Cybersecurity Daily — Mar 10, 2026
Tuesday, March 10, 2026
The Big Picture
Patch Tuesday dropped 79 Microsoft fixes — including two publicly disclosed zero-days and an Excel flaw that could turn Copilot into a data exfiltration tool — but the most alarming story today isn't about software. A whistleblower alleges a former DOGE engineer took records on 500 million Americans on a thumb drive, kept his "God-level" credentials, and told a colleague he expected a presidential pardon if caught. CISA is flagging active exploitation of the tools IT teams use to manage everything else, and Russia-linked hackers are stealing Signal and WhatsApp sessions from officials mid-air. The theme today: the people and platforms you trust most are the attack surface.
Today's Stories
Microsoft's March Patch Tuesday: 79 Fixes, Two Zero-Days, and an Excel Flaw That Could Make Copilot Betray You
If you manage Windows machines — or just use one — today is your update day.
Microsoft patched 79 vulnerabilities, including two publicly disclosed zero-days: CVE-2026-21262 and CVE-2026-26127. Neither is confirmed as actively exploited yet, but exploit details were circulating before today's patches. A SQL Server flaw would grant full DBA access: read every record, drop every table.
An Excel bug could let Copilot Agent mode exfiltrate data via a single malicious spreadsheet — a potential zero-click leak for AI-assisted Office users. Several Office RCEs trigger through the Preview Pane — merely previewing an attachment in Outlook can be enough. The Zero Day Initiative flagged CVE-2026-21536 (CVSS ~9.8) as remotely exploitable without authentication, and Rapid7 called out a CVSS 8.8 RCE in Windows Routing and Remote Access Service. Many of the remaining fixes are privilege-escalation bugs — the tools attackers use to move laterally.
Run Windows Update today. Don't wait for the weekend window.
A Former DOGE Engineer May Have Walked Out of the SSA With 500 Million Americans' Records on a Thumb Drive
This is the kind of breach story that keeps federal investigators and identity theft attorneys busy for years.
The Social Security inspector general is investigating claims that a former DOGE engineer took two tightly restricted databases — "Numident" and the "Master Death File" — containing Social Security numbers, dates of birth, citizenship, race, and parents' names for more than 500 million living and dead Americans. The complaint says he kept his agency computer and "God-level" credentials after moving to a contractor role, asked a colleague to help transfer the thumb-drive data to his personal machine to "sanitize" it, and said he'd expect a presidential pardon if prosecuted.
The SSA denies theft; the allegations are unproven and the engineer's attorney denies wrongdoing. The inspector general shared the complaint with the GAO and alerted the Senate HSGAC full committee on March 10, 2026; HSGAC Democrats want an independent probe. Two watchdogs reviewing the same claims is a significant escalation. If true, this would rank among the most consequential insider-threat incidents in U.S. government history.
Russia-Linked Hackers Breach Signal, WhatsApp Accounts of Officials and Journalists
Two-factor codes meant to lock your chat apps tight? Russian hackers are stealing them mid-air.
The Netherlands' NCSC warns state-linked actors targeted officials, military personnel, and journalists by intercepting one-time SMS and calls for Signal and WhatsApp via SIM-swapping and SS7 weaknesses. Dozens of high-value accounts were compromised and used for espionage and impersonation.
This was precision targeting, not broad consumer phishing. Move off SMS-based verification to app authenticators or hardware security keys and remove SMS as a fallback wherever possible.
CISA Says Patch Now: Attackers Are Actively Exploiting Ivanti, SolarWinds, and Omnissa Flaws
CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities catalog today, with accelerated patch deadlines — in one case, 48 hours.
Affected products: Ivanti Endpoint Manager (authentication bypass), SolarWinds Web Help Desk (critical command execution, CVSS ~9.8, tied to active ransomware groups), and Omnissa Workspace ONE UEM, formerly VMware Workspace ONE UEM (SSRF enabling deep pivoting). The through-line: attackers target the platforms IT teams use to manage everything else. Compromise those tools and you inherit their control planes. If you run Ivanti, SolarWinds, or Omnissa, treat this as top priority and escalate to your change board now.
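The triage the paragraph above asks for, as an added example that is not from the newsletter or from CISA: a Python function that reads a feed in the shape of CISA's KEV JSON, keeps only entries for vendors in an assumed asset inventory, and orders them by due date, with known ransomware use as the tie-breaker. The feed below is a constructed sample with placeholder CVE IDs and dates, and the vendor set is an assumption.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the real
# feed; the CVE IDs, dates and descriptions are placeholders, not the real entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.10", "dateReleased": "2026-03-10T12:00:00.0000Z", "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Ivanti", "product": "Endpoint Manager",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10", "dueDate": "2026-03-12",
         "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10", "dueDate": "2026-03-17",
         "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "Omnissa", "product": "Workspace ONE UEM",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10", "dueDate": "2026-03-17",
         "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00004", "vendorProject": "OtherVendor", "product": "Unrelated Product",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10", "dueDate": "2026-03-31",
         "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Assumed asset inventory: vendors this organisation actually runs (lower-case for matching).
INVENTORY_VENDORS = {"ivanti", "solarwinds", "omnissa"}


def triage_kev(feed_json, inventory_vendors, today_iso, horizon_days=14):
    """Return KEV entries for in-inventory vendors due within horizon_days, most urgent first.
    Each hit carries days_left (negative = overdue), window_days (days CISA allowed between
    dateAdded and dueDate, which exposes accelerated deadlines) and a ransomware flag."""
    today = date.fromisoformat(today_iso)
    hits = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if v["vendorProject"].lower() not in inventory_vendors:
            continue  # not in our estate; skip
        added, due = date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"])
        days_left = (due - today).days
        if days_left > horizon_days:
            continue  # still tracked, but outside the triage window
        hits.append({
            "cveID": v["cveID"], "vendor": v["vendorProject"], "product": v["product"],
            "due": v["dueDate"], "days_left": days_left, "window_days": (due - added).days,
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
        })
    # Earliest deadline first; among equal deadlines, known-ransomware entries come first.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits
```

Point it at a fresh download of the real feed and your own inventory; the output is a ranked patch list, with overdue entries surfacing as negative days_left.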
⚡ What Most People Missed
An AI just wrote a working Firefox exploit. Anthropic's Claude Opus 4.6 produced a functional exploit for CVE-2026-2796 (CVSS 9.8), a JIT miscompilation bug. It only works in a reduced-security test environment, but Mozilla likened it to "the early days of fuzzing" — meaning a backlog of discoverable bugs and a shrinking timeline from bug to exploit.
A fake AI tool on npm is stealing SSH keys, crypto wallets, and iMessage history. JFrog found a malicious package posing as an "OpenClaw AI" installer that deploys a RAT for credential theft, SOCKS5 proxying, and live browser session cloning. It's been on the registry since March 3, 2026 and remains live. Block it and audit install logs.
Europol dismantled the Tycoon2FA phishing kit and LeakBase forum. Tycoon2FA was a major adversary-in-the-middle service defeating SMS and push MFA in real time. The takedown is confirmed, but expect a successor within 2–4 weeks — that's the pattern.
A critical WordPress plugin bug (CVE-2026-1492, CVSS 9.8) lets unauthenticated attackers create admin accounts. The "User Registration & Membership" plugin is affected; exploitation is underway and mass-scanning bots are creating backdoor accounts. Audit your WordPress admin list today.
Windows Notepad has a remote code execution flaw. CVE-2026-20841 has a public PoC and is trending on Hacker News. Notepad is often allowed in restricted environments and under-monitored, so attackers can use it for persistence or lateral movement. Microsoft released a patch; deploy it.
📅 What to Watch
- If PoC exploit code drops for the Office Preview Pane RCEs (CVE-2026-26110, CVE-2026-26113), expect weaponized phishing within days — these RCEs let attackers compromise systems without opening files, likely increasing enterprise account takeovers and bypassing some sandboxing.
- If the SSA inspector general confirms the databases were actually exfiltrated, expect emergency congressional hearings and potential directives restricting contractor access across federal agencies — immediate contract renegotiations, stricter data-handling clauses, and rapid vendor access changes would follow.
- If major Android OEMs lag in shipping March security patches for Qualcomm chipsets, that gap could enable deployment of persistent commercial spyware across many device families, complicating attribution and raising remediation costs for enterprises and carriers.
- If successor AiTM phishing kits appear after the Tycoon2FA takedown, combined with Teams-based social engineering campaigns, expect more targeted account takeovers that blend chat impersonation with real-time credential relay — boosting lateral moves into privileged consoles and degrading automated anomaly detection.
- If PoCs surface for the AI coding tool PNG exploit or GitHub Semantic Kernel RCE, watch for build artifact poisoning, CI secrets exfiltration, and supply-chain token theft that enable downstream repo compromise and trusted-release hijacks.
Heavy day. Patch everything that moves, lock down who has access, and maybe don't open spreadsheets from strangers for a while. See you tomorrow.