Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple privilege escalation vulnerabilities in core enterprise products, including Active Directory Domain Services (AD DS) and SQL Server; public reporting highlighted network-reachable attack paths that require only an authenticated or otherwise authorized account. CVE-2026-25177 affects AD DS and was described as an elevation-of-privilege issue rooted in improper restriction of names for files and other resources: an attacker uses crafted Unicode characters to create servicePrincipalName (SPN) or userPrincipalName (UPN) values that duplicate those of an existing principal (domain controllers normally reject exact duplicates on write, which is why the Unicode variants matter). Reporting indicates this can interfere with Kerberos ticket handling for the targeted principal, causing a denial of service and, where NTLM is still enabled, a fallback to NTLM, with the chain reported to end in SYSTEM-level control on affected hosts.
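To hunt for the precondition this bug depends on, the following Python script is an added example (not Microsoft's code and not from the original article). It audits an exported list of directory objects for SPN or UPN values that differ byte-for-byte but collide once Unicode compatibility normalization and case folding are applied, and separately lists any value containing non-ASCII code points at all, since the reported attack relies on such characters and most environments have none. The export shape, the object names and the fullwidth-letter substitution are constructed for the example; reporting does not say which comparison the KDC applies, so the script checks several equivalence relations and over-reports rather than under-reports.

```python
"""Audit an AD export for SPN/UPN values that collide once Unicode confusables
are normalized.  Added example; not Microsoft's or the original article's code."""

import unicodedata
from collections import defaultdict

# Constructed sample export (not real directory data).  In practice, build this
# list from an LDAP search such as
#   (|(servicePrincipalName=*)(userPrincipalName=*))
# requesting sAMAccountName, servicePrincipalName and userPrincipalName.
SAMPLE_EXPORT = [
    {"sAMAccountName": "SQL01$",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userPrincipalName": None},
    {"sAMAccountName": "svc_web",
     "servicePrincipalName": ["HTTP/web.corp.example"],
     "userPrincipalName": "svc_web@corp.example"},
    # Hypothetical attacker-created object: U+FF33 FULLWIDTH LATIN CAPITAL LETTER S
    # in the SPN and U+FF53 FULLWIDTH LATIN SMALL LETTER S in the UPN.  Byte-wise
    # these differ from the legitimate values, so an exact-match uniqueness check
    # lets them through.
    {"sAMAccountName": "shadow",
     "servicePrincipalName": ["MSSQL\uff33vc/sql01.corp.example:1433"],
     "userPrincipalName": "\uff53vc_web@corp.example"},
    {"sAMAccountName": "svc_old",
     "servicePrincipalName": ["http/web.corp.example"],  # case-only variant
     "userPrincipalName": "svc_old@corp.example"},
]


def canonical_forms(value):
    """Map a raw SPN/UPN string to its form under several equivalence relations.

    Reporting does not state which comparison the KDC applies, so this
    over-approximates: a collision under any relation deserves a manual look.
    """
    nfkc = unicodedata.normalize("NFKC", value)
    no_marks = "".join(ch for ch in unicodedata.normalize("NFKD", nfkc)
                       if not unicodedata.combining(ch))
    return {
        "casefold": value.casefold(),
        "nfkc+casefold": nfkc.casefold(),
        "nfkc-marks+casefold": no_marks.casefold(),
    }


def _values(obj, attribute):
    """SPN is multi-valued and UPN single-valued; always return a list."""
    raw = obj.get(attribute)
    if raw is None:
        return []
    return raw if isinstance(raw, list) else [raw]


def find_collisions(export, attribute):
    """Return groups of (owner, raw_value) pairs whose values are byte-distinct
    but equal under some equivalence relation."""
    buckets = defaultdict(list)   # (relation, canonical) -> [(owner, raw)]
    for obj in export:
        owner = obj["sAMAccountName"]
        for raw in _values(obj, attribute):
            for relation, canon in canonical_forms(raw).items():
                buckets[(relation, canon)].append((owner, raw))
    findings = []
    for (relation, canon), members in sorted(buckets.items()):
        if len({raw for _, raw in members}) > 1:
            findings.append({"attribute": attribute, "relation": relation,
                             "canonical": canon, "members": members})
    return findings


def non_ascii_values(export):
    """List every SPN/UPN containing non-ASCII code points, with the code points
    named so the reviewer can see what was substituted."""
    hits = []
    for obj in export:
        for attribute in ("servicePrincipalName", "userPrincipalName"):
            for raw in _values(obj, attribute):
                odd = [f"U+{ord(ch):04X}" for ch in raw if ord(ch) > 0x7F]
                if odd:
                    hits.append((obj["sAMAccountName"], attribute, raw, odd))
    return hits


if __name__ == "__main__":
    for attr in ("servicePrincipalName", "userPrincipalName"):
        for f in find_collisions(SAMPLE_EXPORT, attr):
            print(f"{attr} collision under {f['relation']}: {f['members']}")
    for hit in non_ascii_values(SAMPLE_EXPORT):
        print("non-ASCII value:", hit)
```

On the sample, the fullwidth SPN and UPN surface only under the NFKC-based relations, while the case-only SPN variant is reported under all three; the non-ASCII listing is the cheaper first pass, because a legitimate SPN or UPN almost never carries characters outside ASCII.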
Microsoft also disclosed CVE-2026-21262 in SQL Server, an Important-rated flaw with a CVSS 8.8 score that lets an authenticated attacker elevate to the sysadmin fixed server role, which gives full control of the database instance. Public reporting said Microsoft assessed exploitation as less likely and had not observed in-the-wild abuse at disclosure time, but noted that the issue was already publicly disclosed, which raises the likelihood of follow-on exploit development. Other items referenced alongside this story (ADCS ESC1, Cisco SD-WAN Manager and n8n) concern separate products and unrelated vulnerabilities, and a standalone MSRC entry in the source set is not detailed enough to confirm that it belongs to this event.
Timeline
Apr 14, 2026
Technical details published for SQL Server flaw CVE-2026-32176
By 2026-04-14, public reporting described an exploitation path for Microsoft SQL Server vulnerability CVE-2026-32176 (a separate identifier from the March CVE-2026-21262; the reporting cited here does not relate the two) in which an authenticated attacker with sufficient database privileges injects SQL into a vulnerable system procedure. The injection lands inside an EXECUTE AS context switch, so the injected statements run with the rights of the impersonated principal rather than the caller, ending in sysadmin. The report said successful exploitation could enable full control of the SQL Server instance, including persistence, OS command execution and lateral movement.
Mar 11, 2026
Microsoft discloses and patches SQL Server zero-day CVE-2026-21262
By 2026-03-11, Microsoft had disclosed CVE-2026-21262, a publicly known (zero-day) improper access control vulnerability in Microsoft SQL Server that lets an authenticated, low-privileged user escalate to sysadmin. Microsoft released security updates for supported SQL Server versions and said the flaw had been publicly disclosed but had not been observed under active exploitation.
Mar 10, 2026
Microsoft releases fixes for AD DS privilege-escalation flaw CVE-2026-25177
On 2026-03-10, Microsoft issued an Important security update for Active Directory Domain Services addressing CVE-2026-25177, a network-exploitable elevation-of-privilege bug involving crafted Unicode characters in SPN/UPN handling. Microsoft rated exploitation as less likely and said it had seen neither public exploit code nor active attacks at release time.
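The escalation primitive described in the 14 April timeline entry is the combination of a procedure that executes under a context more privileged than its caller (WITH EXECUTE AS OWNER, SELF or a named principal) and dynamic SQL built by concatenating a caller-supplied parameter. The Python script below is an added example, not Microsoft's code and not from the article: it scans module definitions in the shape returned by sys.sql_modules for that combination and reports whether an injection would run as the caller or as the elevated principal. The procedure names and bodies are constructed; they are not the system procedure referenced in reporting, which the article does not name. The scan is a text heuristic and cannot see modules created WITH ENCRYPTION, so treat hits as leads for review rather than confirmed findings.

```python
"""Heuristic scan of SQL Server module definitions for the injection-plus-EXECUTE AS
escalation primitive.  Added example; the procedures below are hypothetical."""

import re

# Constructed sample rows (not from a real instance) in the shape of
#   SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS name,
#          m.execute_as_principal_id, m.definition
#   FROM sys.sql_modules AS m;
# execute_as_principal_id: NULL = EXECUTE AS CALLER, -2 = EXECUTE AS OWNER,
# any other value = the database principal named in the clause (or SELF).
SAMPLE_MODULES = [
    # Vulnerable: parameter spliced raw into dynamic SQL, run as the owner.
    {"name": "dbo.usp_report_unsafe", "execute_as_principal_id": -2, "definition": """
CREATE PROCEDURE dbo.usp_report_unsafe @table sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT * FROM ' + @table;
    EXEC (@sql);
END"""},
    # Hardened: identifier passed through QUOTENAME, execution via sp_executesql.
    {"name": "dbo.usp_report_safe", "execute_as_principal_id": -2, "definition": """
CREATE PROCEDURE dbo.usp_report_safe @table sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT * FROM ' + QUOTENAME(@table);
    EXEC sp_executesql @sql;
END"""},
    # Injectable but runs as the caller: no privilege jump, still a bug.
    {"name": "dbo.usp_lookup_caller", "execute_as_principal_id": None, "definition": """
CREATE PROCEDURE dbo.usp_lookup_caller @name sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT * FROM dbo.t WHERE n = ' + @name;
    EXEC (@sql);
END"""},
]

# Text between the procedure name and the first AS keyword holds the parameter list.
PARAM_LIST = re.compile(
    r"\bCREATE\s+(?:OR\s+ALTER\s+)?PROC(?:EDURE)?\s+\S+\s*(.*?)\bAS\b", re.I | re.S)
# Dynamic execution: EXEC(...) / EXECUTE(...) or sp_executesql.
DYNAMIC_EXEC = re.compile(r"\bEXEC(?:UTE)?\s*\(|\bsp_executesql\b", re.I)
# A parameter appearing bare on either side of '+' (string concatenation).
CONCAT = re.compile(r"\+\s*(@\w+)|(@\w+)\s*\+")


def parameters_of(definition):
    """Names declared in the procedure's parameter list."""
    m = PARAM_LIST.search(definition)
    return set(re.findall(r"@\w+", m.group(1))) if m else set()


def concatenated_parameters(definition, params):
    """Parameters spliced into a string with '+' rather than wrapped in QUOTENAME
    or bound as sp_executesql parameters."""
    hits = set()
    for m in CONCAT.finditer(definition):
        name = m.group(1) or m.group(2)
        if name in params:
            hits.add(name)
    return hits


def scan_modules(modules):
    """Flag modules that build dynamic SQL from a raw parameter; classify by the
    execution context the injected statements would inherit."""
    findings = []
    for mod in modules:
        definition = mod["definition"]
        spliced = concatenated_parameters(definition, parameters_of(definition))
        if not spliced or not DYNAMIC_EXEC.search(definition):
            continue
        elevated = mod["execute_as_principal_id"] is not None
        findings.append({
            "name": mod["name"],
            "parameters": sorted(spliced),
            "context": "elevated" if elevated else "caller",
            "severity": "escalation" if elevated else "injection",
        })
    return findings


if __name__ == "__main__":
    for f in scan_modules(SAMPLE_MODULES):
        print(f"{f['severity']:10} {f['name']} via {', '.join(f['parameters'])} "
              f"(runs as {f['context']})")
```

On the sample the unsafe procedure is reported as an escalation, the caller-context procedure as plain injection, and the hardened procedure is not reported at all even though it keeps EXECUTE AS OWNER, because nothing caller-controlled reaches the dynamic string unquoted. To run it against a live instance, export the rows with the query in the comment and load them as the list of dicts.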
Related Stories

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 month ago
Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities
Microsoft published several **critical** security advisories affecting cloud and AI services, including **Azure Cloud Shell**, **Azure DevOps**, **Azure Data Factory**, **Microsoft Copilot**, **M365 Copilot**, **Microsoft 365 Copilot BizChat**, **Microsoft Bing**, and **Bing Images**. The issues span **elevation of privilege**, **information disclosure**, **tampering**, and **remote code execution**, with listed weakness classes including **SSRF** (`CWE-918`), **insufficiently protected credentials** (`CWE-522`), **sensitive information exposure** (`CWE-200`), and **command injection** (`CWE-77`/`CWE-78`). Several advisories state that the vulnerabilities **require no customer action to resolve**, indicating Microsoft-managed remediation for affected online services. The most severe disclosures include **CVE-2026-32169** in *Azure Cloud Shell* with a **CVSS 10.0** elevation-of-privilege rating, **CVE-2026-32191** in *Microsoft Bing Images* with a **CVSS 9.8** remote code execution rating, and high-impact flaws in *Azure DevOps* (**CVE-2026-23658**), *Azure Data Factory* (**CVE-2026-23659**), and *Microsoft 365 Copilot BizChat* (**CVE-2026-26137**). Separate advisories also cover information disclosure in *Microsoft Copilot* (**CVE-2026-26136**) and *M365 Copilot* (**CVE-2026-24299**), plus a tampering flaw in *Microsoft Bing* (**CVE-2026-26120**). A separate report on the **RegPwn** Windows Registry privilege-escalation bug (**CVE-2026-24291**) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.
1 week ago
Microsoft Discloses Elevation of Privilege Flaws in MMC, Partner Center, and Microsoft 365 Copilot
Microsoft published security advisories for three **elevation of privilege** vulnerabilities affecting **Microsoft Management Console**, **Microsoft Partner Center**, and **Microsoft 365 Copilot**. The issues are tracked as `CVE-2026-27914`, `CVE-2026-24303`, and `CVE-2026-33102`, respectively, and were added to the Microsoft Security Update Guide as separate product-specific flaws. The disclosures indicate that both on-premises administrative tooling and cloud-connected Microsoft services are affected by privilege-escalation weaknesses. While Microsoft did not provide public synopses in the referenced advisories, the listings identify the impacted products and classify each issue as an elevation of privilege vulnerability, signaling potential risk to administrators, partners, and enterprise users relying on those platforms.
1 week ago