CVE-2026-21536
Published 2026-03-05
CVE-2026-21536: Microsoft Devices Pricing Program Remote Code Execution Vulnerability
Priority: P269 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.60% (72.7th percentile)
Microsoft Devices Pricing Program Remote Code Execution Vulnerability
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_devices_pricing_program | — | — |
| msrc | microsoft_devices_pricing_program | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability has been fully mitigated server-side by Microsoft; no customer action or patch deployment required. No technical details, payloads, or indicators have been publicly disclosed.
- Exploit status is 'Exploitation Unlikely' with no public disclosure or known in-the-wild exploitation, meaning no operational IOCs or detection artifacts are currently available.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 9.8 CRITICAL
Microsoft
Microsoft Devices Pricing Program Remote Code Execution Vulnerability
vendor_msrc·2026-03-10·CVSS 9.8
CVE-2026-21536 [CRITICAL] CWE-434 Microsoft Devices Pricing Program Remote Code Execution Vulnerability
Microsoft Devices Pricing Program Remote Code Execution Vulnerability
FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?
This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.
Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.
Microsoft Devices Pricing Program: Microsoft Devices Pricing Program
Microsoft: Microsoft
Customer Action Required: No
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely
GHSA
GHSA-v7pg-pj37-393q: Microsoft Devices Pricing Program Remote Code Execution Vulnerability
ghsa_unreviewed·2026-03-06
CVE-2026-21536 [CRITICAL] CWE-434 GHSA-v7pg-pj37-393q: Microsoft Devices Pricing Program Remote Code Execution Vulnerability
Microsoft Devices Pricing Program Remote Code Execution Vulnerability
No detection rules found.
No public exploits indexed.
Sophos
March Patch Tuesday visits 15 product families
blogs_sophos·2026-03-13
March Patch Tuesday visits 15 product families
Krebs
Microsoft Patch Tuesday, March 2026 Edition
blogs_krebs·2026-03-11·CVSS 8.8
CVE-2026-21262 [HIGH] Microsoft Patch Tuesday, March 2026 Edition
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.
Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.
“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of
Qualys
Microsoft and Adobe Patch Tuesday, March 2026 Security Update Review | Qualys
blogs_qualys·2026-03-10
Microsoft and Adobe Patch Tuesday, March 2026 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for March 2026
- Adobe Patches for March 2026
- Zero-day Vulnerabilities Patched in March Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in March Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with TruRisk Eliminate
- Qualys Monthly Webinar Series
Microsoft has rolled out its March 2026 Patch Tuesday updates, delivering a fresh batch of security fixes designed to keep Windows environments protected from emerging threats. The release addresses multiple vulnerabilities spanning Windows components and other Microsoft products. Here’s a quick breakdown of what you need to know.
Bleepingcomputer
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
blogs_bleepingcomputer·2026-03-10·CVSS 8.8
[HIGH] Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
## Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
By Lawrence Abrams
The number of bugs in each vulnerability category is listed below:
- 46 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 18 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 4 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 9 Microsoft Edge flaws, Mariner, Payment Orchestrator Service, Azure, and Microsoft Devices Pricing Program flaws fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the
Crowdstrike
March 2026 Patch Tuesday: Updates and Analysis
blogs_crowdstrike
March 2026 Patch Tuesday: Updates and Analysis
March 2026 Patch Tuesday: Eight Critical Vulnerabilities and Two Publicly Disclosed Among 82 CVEs Patched Mar 10, 2026
Sophos
March Patch Tuesday visits 15 product families
blogs_sophos
March Patch Tuesday visits 15 product families
Microsoft on Tuesday released 84 patches affecting 15 product families – including a few you’ve possibly never encountered. Eight of the addressed issues are considered by Microsoft to be of Critical severity, though none of those affect Windows, nor are they expected to be exploited within the next 30 days. In addition, five of those Critical issues were in fact addressed by Microsoft in advance of Patch Tuesday itself, as we’ll discuss below. Twenty-two have a CVSS base score of 8.0 or higher, including one with a 9.8 base score. None are known to be under active exploit in the wild, but two are publicly disclosed so far.
At patch time, six CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable
Published: 2026-03-05