
"These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited."
"If the attacker can interact with the MCP-backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access."
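The quote above describes the classic shape of a server-side request forgery that leaks a credential: caller-controlled input that should be a resource identifier is instead treated as a destination, and the server's own bearer token travels with the request. The block below is an added illustration from a defender's point of view; it is not code from the Azure MCP Server project, from Microsoft, or from the SecurityWeek article, and the page says nothing about how the real fix works. The resource-ID pattern, the `ALLOWED_TOKEN_HOSTS` allowlist, the `build_request` and `audit_outbound` functions and the log format are all assumptions made for the example.

```python
"""Added example (not the Azure MCP Server's own code): validate a caller-supplied
Azure resource identifier before it becomes an outbound request, and never attach
the managed identity token unless the final host is on an allowlist.
All names and formats here are assumptions for illustration."""
import re
from urllib.parse import urlsplit

# ARM resource IDs are paths of the form /subscriptions/<guid>/...; they are never URLs.
_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_RESOURCE_ID = re.compile(
    r"^/subscriptions/" + _GUID
    + r"(/resourceGroups/[A-Za-z0-9._()\-]+)?"
    + r"(/providers/[A-Za-z0-9.]+(/[A-Za-z0-9._\-]+)+)?/?$"
)

# Assumed allowlist: the only host that may ever receive the managed identity token.
ALLOWED_TOKEN_HOSTS = {"management.azure.com"}
ARM_BASE = "https://management.azure.com"


def is_resource_id(value: str) -> bool:
    """True only for a well-formed ARM resource ID path.

    Schemes, hosts, '//'-prefixed strings, query strings and '..' segments all fail,
    so an attacker cannot smuggle a destination through this field.
    """
    return bool(_RESOURCE_ID.match(value)) and ".." not in value.split("/")


def build_request(resource: str, token: str) -> dict:
    """Turn a resource identifier into an outbound request carrying the token.

    The weak pattern the quote describes would be something like
        url = resource if resource.startswith("http") else ARM_BASE + resource
    which lets 'https://attacker.example/...' replace '/subscriptions/...' while the
    Authorization header is still attached. This version refuses anything that is not
    an ARM path and re-checks the resulting host before adding the credential.
    """
    if not is_resource_id(resource):
        raise ValueError("expected an ARM resource ID path, not a URL or free-form input")
    url = ARM_BASE + resource + "?api-version=2021-04-01"  # api-version is an assumed value
    host = urlsplit(url).hostname
    if host not in ALLOWED_TOKEN_HOSTS:  # defence in depth; unreachable if the regex holds
        raise ValueError(f"refusing to send a credential to {host}")
    return {"url": url, "headers": {"Authorization": "Bearer " + token}}


def audit_outbound(log_lines):
    """Detection side: flag outbound requests that carried a credential to a host
    outside the allowlist. Input lines use a constructed format:
        OUT <url> auth=<yes|no>
    Returns the list of offending URLs."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "OUT":
            continue
        url, auth = parts[1], parts[2]
        if auth == "auth=yes" and urlsplit(url).hostname not in ALLOWED_TOKEN_HOSTS:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    good = ("/subscriptions/11111111-2222-3333-4444-555555555555"
            "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1")
    print(build_request(good, "TOKEN")["url"])
    for bad in ("https://attacker.example/capture", "//attacker.example/x",
                "/subscriptions/not-a-guid"):
        try:
            build_request(bad, "TOKEN")
        except ValueError as err:
            print("rejected:", bad, "->", err)
    # Constructed log sample: one legitimate call, one token leak, one harmless fetch.
    print(audit_outbound([
        "OUT https://management.azure.com/subscriptions/x auth=yes",
        "OUT https://attacker.example/capture auth=yes",
        "OUT https://attacker.example/img.png auth=no",
    ]))
```

The two halves mirror the two things a practitioner wants after reading the quote: a strict input shape check at the point where the identifier is accepted, and a log-side check that would surface a token going anywhere other than the expected management endpoint even if the input check were bypassed.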
"Privilege escalation bugs in Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon may require attention, as such vulnerabilities are often exploited following initial access."
Microsoft announced patches for 83 vulnerabilities affecting its products in March 2026. One critical-severity flaw (CVE-2026-21536), with a CVSS score of 9.8, involves remote code execution in the Devices Pricing Program and has already been mitigated. Two publicly disclosed vulnerabilities, a denial-of-service issue in .NET and a privilege escalation defect in SQL Server, are both assessed as unlikely to be exploited. CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools, could allow attackers to capture managed identity tokens through specially crafted input. Security researchers note that privilege escalation bugs in Windows components warrant attention because such bugs are typically exploited after initial access.
#microsoft-security-patches #vulnerability-management #privilege-escalation #remote-code-execution #azure-security
Read at SecurityWeek