The March 2026 Patch Reality Check: Public Zero-Days, “Preview Pane” Office Risk, and Browser Extension Exposure


In the month of March, the big theme wasn’t “hundreds of scary CVEs.” It was how quickly risk moves when details are public and how often attacks ride on normal daily behaviour: previewing Office content, running productivity tools, and using browser extensions.

Microsoft’s March 10, 2026 Patch Tuesday fixed ~79 vulnerabilities and included two publicly disclosed “zero-day” issues (publicly known before patch release). Multiple sources also flagged two critical Office vulnerabilities tied to workflows like Preview Pane, plus an attention-grabbing Chrome extension vulnerability involving the Gemini side panel. (BleepingComputer)

Note: The Chrome extension issue (CVE-2026-0628) is outside the Microsoft Patch Tuesday cycle. It’s included here because it was actively discussed in the same Feb 13 → Mar 12 window and impacts endpoint risk, but it is fixed via Chrome (and Chromium-based browser) updates, not Microsoft LCUs.


CVE Visibility

| CVE ID (MSRC / Vendor) | Severity (commonly reported) | Publicly disclosed | Exploited in the wild | Affected product | Patch availability / fix type | Action |
|---|---|---|---|---|---|---|
| CVE-2026-26110 | Critical | Not stated as public | Not confirmed | Microsoft Office | Microsoft Patch Tuesday release | Patch via Vulnerability Manager Plus |
| CVE-2026-26113 | Critical | Not stated as public | Not confirmed | Microsoft Office | Microsoft Patch Tuesday release | Patch via Vulnerability Manager Plus |
| CVE-2026-26144 | High | Widely discussed | Not confirmed | Excel + Copilot workflow | Microsoft Patch Tuesday release | Patch via Vulnerability Manager Plus |
| CVE-2026-0628 (Chrome) | High | Yes (widely written up) | Not confirmed (in public reporting) | Google Chrome (Gemini side panel) | Third-party release | Patch via Vulnerability Manager Plus |

*Publicly disclosed = details are already out there, so attackers can study and replicate them faster.

Exploited in the wild = confirmed active attacks are already happening.

Both matter, but publicly disclosed issues usually need faster patching because the “how-to” is available.

 

The “Patch This First” List (priority windows)  

Priority 0 (0–48 hours): “Daily workflow” risk

  • Office (Preview Pane–discussed risk): CVE-2026-26110 / CVE-2026-26113 (Windows Central)

  • Chrome extension/Gemini side panel: CVE-2026-0628 (The Hacker News)

Priority 1 (48 hours–7 days): Publicly disclosed Microsoft items

  • CVE-2026-21262 / CVE-2026-26127 (BleepingComputer)

Priority 2 (ongoing): Verify + reduce repeat risk

  • Confirm installs succeeded; tighten extension policy; reduce unnecessary admin privileges.

FAQ  

Q: What’s more urgent — “publicly disclosed” or “critical”?
A: If something is publicly disclosed, attackers don’t need to guess — they can move faster. If something is critical and tied to daily workflows (like Office previewing), it also goes to the top of the list.

Q: If nothing is confirmed “exploited in the wild,” why rush?
A: Because “not confirmed” doesn’t mean “not happening.” It often means “not publicly verified yet.” Patch the easiest-to-trigger paths first: Office and browsers.

Q: What’s the simplest rule for employees?
A: Be cautious with unexpected Office files and don’t install random browser extensions.


Beyond the Patch: What still needs “human action”  

Even with patches available, these are the common gaps that keep orgs exposed:

Office Preview workflows (CVE-2026-26110 / 26113):
Patch Office quickly and verify the updated build is actually present (not just “scheduled”). (Windows Central)

Excel + Copilot data exposure angle (CVE-2026-26144):
Attack method: This flaw allows a crafted Excel file to leverage Copilot/agent workflows to exfiltrate sensitive data from the spreadsheet, creating an ‘AI-assisted data leakage’ scenario. (TechRadar)

Chrome extension exposure (CVE-2026-0628):
Patching Chrome isn’t enough if users can install anything. The durable fix is: update Chrome + enforce an extension allowlist. (Unit 42)
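The two verification points above (is the patched Office build actually on the box, and is Chrome both current and locked to an extension allowlist) can be checked per endpoint with the script below. This is an added example, not code from the original post or from ManageEngine; the minimum version numbers are placeholders you must replace with the fixed builds from the vendor advisories, and it reads only the standard Click-to-Run, Chrome binary and Chrome policy registry locations.

```powershell
# Added example (not from the original post): verify, rather than assume, that the
# March 2026 fixes are present on a Windows endpoint and that Chrome extension
# installs are restricted to an allowlist. Versions below are PLACEHOLDERS; replace
# them with the fixed build numbers published in the vendor advisories.
$MinOfficeBuild   = [version]'16.0.0.0'   # placeholder: patched Office Click-to-Run build
$MinChromeVersion = [version]'0.0.0.0'    # placeholder: Chrome release carrying the CVE-2026-0628 fix

$result = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1) Office Click-to-Run records the build it is actually running here.
#    A "scheduled" update does not change this value until it really installs.
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    $officeBuild = [version]$c2r.VersionToReport
    $result.OfficeBuild   = $officeBuild.ToString()
    $result.OfficePatched = ($officeBuild -ge $MinOfficeBuild)
} else {
    $result.OfficeBuild   = 'not found (no Click-to-Run install)'
    $result.OfficePatched = $null
}

# 2) Chrome's version is taken from the binary on disk, not from an update schedule.
$chromePaths = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                 "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
$chromeExe = $chromePaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($chromeExe) {
    $chromeVersion = [version](Get-Item $chromeExe).VersionInfo.ProductVersion
    $result.ChromeVersion = $chromeVersion.ToString()
    $result.ChromePatched = ($chromeVersion -ge $MinChromeVersion)
} else {
    $result.ChromeVersion = 'not installed'
    $result.ChromePatched = $null
}

# 3) An allowlist only enforces anything when the blocklist denies everything else ("*").
#    Both policies are lists stored as numbered values under the Chrome policy key.
$policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$allow  = Get-ItemProperty "$policy\ExtensionInstallAllowlist" -ErrorAction SilentlyContinue
$block  = Get-ItemProperty "$policy\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
$allowIds = @()
if ($allow) { $allowIds = @($allow.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }) }
$blockAll = $false
if ($block) { $blockAll = [bool]($block.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq '*' }) }
$result.ExtensionAllowlistCount    = $allowIds.Count
$result.ExtensionAllowlistEnforced = ($blockAll -and $allowIds.Count -gt 0)

[pscustomobject]$result | Format-List
```

Any endpoint reporting OfficePatched or ChromePatched as False, or ExtensionAllowlistEnforced as False, is the "scheduled but not installed" or "patched but open to any extension" gap the section describes and belongs in the Priority 2 follow-up.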


Managing the “friction” with Vulnerability Manager Plus

Here’s how to execute March’s patch plan without a chaotic “push and pray.”

1) Control the rollout (pilot → rings)  

Use Deployment Policy to push patches to a pilot group first, then expand once stability looks good.
Deployment Policy: https://www.manageengine.com/products/desktop-central/help/patch_management/patch-deployment-policy.html (ManageEngine)

2) Automate monthly patching so March doesn’t become a fire drill  

Use Automate Patch Deployment (APD) so Windows + third-party patches roll out on schedule.
APD: https://www.manageengine.com/products/desktop-central/help/patch_management/apd.html (ManageEngine)

3) Prove compliance (not just “we pushed it”)  

Use Patch Reports to show what actually installed and what failed/needs attention.
Patch Reports: https://www.manageengine.com/products/desktop-central/help/reports/viewing_patch_reports.html (ManageEngine)

4) Don’t miss Chrome (this month’s big non-Microsoft storyline)  

Treat Chrome like a first-class patch target (because it is). If Chrome is outdated, it becomes the hole attackers choose.
Patch management setup overview: https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/patch_management_setup.html (ManageEngine)



Summary Checklist

  • Prioritize Office updates (CVE-2026-26110 / 26113) and verify versions. (Windows Central)

  • Patch Chrome and enforce an approved-extension policy (CVE-2026-0628). (Unit 42)

  • Patch the publicly disclosed Microsoft items (CVE-2026-21262, CVE-2026-26127). (BleepingComputer)

  • Use Vulnerability Manager Plus: pilot → deploy → verify (Deployment Policy + APD + Patch Reports). (ManageEngine)

