
Microsoft Patch Tuesday: 79 Fixes and a Critical Database Risk

Every second Tuesday of the month, Microsoft releases a batch of security fixes for Windows and its products. It's called Patch Tuesday, and it matters because the moment Microsoft publishes these fixes, the clock starts ticking. Attackers study what was broken and start building exploits. Organizations that haven't patched yet become targets.

This month's release fixed 79 vulnerabilities. That number sounds abstract. What it actually means: 79 different ways an attacker could have used Microsoft's own software against you before today.

Two of those vulnerabilities were already publicly known before the fix arrived — they're called zero-days. Neither has been actively exploited yet. But public disclosure puts them on every attacker's research list. The window between "disclosed" and "weaponised" is getting shorter every year.

Patch Tuesday March 2026 — Key Numbers
  • Total vulnerabilities fixed: 79–82 (depending on source — Edge and Azure cloud fixes counted separately)
  • Critical: 8
  • Zero-days (publicly disclosed): 2
  • Privilege escalation flaws: 46 — the single largest category (56%)
  • Remote code execution: 16–18
  • Information disclosure: 10
  • Products affected: Windows, Office, SQL Server, .NET, Azure, SharePoint, Excel, Microsoft Authenticator
  • Actively exploited: None confirmed — yet
[Infographic: Microsoft Patch Tuesday March 2026, 79 vulnerabilities fixed, highlighting the SQL Server privilege escalation CVE-2026-21262, the Office RCE preview pane flaws, and the .NET denial of service vulnerability]

The SQL Server Flaw You Should Patch First

CVE-2026-21262 — SQL Server Elevation of Privilege
CVSS Score: 8.8 (High) | Zero-Day

Here's a simple way to understand this one.

Imagine your company's database is a bank vault. There are different levels of staff — some can only view balances, others can move money, and the bank manager has the master key to everything. SQL Server works the same way. Regular users have limited access. Administrators — called sysadmins — have total control.

This vulnerability let a regular logged-in user quietly promote themselves to sysadmin without anyone authorising it.

With sysadmin access, an attacker can read every record in the database, modify or delete data without leaving obvious traces, create new admin accounts to maintain access even after a password reset, and tamper with scheduled database jobs — the automated tasks that run reports, process transactions, and move data overnight.

This isn't a dramatic exploit. There's no explosion. The attacker logs in as a normal user and walks out as the administrator. The database never raises an alarm because from its perspective, everything was done by an authorised account.

This was a publicly known flaw — meaning security researchers had already written about the vulnerable behaviour before Microsoft released the fix. That's what makes it a zero-day. The good news: there's no evidence anyone exploited it in the wild. The bad news: that window is now open.

The .NET Crash Flaw

CVE-2026-26127 — .NET Denial of Service
CVSS Score: 7.5 | Zero-Day

.NET is a software framework that thousands of applications are built on — internal business tools, customer portals, APIs, web services. If your organisation runs any custom software built by a developer, there's a reasonable chance it runs on .NET.

This vulnerability allows an attacker with no credentials — just network access — to crash any application built on the affected .NET version. They send a specially crafted request, the application tries to read data from a memory location that doesn't exist, and the whole service falls over.

A real-world example: an e-commerce site running a .NET payment processing service. An attacker sends one malformed request. The payment service crashes. Transactions fail. Customers can't complete purchases. The site team restarts the service, but the attacker keeps triggering it.

This is called a denial of service attack — not destructive in the traditional sense, but effectively shutting down a business function until the patch is applied.

The Office Flaws — Opening a File Shouldn't Be Dangerous

Two critical Remote Code Execution vulnerabilities affect Microsoft Office this month — CVE-2026-26110 and CVE-2026-26113.

Remote Code Execution means an attacker can run their own code on your machine. Not just view your files. Run programs.

What makes these particularly serious is the attack vector: the Preview Pane.

Most people know not to double-click suspicious attachments. But most people don't know that in Outlook and Windows Explorer, just selecting a file to preview it — without opening it — can be enough to trigger the exploit.

The attack path looks like this. An attacker sends an email with a malicious Word or Office document. The victim selects the email. Outlook shows a preview of the attachment in the right-hand panel. The exploit fires. The attacker's code runs on the victim's computer, under the victim's credentials — before the victim has done anything except select an email.

The preview pane has been an attack vector in Office vulnerabilities for over a year now. These are the latest in a pattern. The safest immediate mitigation — until you've patched — is to hide the preview pane in Outlook entirely.

The Excel Flaw That Could Make Copilot Leak Your Data

CVE-2026-26144 — Microsoft Excel Information Disclosure
CVSS Score: 7.5 (Critical)

This one is worth paying attention to because it involves Microsoft's AI assistant, Copilot.

The vulnerability is a cross-site scripting flaw in Excel — a technique where malicious code is injected into content that gets processed by the application. In this case, an attacker could craft a malicious Excel file that, when processed by Copilot in Excel, causes the AI to send sensitive data to an external location the attacker controls.

Microsoft describes it as a potential "zero-click information disclosure attack" — meaning no user action is required beyond opening the file. Copilot processes the content, hits the malicious instruction, and silently exfiltrates data over the network.

This is particularly relevant for organisations that have enabled Microsoft 365 Copilot features for finance, legal, or HR teams — exactly the teams handling the most sensitive spreadsheet data.

The Six Flaws Most Likely to Be Exploited

Microsoft rates every vulnerability by exploitation likelihood. This month, six were flagged as "more likely" to be exploited — all privilege escalation flaws that can take an attacker from a regular user to full SYSTEM control.

CVE-2026-24289 and CVE-2026-26132 — Windows Kernel use-after-free flaws. After an attacker runs code on a machine through any means — phishing, a vulnerable application, physical access — these let them escalate from user to SYSTEM level, bypassing most endpoint security tools in the process.

CVE-2026-23668 — Windows Graphics Component race condition. Race conditions are timing-based bugs where an attacker manipulates the sequence of operations the system performs to gain access they shouldn't have.

CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe). Security engineers at Immersive highlighted this one specifically: gaining SYSTEM privileges through the accessibility service provides total control over the machine, including the ability to disable or bypass endpoint detection tools. This component is present on virtually every modern Windows installation.

CVE-2026-23669 — Windows Print Spooler Remote Code Execution. Print Spooler vulnerabilities have a long history of being exploited in enterprise environments — they're frequently targeted by ransomware operators specifically because the Spooler service runs with elevated privileges on most Windows servers.

CVE-2026-26123 — Microsoft Authenticator for Android and iOS. An attacker who tricks a user into scanning a QR code or tapping a sign-in link can intercept the authentication flow through a rogue app — effectively capturing the user's login in a man-in-the-middle attack. Targeted campaigns against high-value individuals are the primary risk here.

Why Privilege Escalation Dominates This Month

46 of the 79 vulnerabilities fixed this month — 56% — are privilege escalation flaws. That number deserves context.

Privilege escalation is rarely the first step in an attack. It's what happens after the attacker has already got inside.

Think of a building breach. The attacker picks the lock on a side entrance — that's initial access. But once inside, they're in the mail room. Privilege escalation is finding the master key that opens every door in the building.

In the ransomware playbook, the sequence looks like this. Initial access comes from a phishing email, a compromised credential, or a vulnerable public-facing service. The attacker lands on a machine with limited access. Privilege escalation flaws let them become a system administrator. From there, they move laterally across the network, disable backups, and deploy ransomware with elevated permissions that make recovery harder.

The volume of privilege escalation patches this month means Microsoft's own infrastructure had 46 different master keys lying around. This patch cycle just changed the locks.

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | How It Applies
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Office RCE via malicious document preview (CVE-2026-26110, CVE-2026-26113)
Execution | T1203 | Exploitation for Client Execution | Code executes via Outlook preview pane without the user opening the file
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Windows Kernel, ATBroker, Graphics Component flaws → SYSTEM access
Privilege Escalation | T1078 | Valid Accounts | SQL Server flaw grants sysadmin via an authorised session (CVE-2026-21262)
Defense Evasion | T1562.001 | Disable or Modify Tools | SYSTEM-level access enables disabling of EDR/security tools
Collection | T1005 | Data from Local System | sysadmin access enables full database read and exfiltration
Exfiltration | T1567 | Exfiltration Over Web Service | Excel/Copilot flaw sends data to attacker-controlled endpoint (CVE-2026-26144)
Impact | T1499 | Endpoint Denial of Service | .NET crash flaw takes down dependent services remotely (CVE-2026-26127)
Credential Access | T1557 | Adversary-in-the-Middle | Microsoft Authenticator flaw intercepts MFA flow (CVE-2026-26123)
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Windows SMB vulnerabilities enable post-escalation lateral movement

Indicators of Compromise (IOCs)

These patches address software flaws, not malware — so there are no file hashes or C2 domains to block. Detection focuses on behavioral indicators of post-exploitation activity.

# Privilege escalation behavioral indicators

# Unexpected elevation to SYSTEM or admin from standard user
Alert: Process token escalation to NT AUTHORITY\SYSTEM
  from non-privileged account outside maintenance window

# New local admin accounts created unexpectedly
Alert: net user /add or equivalent executed by non-admin process
  especially if followed by net localgroup administrators /add

# SQL Server privilege changes
Alert: SQL login granted sysadmin role by non-DBA account
Alert: New SQL Server login created outside change management window
Alert: sp_addsrvrolemember executed outside authorized session

# Print Spooler exploitation indicators
Alert: Unusual child processes spawned by spoolsv.exe
  (cmd.exe, powershell.exe, wscript.exe are high-confidence indicators)

# Authenticator / MFA interception
Alert: MFA deep link handled by non-Microsoft Authenticator app
Alert: New device added to MFA without IT-provisioned enrollment
Alert: Authentication token captured from mobile device outside org network

# Office preview pane exploitation
Alert: Office application spawning cmd.exe, powershell.exe, or wscript.exe
  without user explicitly opening a document (preview pane vector)
Alert: Network connection initiated by WINWORD.EXE or OUTLOOK.EXE
  to external IP immediately after file preview event

# Copilot/Excel exfiltration
Alert: Excel process initiating outbound HTTP/HTTPS connection
  to non-Microsoft domain during file processing

SOC Alert Priorities

Alert Priority 1 — SYSTEM-level privilege escalation on Windows endpoints: Any process that elevates from a standard or low-privileged account to SYSTEM outside of a known patch or maintenance activity should be treated as a compromise indicator. Given that CVE-2026-24291 specifically targets the accessibility service (ATBroker.exe), monitor for unusual child processes or privilege changes originating from accessibility-related process paths.

Alert Priority 2 — SQL Server role changes and new logins: CVE-2026-21262 abuses the normal SQL Server permissions model. The only reliable detection is monitoring the database audit log for sysadmin role grants, new login creation, and changes to scheduled jobs — particularly outside business hours or change management windows. If SQL Server auditing is not currently enabled, enabling it should be treated as urgent.
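The SQL Server audit checks above (sysadmin grants, new logins, Agent job changes outside a change window) as an added, runnable example; this is not code from the article or from Microsoft. It assumes audit records exported from sys.fn_get_audit_file with its event_time, server_principal_name and statement columns, an assumed DBA allowlist, an assumed weekday 08:00-18:00 change window, and constructed sample records.

```python
# Added example (not from the ZyberWalls article): review SQL Server audit
# records for the three changes the alert priority above calls out.
import re
from datetime import datetime

DBA_ACCOUNTS = {"CORP\\dba_jane", "CORP\\dba_bob"}  # assumed allowlist of DBA logins

# Both ways of granting sysadmin that the indicators section mentions.
SYSADMIN_GRANT = re.compile(
    r"(alter\s+server\s+role\s+\[?sysadmin\]?\s+add\s+member|sp_addsrvrolemember\b.*sysadmin)",
    re.I | re.S)
NEW_LOGIN = re.compile(r"\bcreate\s+login\b", re.I)
AGENT_JOB_CHANGE = re.compile(r"\bsp_(add|update|delete)_job(step)?\b", re.I)

def in_change_window(ts: datetime) -> bool:
    """Assumed window: weekdays 08:00-18:00; everything else is out of hours."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def scan_audit(records):
    """Return (rule, principal, statement) tuples for records that need review."""
    findings = []
    for rec in records:
        ts = datetime.fromisoformat(rec["event_time"])
        who, stmt = rec["server_principal_name"], rec["statement"]
        trusted = who in DBA_ACCOUNTS and in_change_window(ts)  # DBA, inside window
        if SYSADMIN_GRANT.search(stmt) and not trusted:
            findings.append(("SysadminGrant", who, stmt))
        elif NEW_LOGIN.search(stmt) and not trusted:
            findings.append(("NewLogin", who, stmt))
        elif AGENT_JOB_CHANGE.search(stmt) and not trusted:
            findings.append(("AgentJobChange", who, stmt))
    return findings

# Constructed records: 2026-03-11 is a Wednesday, so the 02:xx entries are out of hours.
SAMPLE_RECORDS = [
    {"event_time": "2026-03-11T02:14:00", "server_principal_name": "APP\\websvc",
     "statement": "ALTER SERVER ROLE [sysadmin] ADD MEMBER [APP\\websvc]"},
    {"event_time": "2026-03-11T10:00:00", "server_principal_name": "CORP\\dba_jane",
     "statement": "ALTER SERVER ROLE [sysadmin] ADD MEMBER [CORP\\dba_bob]"},
    {"event_time": "2026-03-11T02:15:00", "server_principal_name": "APP\\websvc",
     "statement": "CREATE LOGIN [svc_backup2] WITH PASSWORD = '<redacted>'"},
    {"event_time": "2026-03-11T02:16:00", "server_principal_name": "APP\\websvc",
     "statement": "EXEC msdb.dbo.sp_add_jobstep @job_name = N'NightlyExport', "
                  "@step_name = N'x', @subsystem = N'CmdExec', @command = N'<placeholder>'"},
    {"event_time": "2026-03-11T09:30:00", "server_principal_name": "CORP\\dba_jane",
     "statement": "CREATE LOGIN [reporting_ro] WITH PASSWORD = '<redacted>'"},
]

if __name__ == "__main__":
    for rule, who, stmt in scan_audit(SAMPLE_RECORDS):
        print(f"[{rule}] {who}: {stmt[:60]}")
```

Only the three out-of-hours actions by the non-DBA application login are reported; the DBA's in-window changes pass.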

Alert Priority 3 — Office spawning child processes or making network connections: The preview pane RCE flaws (CVE-2026-26110, CVE-2026-26113) execute under the Office application's process. Any instance of WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE spawning a command prompt, PowerShell session, or initiating an unexpected outbound network connection is a high-confidence exploitation indicator. This rule should be in place regardless of this month's patches — it catches a broad class of Office-based attacks.

Alert Priority 4 — Print Spooler child process anomalies: CVE-2026-23669 runs in the context of the Spooler service. Spoolsv.exe spawning interactive shells or scripting engines (cmd.exe, powershell.exe, wscript.exe) has been a reliable ransomware precursor indicator for years. If you don't already have this alert configured, add it today.
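The Office and Print Spooler rules from Priorities 3 and 4 (and the matching indicators above) as an added, runnable example; this is not code from the article. It assumes Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection, with Sysmon's field names), an assumed list of internal address ranges and trusted Microsoft domain suffixes, and constructed sample events using documentation IP ranges.

```python
# Added example (not from the ZyberWalls article): flag spoolsv.exe or Office
# spawning shells, and Office apps connecting to external, non-Microsoft hosts.
import ipaddress

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SENSITIVE_PARENTS = OFFICE_APPS | {"spoolsv.exe"}
TRUSTED_SUFFIXES = (".microsoft.com", ".office.com", ".office365.com", ".live.com")  # assumed
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]  # assumed

def _exe(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Return (rule, host, detail) tuples for suspicious events, in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation: did a sensitive parent spawn a shell?
            parent, child = _exe(ev["ParentImage"]), _exe(ev["Image"])
            if parent in SENSITIVE_PARENTS and child in SHELL_CHILDREN:
                rule = "SpoolerChildShell" if parent == "spoolsv.exe" else "OfficeChildShell"
                findings.append((rule, ev["Computer"], f"{parent} -> {child}: {ev['CommandLine']}"))
        elif ev["EventID"] == 3 and ev["Initiated"]:  # outbound connection from Office
            img, host = _exe(ev["Image"]), ev.get("DestinationHostname", "").lower()
            if (img in OFFICE_APPS and _is_external(ev["DestinationIp"])
                    and not host.endswith(TRUSTED_SUFFIXES)):
                dest = host or ev["DestinationIp"]
                findings.append(("OfficeExternalConnection", ev["Computer"],
                                 f"{img} -> {dest}:{ev['DestinationPort']}"))
    return findings

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "PRINT01", "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS-042", "ParentImage": OFFICE16 + r"\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <placeholder>"},
    {"EventID": 1, "Computer": "WS-042", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE16 + r"\WINWORD.EXE", "CommandLine": "WINWORD.EXE"},
    {"EventID": 3, "Computer": "WS-042", "Image": OFFICE16 + r"\EXCEL.EXE", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationHostname": "", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-042", "Image": OFFICE16 + r"\EXCEL.EXE", "Initiated": True,
     "DestinationIp": "10.0.0.5", "DestinationHostname": "files.corp.local", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-042", "Image": OFFICE16 + r"\WINWORD.EXE", "Initiated": True,
     "DestinationIp": "198.51.100.20", "DestinationHostname": "outlook.office.com", "DestinationPort": 443},
]
```

The user launching Word from Explorer, Excel reaching an internal file server, and Word talking to outlook.office.com all pass; the Spooler shell, the Outlook-spawned PowerShell and the Excel connection to an unknown external host are reported.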

Alert Priority 5 — MFA enrollment and deep link handling on mobile devices: CVE-2026-26123 requires a rogue app to intercept the authentication flow. Watch for new device enrollments in MFA systems that weren't provisioned through your standard MDM or IT workflow, and monitor for authentication events that complete on devices not recognised in your device inventory.

What To Patch First

Not everything needs to be patched on the same schedule. Based on exploitability and potential impact, here is a practical prioritisation:

Patch immediately (within 24–48 hours): CVE-2026-24291 (ATBroker — SYSTEM escalation), CVE-2026-26110 and CVE-2026-26113 (Office RCE via preview pane), CVE-2026-23669 (Print Spooler RCE). These combine high exploitability with severe post-exploitation impact.

Patch within one week: CVE-2026-21262 (SQL Server privilege escalation), CVE-2026-26144 (Excel/Copilot data exfiltration), CVE-2026-24289 and CVE-2026-26132 (Windows Kernel escalation). These require network access or authenticated sessions — slightly harder to exploit remotely, but devastating if an attacker already has initial access.

Patch in standard cycle: CVE-2026-26127 (.NET DoS), CVE-2026-26123 (Authenticator MFA interception). Real risk but lower exploitability probability according to Microsoft's own assessment.

This patch cycle also connects directly to the kind of full attack chain we've been documenting across recent vulnerability research. When privilege escalation flaws are this abundant, initial access — whether through a phishing email, a stolen credential, or a vulnerable web service — becomes the only hard part:

No Malware. No Exploit. Just a Phone Call — The Ericsson Breach Explained

And the pattern of attackers using valid credentials to move laterally — which these privilege escalation flaws enable — is the same trust boundary problem we covered in depth last week:

CVE-2026-27944: Nginx UI Backup Exposure — How Valid Credentials Enable Silent Data Theft

The ZyberWalls Perspective

Every month, the security industry treats Patch Tuesday like a to-do list. Apply the patches, tick the boxes, move on.

That framing misses what's actually happening.

79 vulnerabilities in a single month means Microsoft's products — software that runs inside almost every organisation on the planet — had 79 documented ways to be abused. This month's list includes a flaw in the software that manages your databases, a flaw in the tool that handles your email previews, a flaw in the accessibility service running on every Windows machine, and a flaw in the AI assistant increasingly being given access to sensitive spreadsheets.

That's not a to-do list. That's a threat landscape.

The organisations that treat patching as a compliance exercise — deploying updates when it's convenient, skipping reboots to avoid disruption, leaving SQL Server and Print Spooler unpatched because they're "internal systems" — are the ones that end up in breach notifications.

The six flaws Microsoft flagged as "more likely to be exploited" aren't theoretical. They're the techniques ransomware operators use after they've already found a way in through a phishing email or a stolen password. Privilege escalation is the step between "attacker is inside your network" and "attacker owns your network."

Patch the six first. Build the detection rules. Then work through the rest.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team