Microsoft's March 2026 Patch Tuesday: Two Zero-Days Are Being Exploited Right Now. Patch Immediately.
Two zero-days. Both actively exploited in the wild. One lets attackers slip past the trust boundary your OS uses to warn you about dangerous files. The other hands them SYSTEM-level privileges on the machine they've already compromised. Microsoft's March 2026 Patch Tuesday is not a routine update.
This month's release addresses approximately 60 vulnerabilities across Windows, Office, Azure, Hyper-V, and more. But two CVEs demand your attention right now, because attackers aren't waiting for your next maintenance window.
I've been on the receiving end of zero-day disclosures during active incident response. The gap between "patch available" and "patch deployed" is where organizations get hurt. What follows is what's actually happening, why these two flaws are worse together than apart, and what you should prioritize this week.
The First Zero-Day: Sneaking Past Mark of the Web
CVE-2024-21412 is a security feature bypass in Internet Shortcut Files (.url), CVSS 8.1 (High). It targets one of Windows' most fundamental trust signals: the Mark of the Web (MotW).

When a browser or mail client saves a file from the internet, Windows records where it came from in a small alternate data stream attached to the file on NTFS volumes, named Zone.Identifier, with a ZoneId of 3 for the Internet zone. That stream is the Mark of the Web. It is what triggers the "this file came from the internet, are you sure?" dialog: SmartScreen checks it, Protected View in Office checks it, and the Open File security warning checks it before a shortcut or executable is allowed to run. It's the thin line between a user opening a file and that file executing silently.
CVE-2024-21412 lets an attacker craft an internet shortcut file that opens its target without the SmartScreen check that MotW would normally trigger. The user still has to open the shortcut, but once they do there is no warning and no dialog. The payload just runs.
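An added example, not code from the original post or from Microsoft: a PowerShell function that inventories shortcut and container files in a user's download locations and reports whether each one actually carries the Mark of the Web (on NTFS, the Zone.Identifier alternate data stream) and, for .url files, where the shortcut points. The default paths, the extension list and the "Suspicious" heuristic are my own choices, not anything the advisory specifies.

```powershell
# Added example, not from the original post. Inventories shortcut and container
# files in a user's download locations and reports whether each one carries the
# Mark of the Web, which on NTFS is the Zone.Identifier alternate data stream.
# Assumptions (mine): Windows PowerShell 5.1+ on NTFS; the default paths,
# extensions and the "Suspicious" heuristic are editorial choices, not Microsoft's.

function Get-MotwReport {
    [CmdletBinding()]
    param(
        [string[]]$Path = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP),
        # .url/.lnk are the shortcut types at issue; ISO/VHD are containers that
        # have lost MotW in earlier bypasses, so they are worth listing too.
        [string[]]$Extension = @('.url', '.lnk', '.iso', '.vhd', '.vhdx')
    )

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file   = $_
            $zone   = $null
            $source = $null

            # ZoneId=3 is the Internet zone, 4 is Restricted Sites. No stream at
            # all means Windows has no reason to warn before opening the file.
            $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in @($stream)) {
                if ($line -match '^ZoneId=(\d+)')               { $zone   = [int]$Matches[1] }
                if ($line -match '^(HostUrl|ReferrerUrl)=(.+)$') { $source = $Matches[2] }
            }

            # .url files are plain INI text; the URL= line is where the shortcut points.
            $target = $null
            if ($file.Extension -ieq '.url') {
                $urlLine = Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue |
                           Where-Object { $_ -match '^URL=' } | Select-Object -First 1
                if ($urlLine) { $target = $urlLine.Substring(4).Trim() }
            }

            # Heuristic (mine): an internet shortcut with no MotW whose target is a
            # UNC path, a file:// URI or another remote .url is the shape to look at first.
            $remote = $target -and ($target -match '^(\\\\|file://|https?://.*\.url$)')

            [pscustomobject]@{
                Path       = $file.FullName
                Created    = $file.CreationTime
                HasMotw    = [bool]$stream
                ZoneId     = $zone
                Source     = $source
                Target     = $target
                Suspicious = [bool]((-not $stream) -and $remote)
            }
        }
}

# Usage: newest first, then only the rows the heuristic flags.
# Get-MotwReport | Sort-Object Created -Descending | Format-Table -AutoSize
# Get-MotwReport | Where-Object Suspicious
```

A missing Zone.Identifier stream is evidence, not proof: files copied from FAT-formatted media, extracted by some archivers, or explicitly unblocked by a user have no stream either. Treat the report as a triage list to cross-check against EDR and proxy logs, and remember that a shortcut which has already done its job may have been deleted by the payload.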
Dustin Childs of Trend Micro's Zero Day Initiative flagged this in his monthly security update review, noting it was already under active attack at the time of Microsoft's release. Not theoretical risk. Active exploitation.
Trend Micro has linked this to a threat actor it tracks as Water Hydra (also known as DarkCasino), which has been using it to deliver the DarkMe remote access trojan. The attack chain is targeted: financial traders have been the primary victims, lured through trading-related forums and channels. But once a technique works, it spreads. If you've followed how prompt injection remains the top LLM vulnerability year after year, you know trust-boundary bypasses have a way of becoming everyone's problem fast.
When the OS tells your users a file is safe by *not* warning them, you've lost the first and sometimes only line of defense.
The MotW bypass is dangerous on its own. But it's the second zero-day that turns a foothold into full control.
The Second Zero-Day: From Foothold to Full Control
CVE-2024-21338 is a Windows Kernel Elevation of Privilege vulnerability, CVSS 7.8 (High). Completely different class of flaw from the MotW bypass. The combination is what makes this Patch Tuesday especially dangerous.

Think about the kill chain. The first zero-day gets malicious code running on the target machine by slipping past MotW warnings. But that code runs with whatever privileges the current user has. On a properly configured enterprise machine, that's typically a standard user account. Limited damage.
CVE-2024-21338 removes that limitation. An attacker with local access exploits this kernel-level flaw to escalate from standard user to SYSTEM. The highest privilege level on a Windows machine. At SYSTEM, you disable security tools, dump credentials, move laterally, install persistent backdoors. It's the difference between "we have a compromised workstation" and "we have a compromised network."
This pairing should concern every security team. A MotW bypass to get code running, followed immediately by a kernel EoP to get SYSTEM. Two zero-days, both actively exploited, chaining together into a compromise path from phishing lure to SYSTEM on the endpoint. SYSTEM on one workstation is not domain admin, but it is where credential dumping and lateral movement begin, and that is the usual route to domain admin.
I've shipped enough incident response tooling to know that kernel-level privilege escalation is the inflection point in most serious breaches. Everything before it is containable. Everything after it is a race against the attacker. I've watched similar kernel EoP bugs go from "patch available" to "mass exploitation" in shorter windows every year. The cycle is compressing.
If you're triaging patches this week, these two CVEs go to the front of the line. No exceptions.
The Hyper-V Escape Nobody Wants to Think About
As if two actively exploited zero-days weren't enough, this release also patches CVE-2024-21407: a critical remote code execution vulnerability in Windows Hyper-V. Adam Barnett, a security researcher at Rapid7, highlighted this one in his Patch Tuesday analysis, and for good reason.

CVE-2024-21407 is a VM escape. An attacker on a Hyper-V guest virtual machine can break out and execute arbitrary code on the host operating system. Read that again.
The entire security model of virtualization depends on the hypervisor maintaining isolation between guest and host. A VM escape shatters that assumption. If you're running multi-tenant Hyper-V environments, shared hosting infrastructure, or even developer workstations with local VMs, this is a critical patch.
Microsoft notes the attack complexity is high. The attacker needs environment-specific information and preparatory steps before exploitation. Sure, that's a mitigating factor. But "high complexity" in a Microsoft advisory just means "a skilled attacker can still do this." And skilled attackers are exactly who goes after VM escapes.
For those running cloud infrastructure where region selection is already a geopolitical risk calculation, a Hyper-V escape adds another dimension to your threat model. Your virtualization layer is only as strong as the last patch you applied.
Why This Month Is Different
Most months, Patch Tuesday is background noise. Sixty-odd CVEs, a handful of criticals, queue the patches and move on. This month breaks that pattern for three reasons.
The zero-days chain together. Not two isolated flaws. A complete attack path: initial access via MotW bypass, then privilege escalation via kernel EoP. Attackers are already using this chain in the wild. Every day you delay patching is a day this chain works against your users.
The threat actors are named and active. Water Hydra isn't a hypothetical. They're a tracked threat group actively deploying the DarkMe RAT through these vulnerabilities. This isn't a proof-of-concept sitting on GitHub. It's operational.
The Hyper-V escape raises the stakes for infrastructure teams. Even if you're not directly targeted by the zero-day chain, the VM escape means your virtualization infrastructure needs immediate attention. If you're a cloud provider or MSP running Hyper-V, this is an emergency patch.
I've seen organizations treat Patch Tuesday as a next-sprint problem. After 14+ years building and maintaining production systems, I can tell you the teams that get burned aren't the ones with exotic architectures or unusual attack surfaces. They're the ones with a two-week patch lag on known exploited vulnerabilities. This is one of those things where the boring answer is actually the right one: patch this week, not next.
What to Do Right Now
If you're responsible for Windows systems in any capacity, here's the priority order:
- Patch CVE-2024-21412 and CVE-2024-21338 immediately. Actively exploited. They chain together. Highest priority this cycle, full stop.
- Patch CVE-2024-21407 on any Hyper-V hosts. VM escapes are rare and critical. Don't wait for your normal virtualization maintenance window.
- Review your MotW and SmartScreen policies. If your endpoint protection relies on MotW signals for file reputation, verify that something else still applies when the flag is missing: application control (WDAC or AppLocker) and EDR behavioural rules don't consult Zone.Identifier, so they keep working when a bypass strips it.
- Check detection coverage for DarkMe RAT indicators. Make sure your EDR and SIEM rules are current for Water Hydra activity.
- Audit privilege escalation detection. Kernel EoP exploits leave traces in process creation auditing (Security event 4688), Sysmon, and EDR telemetry: a process running as SYSTEM whose parent is not a service, installer, or scheduled task host is the pattern to watch. If your monitoring isn't watching for suspicious privilege transitions, that's a blind spot you need to close.
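An added example, not code from the original post, that serves both the kernel EoP discussion above and the "audit privilege escalation detection" item: a PowerShell hunt over Security event 4688 for processes that end up running as SYSTEM without a parent that normally hands out SYSTEM tokens. It assumes Audit Process Creation is enabled (command-line logging makes it far more useful); the parent allow-list and the user-writable-path regex are my starting points to tune, not a vetted ruleset.

```powershell
# Added example, not from the original post. Hunts Security event 4688 (process
# creation) for children that run as SYSTEM without a parent that normally hands
# out SYSTEM tokens, which is what a successful kernel EoP looks like in the log.
# Assumptions (mine): Audit Process Creation is enabled, ideally with command-line
# logging; the parent allow-list and the user-writable-path regex are starting
# points to tune, not a vetted ruleset.

function Find-SuspiciousSystemProcess {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        # Parents that legitimately spawn SYSTEM processes on a typical host.
        [string[]]$AllowedParents = @('services.exe', 'svchost.exe', 'wininit.exe',
            'smss.exe', 'csrss.exe', 'winlogon.exe', 'msiexec.exe', 'TrustedInstaller.exe',
            'WmiPrvSE.exe', 'taskhostw.exe', 'MsMpEng.exe')
    )

    $system = 'S-1-5-18'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields by name; the rendered message text is not stable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # The account the new process actually runs as: the Target Subject when the
        # child's token differs from the creator's, otherwise (NULL SID, S-1-0-0)
        # the creator itself. An exploit that has already swapped in a SYSTEM token
        # shows up instead as a SYSTEM creator with an odd parent image.
        $runsAs = if ($d['TargetUserSid'] -and $d['TargetUserSid'] -ne 'S-1-0-0') {
            $d['TargetUserSid'] } else { $d['SubjectUserSid'] }

        $parentPath   = [string]$d['ParentProcessName']
        $parentName   = [System.IO.Path]::GetFileName($parentPath)
        $userWritable = $parentPath -match '\\(Users|Temp|ProgramData)\\'

        if ($runsAs -eq $system -and ($userWritable -or ($AllowedParents -notcontains $parentName))) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Creator     = ('{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName'])
                Parent      = $parentPath
                NewProcess  = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }
}

# Usage (elevated, since reading the Security log requires it):
# Find-SuspiciousSystemProcess -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

Expect noise on first run: backup agents, management tooling and some installers spawn SYSTEM children from unusual parents. Add those parents to the allow-list by full image path rather than by name once you have confirmed them, because a dropper in a user's profile can call itself svchost.exe too. The user-writable-path check is there precisely so that a SYSTEM child of anything under C:\Users or ProgramData is never silently allow-listed by name.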
If you're curious about how security gaps compound in AI-assisted development workflows, I wrote about the security nightmares found in vibe-coded applications. Same lesson applies: attack surface grows faster than most teams realize.
The Patch Gap Is the Real Vulnerability
Microsoft did its job. The patches are available. The zero-days are disclosed. The threat intelligence is public. Everything you need to protect your systems is sitting in Windows Update right now.
The vulnerability isn't technical anymore. It's operational. It's the gap between "patch available" and "patch deployed." It's the change advisory board meeting that doesn't happen until Thursday. The test environment that takes three days to validate. The "we'll get to it next cycle" that turns into the incident report nobody wanted to write.
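Closing that gap means being able to say, per host, whether the deployed build actually carries the fix. The following is an added example, not code from the original post or from Microsoft: a PowerShell function that compares a host's installed cumulative update (build plus UBR) against the build you require, flags Hyper-V hosts that also need the CVE-2024-21407 fix, and puts a number on the days since anything was last installed. The RequiredUbr table is a placeholder you fill in from the advisory for your own OS versions; the numbers in the usage lines are hypothetical.

```powershell
# Added example, not from the original post. Reports whether a host's installed
# cumulative update has reached the build that carries a given fix, and whether
# the host is a Hyper-V host. Assumptions (mine): the RequiredUbr table is filled
# in from the Microsoft advisory for your OS versions (the default is empty, so
# Patched is $null until you supply it); registry value names are the standard ones.

function Test-PatchState {
    [CmdletBinding()]
    param(
        # Map of "Major.Minor.Build" -> minimum UBR (Update Build Revision) that
        # contains the fix, e.g. @{ '10.0.22631' = 1234 }. That number is a placeholder.
        [hashtable]$RequiredUbr = @{}
    )

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $buildKey = '{0}.{1}.{2}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR   # bumps with every cumulative update, so it is the number to compare

    $required = $RequiredUbr[$buildKey]
    $patched  = if ($null -eq $required) { $null } else { $ubr -ge $required }

    # Hyper-V exposure: the optional feature on client SKUs, the vmms service on servers.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -ErrorAction SilentlyContinue
    $hyperv  = ($feature -and $feature.State -eq 'Enabled') -or
               [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)

    # Most recent installed update, to put a number on the patch gap.
    $lastHotFix = Get-HotFix -ErrorAction SilentlyContinue |
                  Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Build        = "$buildKey.$ubr"
        RequiredUbr  = $required
        Patched      = $patched      # $null: build not in the table, check it by hand
        HyperVHost   = [bool]$hyperv
        LastHotFix   = if ($lastHotFix) { $lastHotFix.HotFixID } else { $null }
        PatchGapDays = if ($lastHotFix) { [int]((Get-Date) - $lastHotFix.InstalledOn).TotalDays } else { $null }
    }
}

# Usage (run elevated; the feature query needs it). hosts.txt and the UBR are hypothetical.
# Test-PatchState -RequiredUbr @{ '10.0.22631' = 1234 } | Format-List
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-PatchState} -ArgumentList @{ '10.0.22631' = 1234 } |
#     Where-Object { $_.Patched -ne $true -or $_.HyperVHost }
```

The comparison is on UBR rather than on a KB number on purpose: cumulative updates supersede each other, so a host that skipped this month's KB but installed next month's is still fixed, and a KB-based check would wrongly report it as missing. Run it across the fleet, sort by PatchGapDays, and the hosts at the top of that list are the ones this article is about.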
Two zero-days, actively exploited, chaining into full system compromise. A VM escape in your virtualization layer. Roughly 60 total CVEs across the Windows ecosystem.
This is not a drill. Patch today.
Photo by TRG on Unsplash.


