March 2026 Patch Tuesday: 77 CVEs, No Zero-Days, But Prioritize This
Just finished reviewing the March 2026 Patch Tuesday drops. According to Krebs on Security, Microsoft addressed 77 vulnerabilities this month. The good news? We’re catching a break compared to February—there are no actively exploited zero-days in this batch. That doesn't mean we can get complacent, though.
I'm flagging CVE-2026-23105 as a priority. It's a Critical RCE in the Windows DHCP Server. If an attacker is on the same network, they could trigger this without authentication. Given how ubiquitous DHCP is in enterprise environments, I'd rate this higher than usual.
Another one to watch is CVE-2026-23088, an Elevation of Privilege (EoP) in the Windows Print Spooler. It feels like "PrintNightmare" never truly ends, doesn't it?
To speed up your verification on the DHCP patch (KB5035853), here is a quick PowerShell one-liner to check your domain controllers:
Get-HotFix -Id KB5035853 -ErrorAction SilentlyContinue | Select-Object PSComputerName, InstalledOn, HotFixID
Also, for those using Defender for Endpoint, you might want to hunt for any suspicious interactions with the DHCP service in the last 24 hours just to be safe:
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName == "dhcpserver.exe"
| where InitiatingProcessFolderPath !contains "C:\\Windows\\System32"
How is everyone else prioritizing this month? Are you focusing on the DHCP RCE or holding off for broader testing?
Thanks for the heads-up on the DHCP server flaw. We don't use Windows Server for DHCP (mostly Infoblox), so that's a miss for us, but we are definitely pushing the Print Spooler update aggressively. We've seen too many EoP attempts recently to ignore it.
For those managing WSUS, here is a query to approve the specific Update ID for the Print Spooler fix if you haven't scripted it yet:
$UpdateID = 'YOUR_UPDATE_GUID_HERE'
# -UpdateId and -Approval belong to different Get-WsusUpdate parameter sets, so select by ID only
Get-WsusUpdate -UpdateId $UpdateID | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
The lack of zero-days is a welcome relief. I'm taking this month to focus on the 'secure-by-default' improvements Microsoft mentioned in the release notes, specifically the stricter SMB signing requirements.
I'm curious, has anyone tested the impact of CVE-2026-23088 in a lab yet? I'm wondering if it's just another case of requiring local access or if there's a vector for lateral movement we need to worry about before next month.
Great catch on the DHCP RCE. I was about to mark that as 'next week' work since it's not a zero-day, but realized our segmentation between guest Wi-Fi and the corp network relies heavily on that server.
One tip for sysadmins: after patching, verify the service version specifically. Sometimes the KB reports as installed but the service hasn't restarted.
sc query DHCPServer | find "STATE"
If it's stuck in STOP_PENDING, you might have a zombie process that needs a manual kill.
While zero-days are absent, that DHCP RCE is a prime candidate for lateral movement. Don't forget that attackers often pivot via less secured internal infrastructure. If you're unsure which servers are exposed, run this PowerShell one-liner to identify targets immediately:
Get-WindowsFeature -Name DHCP | Where-Object { $_.InstallState -eq 'Installed' }
It helps separate the noise from the actual blast radius.
Since we rely heavily on Windows Containers for legacy app migration, ensuring the host OS is patched is critical—even if the containers themselves don't run DHCP. If you need to quickly inventory which servers have the DHCP role enabled to prioritize patching, this PowerShell one-liner helps:
Get-WindowsFeature -Name DHCP | Where-Object {$_.Installed -eq $true}
It’s faster than checking every server manually.
Great catch on prioritizing the DHCP RCE. Since lateral movement is a worry, make sure you verify the service is actually active before panicking. You can use this PowerShell snippet to quickly inventory your exposure across the environment:
Get-Service DHCPServer -ErrorAction SilentlyContinue | Select-Object Name, Status, MachineName
This helps target your patching efforts more efficiently rather than boiling the ocean unnecessarily.
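The checks posted in this thread (DHCP role inventory, KB5035853 presence, service state) combined into one remote sweep, as an added example that is not part of any post above. The function name and the host names in the usage comment are hypothetical; it assumes the ServerManager (RSAT) module and CIM/WMI access to each server.

```powershell
# Added example. Requires the ServerManager module (RSAT) and CIM/WMI access to each server.
function Get-DhcpPatchStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$HotFixId = 'KB5035853'   # KB named in the thread
    )
    foreach ($server in $ComputerName) {
        $row = [ordered]@{
            ComputerName = $server; RoleInstalled = $null; HotFixInstalledOn = $null
            ServiceState = $null; ServiceStarted = $null; Finding = $null
        }
        try {
            $role = Get-WindowsFeature -Name DHCP -ComputerName $server -ErrorAction Stop
            $row.RoleInstalled = [bool]$role.Installed
            if (-not $row.RoleInstalled) {
                $row.Finding = 'DHCP role not installed'
            } else {
                $fix = Get-HotFix -Id $HotFixId -ComputerName $server -ErrorAction SilentlyContinue
                if ($fix) { $row.HotFixInstalledOn = $fix.InstalledOn }
                $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DHCPServer'" `
                    -ComputerName $server -ErrorAction Stop
                $row.ServiceState = $svc.State
                if ($svc.ProcessId) {
                    # Start time of the process hosting the service
                    $proc = Get-CimInstance -ClassName Win32_Process `
                        -Filter "ProcessId=$($svc.ProcessId)" -ComputerName $server
                    $row.ServiceStarted = $proc.CreationDate
                }
                $row.Finding = if (-not $fix) { "$HotFixId missing" }
                    elseif ($svc.State -eq 'Stop Pending') { 'Service stuck in Stop Pending' }
                    elseif ($svc.State -ne 'Running') { "Patched, service is $($svc.State)" }
                    elseif ($row.ServiceStarted -lt $row.HotFixInstalledOn) {
                        # InstalledOn has day granularity, so same-day restarts are not detected
                        'Patched, but service has not restarted since install date'
                    }
                    else { 'Patched and running' }
            }
        } catch {
            $row.Finding = "Check failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}
# Hypothetical host names:
# Get-DhcpPatchStatus -ComputerName 'dhcp01','dhcp02' | Format-Table -AutoSize
```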