Another security defect that stands out is CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools that could be exploited by sending specially crafted input to a server tool that accepts user-supplied parameters.

“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access,” Microsoft notes.

Narang says that the privilege escalation bugs in Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon may require attention, as such vulnerabilities are often exploited following initial access.

According to Fortra associate director Tyler Reguly, users should also pay attention to five Azure security defects addressed this month.

These include an elevation of privilege issue in Azure Linux Virtual Machines (CVE-2026-23665), and one spoofing and three information disclosure flaws in Azure IoT Explorer (CVE-2026-26121, CVE-2026-23661, CVE-2026-23662, and CVE-2026-23664).

These bugs, Reguly points out, require non-standard patching mechanisms, which may require additional effort from IT teams.

“CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sys admins and security teams on a quiet month like this,” Reguly said.

Microsoft also announced fixes for 10 non-Microsoft CVEs, including a flaw in Microsoft Semantic Kernel Python SDK, and nine in Microsoft Edge (which is based on Chromium).

On Tuesday, Adobe announced the rollout of patches for 80 vulnerabilities across its products, including high-severity flaws in Adobe Commerce.
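
An added example (not Microsoft's code or the actual patch) of the check the CVE-2026-26118 description implies: accept only a resource identifier, never a URL, and attach the identity token only to a server-chosen host. The trusted host, the identifier pattern and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only endpoint this hypothetical tool calls with its identity.
TRUSTED_HOSTS = {"management.azure.com"}

# ARM-style resource ID:
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/...]
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_SEG = r"[A-Za-z0-9][A-Za-z0-9._()-]{0,89}"
_RESOURCE_ID = re.compile(
    rf"/subscriptions/{_GUID}/resourceGroups/{_SEG}"
    rf"/providers/{_SEG}(?:/{_SEG}/{_SEG})+",
    re.IGNORECASE,
)


def is_resource_id(value: str) -> bool:
    """True only for a bare resource path; anything with a scheme or host fails."""
    return _RESOURCE_ID.fullmatch(value) is not None


def token_allowed_for(url: str) -> bool:
    """Send-time check: HTTPS, trusted host, no userinfo, default port."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname in TRUSTED_HOSTS
        and parts.username is None
        and parts.port in (None, 443)
    )


def build_request(param: str, token: str) -> dict:
    """Turn a tool parameter into an outbound request, or raise ValueError."""
    if not is_resource_id(param):
        raise ValueError("parameter is not an Azure resource identifier")
    # The server fixes the host; user input only ever supplies the path.
    url = f"https://management.azure.com{param}"
    headers = {}
    if token_allowed_for(url):  # defence in depth before adding the credential
        headers["Authorization"] = f"Bearer {token}"
    return {"url": url, "headers": headers}


# Constructed sample inputs (not taken from the advisory).
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/rg-demo/providers/Microsoft.Storage"
             "/storageAccounts/demo")
SAMPLE_URL = "https://untrusted.example/collect"
```

The two checks are independent on purpose: the first rejects a URL supplied where an identifier is expected, and the second keeps the token off any destination that is not explicitly trusted even if a later code path builds the URL differently.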

Source: SecurityWeek