendor security bulletins remains the most reliable way to ensure timely awareness and patching of relevant vulnerabilities.
