
SANS Stormcast Wednesday, March 11th, 2026: Windows, Fortinet, Adobe, and Zoom Patches
A
Hello and welcome to the Wednesday, March 11, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu credit certificate program in cloud security.
Well, and today, of course, Microsoft's Patch Tuesday led the news. Microsoft did release updates to fix 93 vulnerabilities, 9 vulnerabilities in Chromium that affect Microsoft Edge. Now, among the vulnerabilities we had eight critical vulnerabilities and two that were disclosed prior to today. But this time we had no vulnerability that was actually already exploited.
Now, when it comes to disclosed vulnerabilities, the first one is a denial of service vulnerability in .NET. Microsoft considers exploitation unlikely. And denial of service vulnerabilities, while this one doesn't require authentication, it could be exploited across the network, it's still not usually sort of at the top of the priority. The second one is probably even a little bit more interesting. It's a privilege escalation in SQL Server. Now, you need to be authenticated in this case to then escalate privileges to sysadmin. But the scenario that I envision here is where, for example, you have a web application or something like this that has access to a SQL Server using a lower privileged account. Maybe there's a chance here to exploit that, but that's not really clear from the advisory. The advisory usually is fairly sparse.
Then among the critical vulnerabilities, well, there are a couple of them that are included in the list here, but they're actually in Microsoft's cloud products, and that's, you know, they have started doing that in the last few months, sort of for transparency, where they tell you what they patched in the cloud. So those are nothing where you have to do anything. Like, there's a Microsoft Payment Orchestrator. There's also Microsoft ACI Confidential Containers. These four vulnerabilities between those two products are all cloud based. So nothing that you need to do. Probably sort of most interesting from an exploit point of view are a number of Excel and Office remote code execution vulnerabilities. That's definitely stuff that you need to patch. Also interesting that one of the critical vulnerabilities was reported by Expo, which is a famous AI company that basically finds vulnerabilities. That made quite a bit of news lately. So that's it for Microsoft. But Microsoft wasn't alone today when it comes to patches.
And then, continuing with patches, we got patches from Fortinet for a number of their products. I'll focus here on the high and the one critical vulnerability. We're talking about two high vulnerabilities in Fortinet's ranking. They're both buffer overflows, one affecting the FortiSwitchAXFixed, and that's an LLDP issue. So that's something where you need sort of network adjacent traffic in order to exploit that. The second one affects FortiManager, and here in particular the FGT updates service. So this is possibly a little bit more remote exploitable. There's one critical vulnerability that was patched yesterday, and that vulnerability is really just the OpenSSL patch that was released a week or so ago. I think I mentioned the vulnerability here. It's also a potential code execution vulnerability in OpenSSL. A lot of dependencies on whether or not that's exploitable. But Fortinet did rate it as critical, and a couple different products are affected by this vulnerability.
And of course we got Adobe: 80 vulnerabilities across eight different products. And, well, if you have been listening to this podcast for a while, of course there are always a couple Adobe products I'm particularly interested in. Adobe Commerce here is in the list again with some remote code execution vulnerabilities that are exploitable via cross-site scripting. And then we also have Adobe Acrobat Reader, which suffers from three vulnerabilities. Two of them are critical and do allow remote code execution. So those are usually the products that I worry about, because Commerce is fairly popular and sort of often exposed to the public, and of course Acrobat Reader, probably the most popular product here from Adobe today.
And Zoom released updates. Zoom is usually not so much a participant of Patch Tuesday, but we got an update for Zoom Workplace for Windows fixing one critical vulnerability, CVSS score of 9.6. They describe it as an external control of file name or path, and apparently if you're using the mail feature of Zoom Workplace, that could be exploited. I assume it's some kind of attachment or such where, as you're saving it, the attacker controls where the particular file is being saved to, and that of course can always then lead to remote code execution if you're able to direct the file into some folder or such where it's then being executed.
Well, and that's it for today. One patch sort of I didn't cover was SAP. Had a couple of them. So if you're running that, double check if there's anything in the patch, but it's one of the more complex areas. And thanks for listening. Thanks for anybody who is leaving good comments or subscribing or liking, and as always, talk to you again tomorrow. Bye.
Main Theme:
This episode of the SANS Internet Stormcenter Daily Cyber Security Podcast, hosted by Johannes B. Ullrich, provides an in-depth briefing on the major security patches released for various platforms and products on March 11, 2026. The episode's primary focus is Microsoft's Patch Tuesday, but it also covers critical updates from Fortinet, Adobe, and Zoom, highlighting newly addressed vulnerabilities, their implications, and which ones require urgent attention.
Scope and Numbers
“Among the vulnerabilities we had eight critical vulnerabilities and two that were disclosed prior to today. But this time we had no vulnerability that was actually already exploited.” — Johannes B. Ullrich
Notable Vulnerabilities:
Denial of Service in .NET:
“Denial of service vulnerabilities—while this one doesn't require authentication... still not usually sort of at the top of the priority.” — Johannes B. Ullrich
SQL Server Privilege Escalation:
“The scenario that I envision here is where, for example, you have a web application or something... Maybe there's a chance here to exploit that, but that's not really clear from the advisory.” — Johannes B. Ullrich
Cloud Product Vulnerabilities:
“They have started doing that in the last few months... tell you what they patched in the cloud. So those are nothing where you have to do anything.” — Johannes B. Ullrich
Excel and Office Remote Code Execution:
AI-driven Vulnerability Discovery:
One critical vulnerability reported by Expo, an AI company gaining attention in security circles.
Quote [03:04]:
“Also interesting that one of the critical vulnerabilities was reported by Expo, which is a famous AI company that basically finds vulnerabilities.” — Johannes B. Ullrich
Two High Severity Bugs:
Critical OpenSSL Patch:
Quote [04:13]:
“There’s one critical vulnerability that was patched yesterday and that vulnerability is really just the OpenSSL patch... potential code execution vulnerability in OpenSSL.” — Johannes B. Ullrich
“Acrobat Reader [is] probably the most popular product here from Adobe today.” — Johannes B. Ullrich
“They describe it as an external control of file name or path... I assume it's some kind of attachment or such... attacker controls where the particular file is being saved to.” — Johannes B. Ullrich
[01:07] “But this time we had no vulnerability that was actually already exploited.”
— Johannes B. Ullrich
[02:02] “Maybe there's a chance here to exploit that, but that's not really clear from the advisory.”
— Johannes B. Ullrich
[03:04] “One of the critical vulnerabilities was reported by Expo, which is a famous AI company that basically finds vulnerabilities.”
— Johannes B. Ullrich
[05:41] “I assume it's some kind of attachment or such ... the attacker controls where the particular file is being saved to and that of course can always then lead to remote code execution.”
— Johannes B. Ullrich
Listeners are encouraged to review their environments for exposure to the mentioned vulnerabilities and to prioritize patching accordingly. The focus throughout is practical, concise, and rooted in actionable security advice.