Critical Microsoft Excel bug weaponizes Copilot Agent
Briefly

"CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw can be exploited to 'cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack,' Redmond warned. Yes, you read that right: a zero-click bug that weaponizes an Excel spreadsheet and the Copilot Agent to steal data."
"Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts."
"As Childs notes, it's 'an attack scenario we're likely to see more often.' This bug requires network access to exploit, but no user interaction or privilege escalation."
Microsoft released 83 CVEs in March's Patch Tuesday, a significant decrease from February's problematic month featuring six exploited zero-days. Only two CVEs are publicly known, and none are currently under active exploitation. Eight CVEs are rated critical, including CVE-2026-26144, a critical information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw enables zero-click attacks by weaponizing Copilot Agent mode to exfiltrate data through unintended network egress, requiring only network access without user interaction or privilege escalation. Information disclosure vulnerabilities pose particular risks in corporate environments containing financial data and intellectual property. Mitigation strategies include restricting outbound network traffic from Office applications, monitoring unusual network requests from Excel processes, and disabling Copilot Agent until patches are applied.
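One way to act on the monitoring advice above (an added example, not code from The Register's article or from Microsoft's guidance): a Python function that reads Sysmon-style network-connection events as JSON lines (constructed sample records using the Event ID 3 field names Image, Initiated, DestinationIp, DestinationPort, DestinationHostname) and flags connections that EXCEL.EXE initiates to destinations outside a constructed allowlist of internal ranges and approved hosts.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed allowlist: internal ranges and hosts Excel is expected to reach.
# Tune for your own environment; anything outside it is reported.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_HOSTS = {"files.corp.example"}

# Constructed Sysmon-style events (JSON lines). The first Excel connection is
# internal, the second goes to an unlisted external host, the third is not
# Excel, and the fourth is a process-creation event rather than a connection.
SAMPLE_EVENTS = r"""
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Initiated":"true","DestinationIp":"10.20.30.40","DestinationPort":443,"DestinationHostname":"files.corp.example"}
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Initiated":"true","DestinationIp":"203.0.113.77","DestinationPort":443,"DestinationHostname":"unlisted-host.example"}
{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","Initiated":"true","DestinationIp":"203.0.113.5","DestinationPort":80,"DestinationHostname":""}
{"EventID":1,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
"""


def is_allowed(event):
    """True if the destination is an approved host or inside an internal range."""
    host = (event.get("DestinationHostname") or "").lower()
    if host in ALLOWED_HOSTS:
        return True
    try:
        ip = ip_address(event["DestinationIp"])
    except (KeyError, ValueError):
        return False  # no usable destination: treat as not allowed
    return any(ip in net for net in ALLOWED_NETS)


def excel_egress_alerts(log_text):
    """Return (ip, port, hostname) for each outbound EXCEL.EXE connection
    whose destination is outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only outbound network-connection events (Sysmon Event ID 3).
        if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
            continue
        exe = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe != "excel.exe":
            continue
        if not is_allowed(ev):
            alerts.append((ev["DestinationIp"], ev.get("DestinationPort"),
                           ev.get("DestinationHostname")))
    return alerts


if __name__ == "__main__":
    for ip, port, host in excel_egress_alerts(SAMPLE_EVENTS):
        print(f"ALERT: EXCEL.EXE connected to {ip}:{port} ({host or 'no hostname'})")
```

The same filter can be expressed in a SIEM query against real Sysmon or EDR telemetry; the allowlist is the part that needs local tuning, since Office itself legitimately reaches a number of Microsoft service endpoints.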
Read at Theregister