Stay Ahead of Threats with the Latest Vulnerability Updates for March
Stay up to date on critical cyber risks, Microsoft’s March Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 83 vulnerabilities disclosed
– 3 rated Critical, 2 zero-days (both publicly disclosed, none exploited)
- High-Severity Advisories from Major Vendors:
– Adobe: 80 vulnerabilities, affecting 8 products
– Cisco: 3 critical-severity flaws in Cisco Secure Firewall Management Center (FMC) and Cisco Catalyst SD-WAN Manager
– Fortinet: 2 high-severity flaws in FortiManager and FortiSwitchAXFixed
– Ivanti: 1 high-severity flaw in Ivanti Desktop and Server Management (DSM)
– SAP: 2 critical and 1 high-severity vulnerability across SAP Quotation Management Insurance (FS-QUO), SAP NetWeaver Enterprise Portal Administration, and SAP Supply Chain Management
– Veeam: 6 critical-severity and 4 high-severity flaws published
- Top Threats to Watch:
– Iran‑linked targeting of IP cameras to support physical warfare operations and battlefield intelligence across the Middle East.
– Chinese‑nexus APT activity using PlugX malware and conflict‑themed lures to rapidly target organizations in Qatar and the Gulf region.
– Iranian MOIS and MuddyWater operations expanding espionage capabilities, including new backdoors (Dindoor, Fakeset) and Rclone‑based data exfiltration.
– Advanced social engineering campaigns—Teams impersonation, Quick Assist abuse, LastPass‑themed phishing, and commercial‑grade kits like Starkiller that bypass MFA.
– Rise in infostealer and mobile malware innovation, including theft of AI‑agent configuration files (OpenClaw) and the GenAI‑powered Android malware PromptSpy.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
– Continued support requires either enrolling in Microsoft’s paid ESU program or upgrading to Windows 11
- Upgrading to Windows 11
Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.
Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.
Windows 11 End of Support
As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).
- Windows 11 version 21H2 (All Editions)
- Windows 11 version 22H2 (All Editions)
- Windows 11 version 23H2 (Home & Pro)
We would also like to highlight several upcoming End of Support dates for the following Windows releases:
- Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes.
- Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure.
Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle.
* Some specialized editions of Windows 11 24H2 (e.g. Enterprise LTSC, the Long-Term Servicing Channel release) will continue to receive support through 2029. For all other editions we recommend upgrading to Windows 11 25H2.
Windows Server 2016 End of Support
Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform.
Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends.
Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline.
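To turn the lifecycle dates above into a repeatable inventory check, here is an added example in Python (not Fortress SRM's code or tooling). It classifies a constructed device inventory against end-of-support dates: the Windows 10, Windows 11 23H2/24H2 and Windows Server 2016 dates are the ones quoted on this page; the dates for the already-retired Windows 11 releases, for 24H2 Enterprise/Education, for 25H2 and for Enterprise LTSC 2024 are taken from Microsoft's published lifecycle schedule and do not appear on this page. The hostnames, the ESU enrolment list, the report date and the `warn_days` window are assumptions.

```python
"""Lifecycle check of a Windows device inventory (added example, not Fortress SRM code).

Dates marked 'page' are the end-of-support dates quoted on this page; the others
come from Microsoft's published lifecycle schedule. The inventory is constructed.
"""
from datetime import date

# (product, version, edition class) -> last day of security updates.
# Edition class is "home_pro", "ent_edu", "ltsc", or "all" where every edition
# of the product shares one date.
END_OF_SUPPORT = {
    ("Windows 10", "22H2", "all"): date(2025, 10, 14),        # page; ESU extends it
    ("Windows 11", "21H2", "home_pro"): date(2023, 10, 10),
    ("Windows 11", "21H2", "ent_edu"): date(2024, 10, 8),
    ("Windows 11", "22H2", "home_pro"): date(2024, 10, 8),
    ("Windows 11", "22H2", "ent_edu"): date(2025, 10, 14),
    ("Windows 11", "23H2", "home_pro"): date(2025, 11, 11),
    ("Windows 11", "23H2", "ent_edu"): date(2026, 11, 10),    # page
    ("Windows 11", "24H2", "home_pro"): date(2026, 10, 13),   # page
    ("Windows 11", "24H2", "ent_edu"): date(2027, 10, 12),
    ("Windows 11", "24H2", "ltsc"): date(2029, 10, 9),        # Enterprise LTSC 2024 (page: "through 2029")
    ("Windows 11", "25H2", "home_pro"): date(2027, 10, 12),
    ("Windows 11", "25H2", "ent_edu"): date(2028, 10, 9),
    ("Windows Server", "2016", "all"): date(2027, 1, 12),     # page
}

REPORT_DATE = date(2026, 3, 15)   # assumed "today" so the report is reproducible


def edition_class(edition: str) -> str:
    """Map an edition string from the inventory to the lifecycle table's class."""
    e = edition.lower()
    if "ltsc" in e:
        return "ltsc"
    if "enterprise" in e or "education" in e:
        return "ent_edu"
    return "home_pro"


def end_of_support(product: str, version: str, edition: str):
    """Return the end-of-support date, or None if the release is not in the table."""
    for cls in (edition_class(edition), "all"):
        eos = END_OF_SUPPORT.get((product, version, cls))
        if eos is not None:
            return eos
    return None


def classify(inventory, today=REPORT_DATE, warn_days=365, esu_enrolled=frozenset()):
    """Return {hostname: (status, days_left)}.

    status is 'unsupported', 'esu' (Windows 10 device covered by ESU enrolment),
    'ending_soon' (inside warn_days), 'supported', or 'unknown' (release not in table).
    """
    report = {}
    for dev in inventory:
        eos = end_of_support(dev["product"], dev["version"], dev["edition"])
        if eos is None:
            report[dev["hostname"]] = ("unknown", None)
            continue
        days_left = (eos - today).days
        if days_left < 0:
            covered = dev["product"] == "Windows 10" and dev["hostname"] in esu_enrolled
            status = "esu" if covered else "unsupported"
        elif days_left <= warn_days:
            status = "ending_soon"
        else:
            status = "supported"
        report[dev["hostname"]] = (status, days_left)
    return report


# Constructed sample inventory (hostnames and OS mix are made up).
SAMPLE_INVENTORY = [
    {"hostname": "ws-001", "product": "Windows 11", "version": "24H2", "edition": "Pro"},
    {"hostname": "ws-002", "product": "Windows 11", "version": "23H2", "edition": "Enterprise"},
    {"hostname": "ws-003", "product": "Windows 11", "version": "23H2", "edition": "Pro"},
    {"hostname": "ws-004", "product": "Windows 11", "version": "25H2", "edition": "Pro"},
    {"hostname": "kiosk-01", "product": "Windows 11", "version": "24H2", "edition": "Enterprise LTSC"},
    {"hostname": "legacy-07", "product": "Windows 10", "version": "22H2", "edition": "Pro"},
    {"hostname": "legacy-08", "product": "Windows 10", "version": "22H2", "edition": "Enterprise"},
    {"hostname": "srv-file-01", "product": "Windows Server", "version": "2016", "edition": "Standard"},
    {"hostname": "srv-app-02", "product": "Windows Server", "version": "2022", "edition": "Standard"},
]

if __name__ == "__main__":
    report = classify(SAMPLE_INVENTORY, esu_enrolled=frozenset({"legacy-08"}))
    for host, (status, days) in sorted(report.items(), key=lambda kv: (kv[1][1] is None, kv[1][1] or 0)):
        print(f"{host:12} {status:13} {'' if days is None else days}")
```

Anything that comes back `unknown` (here the Server 2022 host) means the lifecycle table needs extending before the report is trusted; `unsupported` devices that are not on the ESU list are the ones to prioritise, followed by `ending_soon` in order of days left.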
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft March 2026 Patch Tuesday
83 vulnerabilities disclosed, including 3 critical and 2 zero-days. By category:
- 43 Elevation of Privilege
- 17 Remote Code Execution
- 9 Information Disclosure
- 4 Denial of Service
- 4 Spoofing
- 2 Denial of Service
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero-Days
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Important | No, publicly disclosed |
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Important | No, publicly disclosed |
Other Critical CVEs Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Critical | No |
| CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Critical | No |
Microsoft March 2026 Security Update Release
Third-Party Critical CVEs Worth Mentioning
Adobe Products *
| CVE-ID(s) | Affected Product | Issues by Severity | Key Risks |
|---|---|---|---|
| CVE-2026-21361, CVE-2026-21284, CVE-2026-21289, CVE-2026-21290, CVE-2026-21311, CVE-2026-21309 | Adobe Commerce | 6 Critical, 10 Important, 3 Moderate | Security feature bypass, privilege escalation |
| CVE-2026-21333, CVE-2026-21362, CVE-2026-27271, CVE-2026-27272, CVE-2026-27267 | Adobe Illustrator | 5 Critical, 2 Important | Arbitrary code execution |
| CVE-2026-27267, CVE-2026-27268, CVE-2026-27270, CVE-2026-21363, CVE-2026-21364, CVE-2026-21365, CVE-2026-27214, CVE-2026-27215, CVE-2026-27216, CVE-2026-27217, CVE-2026-27218, CVE-2026-27219 | Adobe Substance 3D Painter | 9 Important | Memory exposure, arbitrary code execution, application denial of service |
| CVE-2026-27220, CVE-2026-27278 | Adobe Acrobat Reader | 2 Critical, 1 Important | Arbitrary code execution |
| CVE-2026-27269 | Adobe Premiere Pro | 1 Critical | Arbitrary code execution |
| CVE-2026-27223 through CVE-2026-27266 | Adobe Experience Manager | 33 Important | Arbitrary code execution |
| CVE-2026-27273, CVE-2026-27274, CVE-2026-27275, CVE-2026-27276, CVE-2026-27277, CVE-2026-27279 | Adobe Substance 3D Stager | 6 Critical | Arbitrary code execution |
| CVE-2026-27280, CVE-2026-27281 | Adobe DNG SDK | 1 Critical, 1 Important | Arbitrary code execution, application denial of service |
Cisco *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-20131 | Cisco Secure Firewall Management Center (FMC) | A vulnerability in the web-based management interface could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. | Critical | No |
| CVE-2026-20079 | Cisco Secure Firewall Management Center (FMC) | A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. | Critical | No |
| CVE-2026-20122, CVE-2026-20126, CVE-2026-20128 | Cisco Catalyst SD-WAN Manager | Multiple vulnerabilities could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. | Critical | Yes |
Fortinet *
| CVE-ID | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2025-54820 | FortiManager | A stack-based buffer overflow vulnerability may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. The success of the attack depends on the ability to bypass the stack protection mechanisms. | High | No |
| CVE-2026-22627 | FortiSwitchAXFixed | A Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability may allow an unauthenticated attacker on the same adjacent network to execute unauthorized code or commands on the device by sending a crafted LLDP packet. | High | No |
Ivanti *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-3483 | Ivanti Desktop and Server Management (DSM) | An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges. | High | No |
Ivanti March 2026 Security Update
SAP *
| CVE-ID | Affected Component | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2019-17571 | SAP Quotation Management Insurance application (FS-QUO) | Vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while the component listens on the network for log data. | Critical | No |
| CVE-2026-27685 | SAP NetWeaver Enterprise Portal Administration | Vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could have a high impact on the confidentiality, integrity, and availability of the host system. | Critical | No |
| CVE-2026-27689 | SAP Supply Chain Management | Due to an uncontrolled resource consumption (denial of service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. | High | No |
Veeam *
| CVE-ID | Affected Component | Description | Severity | Exploited? |
|---|---|---|---|---|
| CVE-2026-21666, CVE-2026-21667 | Backup Server | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE). | Critical | No |
| CVE-2026-21708 | Windows-based Veeam Backup & Replication; Veeam Software Appliance | A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | Critical | No |
| CVE-2026-21669 | Windows-based Veeam Backup & Replication | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | Critical | No |
| CVE-2026-21671 | Veeam Software Appliance | A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication. | Critical | No |
| CVE-2026-21668 | Backup Repository | A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files. | High | No |
| CVE-2026-21672 | Veeam Backup & Replication servers | A vulnerability allowing local privilege escalation on Windows-based servers. | High | No |
| CVE-2026-21670 | Windows-based Veeam Backup & Replication; Veeam Software Appliance | A vulnerability allowing a low-privileged user to extract saved SSH credentials. | High | No |
Google Chrome
- Version: 146.0.7680.71/72 (Windows and Mac), 146.0.7680.71 (Linux)
- Release Date: Tuesday, March 10, 2026
* Not handled by Fortress SRM.
Threat Intelligence Trends – March 2026
The following resources are grouped by threat type / category.
Emerging Threats
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
Check Point Research observed a surge in Iranian‑linked attempts to compromise IP cameras across Israel, Gulf states, Lebanon, and Cyprus, beginning February 28, 2026. The targeting appears to support battlefield intelligence and potential missile operations, with earlier activity aligning to geopolitical flashpoints such as Iran’s temporary airspace closure.
China‑Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions
Check Point Research observed increased activity from Chinese‑nexus APT groups targeting Qatar, including attempts by the Camaro Dragon threat actor to deploy PlugX malware within one day of the Middle East escalation. The attackers leveraged ongoing regional conflict to craft credible lures and rapidly adapt operations, highlighting China‑linked actors’ agility and expanding focus on the Gulf region.
Iranian MOIS Actors & the Cyber Crime Connection
Check Point Research reports that Iranian Ministry of Intelligence and Security (MOIS)–linked groups, including Void Manticore and MuddyWater, are increasingly leveraging cybercriminal tools, services, and infrastructure to support state objectives. This convergence enhances operational capabilities, expands deniability, and blurs attribution as Iranian actors adopt ransomware branding, commercial infostealers, and criminal‑ecosystem tradecraft.
Iran-Linked MuddyWater Deploys New Dindoor Malware Against U.S. Networks
SOCRadar reports that Iranian APT MuddyWater (Seedworm) targeted multiple U.S. organizations—including a bank, airport, nonprofit, and a defense‑linked software firm—using a newly discovered backdoor called Dindoor. The campaign, active since early 2026, also leveraged a second backdoor (Fakeset) and attempted data exfiltration via Rclone, underscoring the group’s expanding espionage capabilities during heightened geopolitical tensions.
Social Engineering Attacks
Criminals Impersonating City and County Officials in Phishing Emails for Planning and Zoning Permits
The FBI warns of a phishing scheme in which criminals impersonate city and county planning and zoning officials to solicit fraudulent payments. Attackers use real permit information and professional‑looking emails to deceive victims into sending money via wire transfer, peer‑to‑peer apps, or cryptocurrency.
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
BlueVoyant researchers identified a campaign where attackers impersonate IT staff on Microsoft Teams, use email bombing to create urgency, and convince victims to grant remote access through Quick Assist. Once on the device, the threat actors sideload malicious DLLs via digitally signed MSI packages to deploy the new A0Backdoor, which uses anti‑sandbox techniques and covert DNS MX‑based command‑and‑control.
Hackers Mimic LastPass Support Emails to Steal Vault Passwords
A new phishing campaign impersonates LastPass support by forwarding fake email threads and using display‑name spoofing to create urgency around supposed unauthorized account activity. Victims are funneled to fake login pages on domains like verify‑lastpass[.]com, where attackers harvest vault master passwords.
Starkiller Phishing Kit
Researchers at Abnormal uncovered Starkiller, a commercial‑grade phishing kit that proxies real login pages in real time to steal credentials and bypass MFA. By loading genuine sites through attacker‑controlled infrastructure, it captures every keystroke and authentication token while remaining nearly impossible for victims to distinguish from the real thing.
Ransomware & Malware Deployment
Hudson Rock Identifies Real‑World Infostealer Infection Targeting OpenClaw Configurations
Hudson Rock discovered the first live case of an infostealer exfiltrating OpenClaw AI‑agent configuration files, marking a major shift from credential theft to stealing tokens, private keys, and personal AI “identity” data. The malware, likely a Vidar variant, used a broad file‑grabbing routine to sweep the victim’s .openclaw directory, capturing gateway tokens, cryptographic keys, and context files that could enable full impersonation of the user’s AI agent.
PromptSpy Ushers in a New Era of Android Threats Using GenAI
ESET researchers uncovered PromptSpy, the first known Android malware to abuse generative AI—specifically Google’s Gemini—to analyze on‑screen elements and guide malicious UI actions for persistence. The malware deploys a built‑in VNC module for remote access, captures lockscreen data, blocks uninstallation with invisible overlays, and primarily targets users in Argentina.
Cloud & Infrastructure Exploits
PayPal February 2026 Data Breach Notification
A coding error in PayPal’s Working Capital loan application exposed sensitive customer data—including names, contact details, Social Security numbers, and dates of birth—from July to December 2025. PayPal reset affected account passwords, issued refunds for unauthorized transactions, and is offering two years of complimentary Equifax credit monitoring to impacted users.
Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access
Salesforce warns that threat actors are exploiting misconfigured Experience Cloud guest user settings, allowing unauthorized access to CRM data through a modified AuraInspector scanning tool. The activity stems from overly permissive customer‑configured guest profiles—not a platform vulnerability—and organizations are urged to audit permissions and apply least‑privilege controls immediately.
Recommended Actions
Mitigations
- Enforce strong network segmentation, isolating OT, surveillance systems, and any public‑facing IoT devices.
- Mandate firmware updates for all IP cameras and IoT appliances; disable UPnP and unnecessary remote access.
- Harden SQL, SharePoint, VPNs, and remote‑access infrastructure—common targets for MOIS- and Chinese‑linked APT groups.
- Require privileged access management (PAM) for all admin accounts with MFA enforced.
- Block high‑risk file types and disable macros for Office installations organization‑wide.
- Enforce strict egress filtering to prevent exfiltration via Rclone or unauthorized cloud apps.
- Deploy application allowlisting on critical assets to prevent execution of tools like PlugX or Dindoor/Fakeset backdoors.
Monitoring/Detection
Emerging Threat & APT Activity
- Track sudden login attempts from Middle East or APAC IP ranges, especially involving VPNs, O365, or identity providers.
- Monitor IP camera and IoT behavior, including unusual outbound traffic to unknown cloud hosts or uncommon ports.
- Alert on high‑volume ZIP/RAR creation, staging directories, or command‑line compressions commonly used during espionage operations.
- Enable robust logging for PowerShell, WMI, LDAP queries, and lateral-movement patterns associated with MuddyWater, Void Manticore, and other Iranian/Chinese‑linked threat actors.
- Detect PlugX, Dindoor, or Fakeset indicators such as DLL sideloading, unexpected scheduled tasks, anomalous service creation, or DNS queries with NXDOMAIN‑heavy patterns.
Social Engineering Campaigns
- Flag email bombing campaigns targeting user inboxes, a common precursor to Teams impersonation and IT-helpdesk spoofing.
- Monitor for unexpected Teams messages from external domains or newly created internal accounts.
- Detect connections to typosquatted or newly registered LastPass‑themed domains, especially involving password reset attempts.
- Identify Quick Assist sessions that were not initiated by IT and unusual MSI installation activity from temporary directories.
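The last two bullets can be expressed over process-creation telemetry. The Python below is an added example (not from the original page): it runs against constructed Sysmon-style events and flags Quick Assist launches on hosts with no helpdesk ticket opened shortly beforehand (the ticket list stands in for a hypothetical helpdesk export), and `msiexec.exe` installs whose package path sits in a temporary directory. Hostnames, users, executable paths and ticket IDs are made up.

```python
"""Endpoint detections for Quick Assist abuse and MSI installs from temp directories.

Added example, not from the original page. Events are constructed in a Sysmon-like
shape; the helpdesk ticket feed, hostnames and executable paths are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the launched executable
    cmdline: str


TEMP_DIR = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)      # ...\Temp\... or /tmp/...
MSI_PATH = re.compile(r'"([^"]*\.msi)"|(\S+\.msi)', re.IGNORECASE)  # quoted or bare package path


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msi_from_temp(ev: ProcEvent):
    """Return the package path if msiexec is installing an .msi from a temp directory, else None."""
    if basename(ev.image) != "msiexec.exe":
        return None
    for m in MSI_PATH.finditer(ev.cmdline):
        path = m.group(1) or m.group(2)
        if TEMP_DIR.search(path):
            return path
    return None


def quick_assist_unapproved(ev: ProcEvent, approved, lead=timedelta(hours=2)) -> bool:
    """True for a Quick Assist launch with no helpdesk ticket opened for that host
    in the preceding `lead` window."""
    if basename(ev.image) != "quickassist.exe":
        return False
    return not any(
        t["host"] == ev.host and timedelta(0) <= ev.ts - t["opened"] <= lead
        for t in approved
    )


def detect(events, approved):
    """Return a list of (host, rule, detail) alerts."""
    alerts = []
    for ev in events:
        if quick_assist_unapproved(ev, approved):
            alerts.append((ev.host, "quick_assist_unapproved", ev.user))
        path = msi_from_temp(ev)
        if path:
            alerts.append((ev.host, "msi_from_temp", path))
    return alerts


# Constructed telemetry.
T = datetime(2026, 3, 12, 10, 0)
QA = r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"   # made-up install path
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    ProcEvent(T + timedelta(minutes=5), "ws-101", "jdoe", QA, "QuickAssist.exe"),
    ProcEvent(T + timedelta(minutes=9), "ws-101", "jdoe", MSIEXEC,
              r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\TeamsUpdate.msi" /qn'),
    ProcEvent(T + timedelta(minutes=30), "ws-103", "svc-deploy", MSIEXEC,
              r'msiexec.exe /i "C:\ProgramData\Deploy\7zip.msi" /qn'),
    ProcEvent(T + timedelta(minutes=31), "ws-104", "SYSTEM", MSIEXEC,
              r"msiexec.exe /package C:\Windows\Temp\agent.msi /quiet"),
    ProcEvent(T + timedelta(minutes=60), "ws-102", "asmith", QA, "QuickAssist.exe"),
]
# Hypothetical helpdesk export: ws-102's session was preceded by a ticket, ws-101's was not.
APPROVED_SESSIONS = [{"ticket": "HD-4821", "host": "ws-102", "opened": T + timedelta(minutes=40)}]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, APPROVED_SESSIONS):
        print(alert)
```

The ticket correlation is what keeps the Quick Assist rule from paging on every legitimate support session; the MSI rule deliberately ignores signed-or-not, because the campaign described above used digitally signed packages, so the install location is the better signal.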
Ransomware & Infostealers
- Monitor access to sensitive directories and files, especially:
– .openclaw and other AI-agent configuration directories; .json, .pem, and .token files
- Alert on high-volume file reads and broad file-grabbing behavior typical of Vidar or similar infostealers.
- Detect outbound connections to:
– Pastebin-style data dump sites
– Temporary file sharing domains
– DNS MX–based C2 traffic (used by A0Backdoor)
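The file-grabbing and DNS MX-based C2 bullets in this list, together with the NXDOMAIN-heavy pattern from the APT list above, as one added Python example (not part of the original page). File-access events and DNS log lines are constructed in simplified formats; the sensitive directories beyond `.openclaw`, the extensions beyond those named in the list, the thresholds and the mail-server allowlist are assumptions to tune per environment.

```python
"""Infostealer file-grab and DNS C2 detections (added example, not from the page).

File events and DNS log lines below are constructed in simplified formats.
Thresholds, extra sensitive directories and the mail-server allowlist are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Named on the page: the .openclaw directory and .json/.pem/.token files. The rest is assumed.
SENSITIVE_EXTS = (".json", ".pem", ".token", ".key")
SENSITIVE_DIRS = (".openclaw", ".ssh", ".aws")


def is_sensitive(path: str) -> bool:
    p = path.lower().replace("\\", "/")
    return p.endswith(SENSITIVE_EXTS) or any(f"/{d}/" in p for d in SENSITIVE_DIRS)


def file_grab_bursts(events, window=timedelta(seconds=60), threshold=8):
    """events: (ts, host, process, path). Return {(host, process): peak} for every
    process that read >= threshold distinct sensitive files inside one window."""
    hits = {}
    recent = defaultdict(deque)          # (host, process) -> deque of (ts, path)
    for ts, host, proc, path in sorted(events):
        if not is_sensitive(path):
            continue
        q = recent[(host, proc)]
        q.append((ts, path))
        while ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            hits[(host, proc)] = max(hits.get((host, proc), 0), distinct)
    return hits


def parse_dns(lines):
    """Constructed log format: '<iso-ts> <client-ip> <qname> <qtype> <rcode>'."""
    for line in lines:
        _ts, client, qname, qtype, rcode = line.split()
        yield client, qname.lower(), qtype.upper(), rcode.upper()


def dns_anomalies(lines, mail_servers=frozenset(), min_queries=20, nx_ratio=0.5, mx_threshold=5):
    """Per client: NXDOMAIN-heavy resolution, and MX queries from a host that is not a
    mail server (workstations have no business asking for MX records)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "mx": 0})
    for client, _qname, qtype, rcode in parse_dns(lines):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        if qtype == "MX":
            s["mx"] += 1
    findings = {}
    for client, s in sorted(stats.items()):
        reasons = []
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio:
            reasons.append("nxdomain_heavy")
        if client not in mail_servers and s["mx"] >= mx_threshold:
            reasons.append("mx_beacon")
        if reasons:
            findings[client] = reasons
    return findings


# Constructed telemetry: a grabber sweeping one user's profile in nine seconds, and an
# editor touching three JSON files over ten minutes.
T0 = datetime(2026, 3, 12, 9, 10, 0)
_GRAB = [
    r"C:\Users\mei\.openclaw\gateway.token", r"C:\Users\mei\.openclaw\agent.json",
    r"C:\Users\mei\.openclaw\context\memory.json", r"C:\Users\mei\.openclaw\keys\signing.pem",
    r"C:\Users\mei\.ssh\id_ed25519", r"C:\Users\mei\.aws\credentials",
    r"C:\Users\mei\AppData\Roaming\wallet\keystore.json", r"C:\Users\mei\Documents\api.token",
    r"C:\Users\mei\Documents\ca.pem",
]
FILE_EVENTS = [(T0 + timedelta(seconds=i), "ws-201", "update.exe", p) for i, p in enumerate(_GRAB)]
FILE_EVENTS += [(T0 + timedelta(minutes=5 * i), "ws-202", "Code.exe", p) for i, p in enumerate(
    [r"C:\repo\package.json", r"C:\repo\tsconfig.json", r"C:\repo\.vscode\settings.json"])]

DNS_LOG = (
    [f"2026-03-12T09:00:{i:02d} 10.0.0.7 www.example.com A NOERROR" for i in range(10)]
    + [f"2026-03-12T09:01:{i:02d} 10.0.0.5 {i:04x}.updates-cdn.example MX NOERROR" for i in range(12)]
    + [f"2026-03-12T09:02:{i:02d} 10.0.0.9 svc-{i:03d}.corp.example A NXDOMAIN" for i in range(18)]
    + [f"2026-03-12T09:03:{i:02d} 10.0.0.9 intranet.corp.example A NOERROR" for i in range(6)]
    + [f"2026-03-12T09:04:{i:02d} 10.0.0.20 partner{i}.example MX NOERROR" for i in range(30)]
)

if __name__ == "__main__":
    print(file_grab_bursts(FILE_EVENTS))
    print(dns_anomalies(DNS_LOG, mail_servers=frozenset({"10.0.0.20"})))
```

Both detections key on rate rather than on indicators, which is the point: a grabber sweeping `.openclaw`, `.ssh` and wallet files in seconds looks nothing like a developer opening three JSON files, and a workstation issuing a dozen MX lookups to one domain stands out even when the domain itself is unknown. Without the allowlist the real mail server (10.0.0.20) would trip the MX rule, so that list is part of the detection, not an afterthought.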
Cloud & Infrastructure Exploits
- Implement continuous monitoring of:
– Salesforce guest user permissions
– Public/guest object exposure
– Audit logs for unexpected API usage
- In payment/finance systems, monitor:
– Bulk access to PII
– Scripted or automated form submissions
– Authentication failures followed by password resets
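An added example (not Salesforce's or Fortress SRM's code) of the guest-profile audit recommended above. The profile below is a constructed, simplified dictionary loosely modelled on the object-permission and user-permission entries of a Salesforce profile; it is not the Metadata API format, and the allowlist of objects the site legitimately exposes and the set of elevated user permissions are hypothetical. The audit flags write or view-all object permissions, read access on objects the site does not need, and elevated user permissions; everything it returns is a review item, and the second function shows the least-privilege shape the profile should converge to.

```python
"""Guest-user profile audit for an Experience Cloud site.

Added example, not Salesforce or Fortress SRM code. The profile dictionary is a
constructed simplification loosely modelled on the object and user permission entries
of a Salesforce profile; it is not the Metadata API format.
"""

# Objects the (hypothetical) public site legitimately needs guests to read.
GUEST_ALLOWED_READ = frozenset({"Knowledge__kav", "Case"})
# User-level permissions a guest profile should never carry (assumed set).
ELEVATED_USER_PERMS = frozenset({"ViewAllData", "ModifyAllData", "ApiEnabled"})
# Object-level flags that grant writes or org-wide record visibility.
WRITE_FLAGS = ("allowCreate", "allowEdit", "allowDelete", "modifyAllRecords", "viewAllRecords")


def audit_guest_profile(profile, allowed_read=GUEST_ALLOWED_READ):
    """Return [(object, finding, flags)] for every deviation from least privilege."""
    findings = []
    for op in profile.get("objectPermissions", []):
        obj = op["object"]
        granted = [flag for flag in WRITE_FLAGS if op.get(flag)]
        if granted:
            findings.append((obj, "write_access", granted))
        if op.get("allowRead") and obj not in allowed_read:
            findings.append((obj, "read_not_required", ["allowRead"]))
    for up in profile.get("userPermissions", []):
        if up.get("enabled") and up["name"] in ELEVATED_USER_PERMS:
            findings.append(("*", "elevated_user_permission", [up["name"]]))
    return findings


def least_privilege_profile(profile, allowed_read=GUEST_ALLOWED_READ):
    """The shape the guest profile should have: read-only on allowlisted objects,
    every elevated user permission switched off."""
    return {
        "name": profile["name"],
        "objectPermissions": [{"object": obj, "allowRead": True} for obj in sorted(allowed_read)],
        "userPermissions": [
            {"name": up["name"],
             "enabled": bool(up.get("enabled")) and up["name"] not in ELEVATED_USER_PERMS}
            for up in profile.get("userPermissions", [])
        ],
    }


# Constructed over-permissive guest profile of the kind the advisory describes.
SAMPLE_GUEST_PROFILE = {
    "name": "Support Site Guest User",
    "objectPermissions": [
        {"object": "Knowledge__kav", "allowRead": True},
        {"object": "Case", "allowRead": True, "allowCreate": True},
        {"object": "Contact", "allowRead": True, "viewAllRecords": True},
        {"object": "Opportunity", "allowRead": True},
        {"object": "Account", "allowRead": False},
    ],
    "userPermissions": [
        {"name": "ApiEnabled", "enabled": True},
        {"name": "ViewAllData", "enabled": False},
    ],
}

if __name__ == "__main__":
    for obj, finding, flags in audit_guest_profile(SAMPLE_GUEST_PROFILE):
        print(f"{obj:15} {finding:25} {', '.join(flags)}")
    print("hardened:", audit_guest_profile(least_privilege_profile(SAMPLE_GUEST_PROFILE)))
```

The `Contact` row is the case the advisory is about: read access plus `viewAllRecords` on an object the site does not need is exactly what an unauthenticated scanner walking the site's Aura endpoints would turn into bulk CRM data. Where a guest genuinely must create records (the `Case` finding here), treat the flag as a documented exception rather than silently accepting it.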
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy

