March 2026 Brought 83 Patch Tuesday CVEs and Three CISA KEV Additions — How to Prioritise

March 2026's Patch Tuesday addressed 83 vulnerabilities, including critical Office RCEs, an Active Directory privilege escalation now in CISA's KEV catalogue, and a Kerberos security feature bypass. Factor in three separate CISA KEV additions during the month — F5 BIG-IP, Citrix NetScaler, and Active Directory — and security teams enter April with a substantial patching backlog. This analysis cuts through the volume to identify where to focus.

#vulnerability-management #patch-tuesday #cisa-kev #prioritisation #microsoft #enterprise

The March Patch Load

March 2026 Patch Tuesday (10 March) delivered 83 security fixes across Microsoft’s product portfolio. The volume is not exceptional — Microsoft regularly releases 80 to 120 CVEs per month — but the composition of this month’s batch demands careful prioritisation.

Three vulnerabilities from the March batch, together with three CISA KEV additions made during the month, combine into a patching obligation that security teams should be completing now rather than deferring to the April cycle.

Tier 1: CISA KEV Additions — Patch Immediately

These vulnerabilities have confirmed active exploitation. There is no acceptable deferral.

CVE-2026-25177 — Active Directory Domain Services Privilege Escalation

Added to CISA KEV in late March following confirmed exploitation. Allows a low-privileged domain user to escalate to domain administrator via SPN/UPN manipulation. Every domain controller running an unpatched Windows Server version is exposed. This is the most urgent internal Microsoft patch from March.

CVE-2025-53521 — F5 BIG-IP APM Remote Code Execution

Added to CISA KEV on 27 March. Not a Patch Tuesday item — it is an F5 product — but it belongs in any comprehensive March patch audit. CVSS 9.8. Actively exploited. If your organisation runs BIG-IP APM in any supported version line, patching is overdue.

CVE-2026-3055 — Citrix NetScaler ADC/Gateway Memory Overread

Added to CISA KEV on 30 March. CVSS 9.3. Affects NetScaler appliances configured as SAML Identity Providers. Full session token disclosure enables lateral movement without credentials. See the separate article for detailed guidance.

Tier 2: Critical but Not Yet Confirmed Exploited

CVE-2026-26110 and CVE-2026-26113 — Microsoft Office Remote Code Execution

Two critical RCEs in Microsoft Office, both with CVSS scores above 8.0, patched in the March Patch Tuesday. Both can be triggered by opening a malicious Office document — a consistently effective phishing delivery mechanism. While neither is currently in the CISA KEV catalogue, Office RCE vulnerabilities reliably progress to active exploitation within 30 to 60 days of patch release as threat actors reverse-engineer the patches. Patch all Office installations.

CVE-2026-23669 — Windows Print Spooler Remote Code Execution

A remote code execution vulnerability in the Windows Print Spooler service, architecturally similar to the PrintNightmare family of vulnerabilities that caused widespread damage in 2021. CVSS 8.8. No confirmed exploitation yet, but the attack surface (print services are enabled by default on most Windows systems) and the precedent of prior Print Spooler exploitation make this a priority-two patch.

CVE-2026-24297 — Windows Kerberos Security Feature Bypass

A race condition in the Kerberos implementation that can be triggered remotely, bypassing security checks in the authentication flow. CVSS 7.5. No user interaction required. Patch all Windows systems — servers first, then workstations.

Tier 3: Complete Within the Normal Patch Cycle

The remaining 77 CVEs from March Patch Tuesday include a mix of elevation-of-privilege, information disclosure, and denial-of-service vulnerabilities across Windows components, Azure services, and developer tools. These should be patched within your standard patch cycle (typically 14 to 30 days for managed systems) with no emergency escalation required.

Prioritisation Framework

When facing high-volume patch releases, apply this ordering:

  1. CISA KEV entries — these have confirmed active exploitation and must be treated as incidents in progress
  2. Remote code execution with no user interaction (CVSS ≥ 9.0) — attackers can scan for these at scale
  3. Privilege escalation in authentication infrastructure (AD, Kerberos, LDAP) — once exploited, impact is organisational-level
  4. Remote code execution requiring minimal user interaction (Office documents, media files) — high-volume phishing delivery
  5. Everything else — standard patch cycle
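The ordering above, applied to the CVEs this article discusses, as an added example (not the article's own tooling). Bucket rules follow the five steps literally; the tie-break inside a bucket uses the asset order from the Practical Advice section (domain controllers, then perimeter appliances, then Office workstations). CVSS scores the article does not state are left as None, and the user-interaction flags for the F5 and Print Spooler CVEs are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Vuln:
    cve: str
    kev: bool                  # listed in CISA KEV (confirmed exploitation)
    vclass: str                # "rce", "eop", "sfb", "info", "dos"
    cvss: Optional[float]      # None where the article gives no score
    ui: str                    # "none" or "minimal" (e.g. opening a document)
    asset: str                 # "dc", "perimeter", "office-ws" or "other"
    auth_infra: bool = False   # AD, Kerberos, LDAP

# Buckets follow the article's five-step ordering; lower = patch sooner.
LABELS = {
    1: "CISA KEV: treat as an incident in progress",
    2: "RCE, no user interaction, CVSS >= 9.0",
    3: "privilege escalation in authentication infrastructure",
    4: "RCE via minimal user interaction (documents, media)",
    5: "standard patch cycle (14-30 days)",
}
# Tie-break inside a bucket, from the Practical Advice section.
ASSET_ORDER = {"dc": 0, "perimeter": 1, "office-ws": 2, "other": 3}

def bucket(v: Vuln) -> int:
    if v.kev:
        return 1
    if v.vclass == "rce" and v.ui == "none" and (v.cvss or 0.0) >= 9.0:
        return 2
    if v.vclass == "eop" and v.auth_infra:
        return 3
    if v.vclass == "rce" and v.ui == "minimal":
        return 4
    return 5

def triage(vulns: List[Vuln]) -> List[Vuln]:
    # Stable sort: bucket first, then the asset order; input order breaks ties.
    return sorted(vulns, key=lambda v: (bucket(v), ASSET_ORDER[v.asset]))

# Constructed sample from the figures quoted in the article; "ui" for the
# F5 and Print Spooler entries is an assumption, not something the article states.
MARCH = [
    Vuln("CVE-2026-26110", False, "rce", None, "minimal", "office-ws"),  # Office, CVSS > 8.0
    Vuln("CVE-2026-23669", False, "rce", 8.8, "none", "other"),          # Print Spooler; ui assumed
    Vuln("CVE-2026-25177", True, "eop", None, "none", "dc", True),       # AD DS, in KEV
    Vuln("CVE-2026-24297", False, "sfb", 7.5, "none", "dc", True),       # Kerberos bypass
    Vuln("CVE-2025-53521", True, "rce", 9.8, "none", "perimeter"),       # F5 BIG-IP APM, in KEV
    Vuln("CVE-2026-3055", True, "info", 9.3, "none", "perimeter"),       # NetScaler, in KEV
    Vuln("CVE-2026-26113", False, "rce", None, "minimal", "office-ws"),  # Office, CVSS > 8.0
]
```

Under the literal rules the Print Spooler and Kerberos CVEs land in the last bucket (8.8 is below the 9.0 threshold, and a feature bypass is not a privilege escalation), so the article's Tier 2 placement of them is a judgement applied on top of the framework rather than something the rules alone produce.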

Practical Advice

Teams that are behind on the March patch cycle should not wait for the April Patch Tuesday. This month’s Tier 1 items have confirmed exploitation; every additional day of exposure is a day attackers can use the vulnerability. Prioritise domain controllers, network perimeter appliances, and Office-running workstations in that order.

For organisations with constrained patching resources, applying the CVE triage framework above is more valuable than attempting to patch everything simultaneously. A targeted, prioritised approach to the top 6–8 CVEs from March will close the most significant exposure within available resources.