Should we patch SQL Server immediately even if it's not internet-facing?

Yes. The zero-day requires only an authorized low-privilege account on the network, not internet exposure. Any internal network attacker or compromised endpoint with SQL access is a viable threat vector.

Does the Office RCE require the user to open the file?

No. CVE-2026-26110 and CVE-2026-26113 are triggered via the Outlook preview pane. The user only needs to click the email to preview it.

Is Excel CVE-2026-26144 exploitable in standard configurations?

Exploitation requires Copilot Agent mode to be enabled and the workbook to contain data the agent can exfiltrate. Organizations with Copilot disabled are not at risk from this specific CVE.

Where can I find the official Microsoft advisory?

All CVEs are documented on the Microsoft Security Response Center at msrc.microsoft.com under the March 2026 security update guide.

Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days

Why This Patch Tuesday Matters

Microsoft's March 2026 Patch Tuesday addressed 79 vulnerabilities, including two publicly disclosed zero-days and three critical remote code execution flaws. While none were confirmed actively exploited at release, the combination of Office preview-pane RCE and SQL Server privilege escalation makes this cycle particularly high-stakes for enterprise defenders.

Zero-Days and Critical CVEs

CVE	Component	CVSS	Type	Priority
CVE-2026-26107	SQL Server	8.8	Privilege Escalation	Critical — patch now
CVE-2026-26082	.NET Framework	7.5	Denial of Service	High
CVE-2026-26110	Microsoft Office	8.0	RCE via Preview Pane	Critical — patch now
CVE-2026-26113	Microsoft Office	7.8	RCE via Preview Pane	Critical — patch now
CVE-2026-26144	Microsoft Excel	6.5	Information Disclosure	Medium

CVE-2026-26107: An authorized attacker can escalate to SQLAdmin over the network without physical access. If SQL Server is reachable from a compromised endpoint, this is lateral movement made trivial.

Priority Areas for Defenders

1. Office Preview-Pane RCE

Preview-pane exploitation lowers the bar significantly — a user doesn't need to open the file. Prioritize Office patches for finance, HR, legal, and executive support teams who receive external attachments daily.

Compensating controls while patch validation runs:

Enable attachment sandboxing / CDR (content disarm and reconstruct)
Block macro-capable file types at the email gateway
Monitor Office process spawning child processes

2. SQL Server Privilege Escalation

Elevating to SQLAdmin from an authorized low-privilege account is a bridge to broader compromise: data exfiltration, persistence via SQL Agent jobs, and lateral movement into connected systems.

Immediate actions:

Audit which accounts have SQL Server access and from where
Enable SQL Server audit logging if not already active
Restrict SQL Server port (1433) to known application servers only

3. Excel Copilot Data Egress

CVE-2026-26144 is a reminder that AI-assisted workflows are now inside the attack surface. If Copilot can move data across trust zones, validate outbound policies from workstations handling sensitive spreadsheets.

Recommended Response Steps

Patch Office and SQL Server endpoints first — highest attacker interest, broad enterprise exposure
Review email attachment controls — preview-pane RCE makes attachment handling a first-line control
Audit SQL privilege paths — identify where low-privilege accounts can escalate
Check Copilot/AI egress boundaries — review outbound connections from Office-enabled systems

Conclusion

March 2026 Patch Tuesday reflects a pattern: traditional vulnerabilities now intersect with AI tooling, cloud-connected administration, and deeply embedded business workflows. Remediation requires understanding how a single flaw might influence identity, data flow, and endpoint trust simultaneously.

Sources

BleepingComputer — Microsoft March 2026 Patch Tuesday — March 10, 2026
Microsoft MSRC — March 2026 Security Updates — Microsoft Security Response Center

Share