Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple privilege escalation vulnerabilities in core enterprise products, including Active Directory Domain Services and SQL Server, with public reporting highlighting network-reachable attack paths that require only authenticated or otherwise authorized access. CVE-2026-25177 affects AD DS and was described as an elevation-of-privilege issue tied to improper restriction of file and resource names, enabling abuse of crafted Unicode characters to create duplicate SPN or UPN values. Reporting indicates this can interfere with Kerberos ticket handling, potentially causing denial of service, triggering fallback to NTLM where enabled, and ultimately enabling escalation to SYSTEM-level control in affected environments.
Microsoft also disclosed CVE-2026-21262 in SQL Server, an Important-rated flaw with a CVSS 8.8 score that allows an authenticated attacker to elevate privileges to sysadmin, giving full control over the database instance. Public reporting said Microsoft assessed exploitation as less likely and had not observed active in-the-wild abuse at disclosure time, but noted the issue was publicly disclosed, increasing the risk of follow-on exploit development. Other referenced items about ADCS ESC1, Cisco SD-WAN Manager, and n8n concern separate products and unrelated vulnerabilities, while the standalone MSRC entry does not provide enough detail in the supplied content to confirm it is part of the same specific event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Technical details published for SQL Server flaw CVE-2026-32176
By 2026-04-14, public reporting described an exploitation path for Microsoft SQL Server vulnerability CVE-2026-32176 in which an authenticated attacker with sufficient database privileges could inject SQL into a vulnerable system procedure and, via EXECUTE AS context switching, gain sysadmin rights. The report said successful exploitation could enable full control of the SQL Server instance, including persistence, OS command execution, and lateral movement.
Microsoft discloses and patches SQL Server zero-day CVE-2026-21262
By 2026-03-11, Microsoft disclosed CVE-2026-21262, a publicly known zero-day improper access control vulnerability in Microsoft SQL Server that lets an authenticated low-privileged user escalate to SQL sysadmin. Microsoft released security updates for supported SQL Server versions and said the flaw was publicly disclosed but not observed being actively exploited.
Microsoft releases fixes for AD DS privilege-escalation flaw CVE-2026-25177
On 2026-03-10, Microsoft issued an Important security update for Active Directory Domain Services to fix CVE-2026-25177, a network-exploitable elevation-of-privilege bug involving crafted Unicode characters in SPN/UPN handling. Microsoft said exploitation was less likely and that it had not seen public exploit code or active attacks at the time of release.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-32176: CVE-2026-32176: Elevation of Privilege via SQL Injection in Microsoft SQL Server | CVEReports
cvereports.com
Open sourceMicrosoft Active Directory Domain Services Vulnerability Let Attackers Escalate Privileges
cybersecuritynews.com
Open sourceMicrosoft SQL Server Zero-Day Vulnerability Allows Attackers to Escalate Privileges
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Active Directory Domain Services Elevation of Privilege Flaw
Microsoft disclosed and patched **`CVE-2026-25177`**, an **Active Directory Domain Services (AD DS) Elevation of Privilege** vulnerability, through its Security Update Guide. The issue affects a core identity service used across Windows enterprise environments, where successful exploitation could allow an attacker to gain higher privileges within an AD-managed domain and increase control over affected systems or directory operations. The new advisory follows earlier Microsoft fixes for similar AD DS privilege-escalation bugs, including **`CVE-2022-34691`** and **`CVE-2021-42287`**, underscoring the continued security risk around domain controller and directory service weaknesses. Organizations running AD DS should prioritize Microsoft’s security updates, assess exposure across domain controllers, and review privileged account activity for signs of attempted abuse tied to elevation-of-privilege paths in Active Directory.
May 25, 2026
Microsoft Patches Multiple Windows Elevation-of-Privilege Flaws in Networking Components
Microsoft disclosed and patched several Windows elevation-of-privilege vulnerabilities affecting networking-related components, including **Windows Remote Access Connection Manager**, **Windows SMB Server**, and **Network Connection Status Indicator (NCSI)**. The issues tracked as `CVE-2025-62474`, `CVE-2025-62472`, `CVE-2025-47955`, `CVE-2025-59201`, and `CVE-2025-58726` could allow attackers with limited access to gain higher privileges on targeted systems, extending a pattern of privilege-escalation risk previously seen in the same Remote Access Connection Manager component with `CVE-2022-21914`. Among the disclosed flaws, Microsoft provided additional detail for **`CVE-2025-58726`**, describing an **Important** improper access control issue in **Windows SMB Server** that can let an authorized low-privilege attacker elevate to **SYSTEM** over the network by coercing a victim machine to authenticate to an attacker-controlled SMB server using a specially crafted script. Microsoft assigned the bug **CWE-284** and a **CVSS v3.1 score of 7.5**, said exploitation required specific conditions involving an unused or nonexistent Service Principal Name on the target, and stated that the vulnerability was neither publicly disclosed nor exploited in the wild at publication and that a security fix was available.
May 25, 2026
Microsoft Discloses Windows Elevation of Privilege Vulnerabilities
Microsoft published security advisories for two **Elevation of Privilege** flaws affecting Windows components: `CVE-2026-23660` in **Windows Admin Center in Azure Portal** and `CVE-2025-62472` in **Windows Remote Access Connection Manager**. Both entries were released through Microsoft's Security Update Guide, identifying separate privilege-escalation issues in enterprise-relevant Windows management and connectivity functionality. The disclosures indicate that attackers who successfully exploit the vulnerabilities could gain higher privileges on affected systems, increasing the risk of broader compromise after initial access. Organizations using Windows administrative tooling in Azure environments and systems relying on Remote Access Connection Manager should review Microsoft's advisories, determine exposure to the affected components, and prioritize applicable security updates and mitigation steps.
May 25, 2026