Serial number: AV26-024
Date: January 13, 2026
Updated: March 18, 2026
On January 13, 2026, Microsoft published security advisories to address vulnerabilities in multiple products. Included were critical updates for the following products:
- Azure Connected Machine Agent
- Azure Core shared client library for Python
- Microsoft 365 Apps for Enterprise
- Microsoft Excel 2016
- Microsoft Office 2016
- Microsoft Office 2019
- Microsoft Office Deployment Tool
- Microsoft Office LTSC 2021
- Microsoft Office LTSC 2024
- Microsoft Office LTSC for Mac 2021
- Microsoft Office LTSC for Mac 2024
- Microsoft SQL Server 2022
- Microsoft SQL Server 2025
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
- Microsoft Word 2016
- Office Online Server
- Windows 10
- Windows 11
- Windows Admin Center in Azure Portal
- Windows SDK
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Update 1
On January 26, 2026, Microsoft published an out-of-band security advisory to address an important vulnerability CVE-2026-21509.
As well, on January 26, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-21509 to their Known Exploited Vulnerabilities (KEV) Database.
Microsoft has received reports that CVE-2026-20805 and CVE-2026-21509 are being exploited.
Update 2
On March 18, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963 to their Known Exploited Vulnerabilities (KEV) Database.
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
