What Happened
This week’s threat landscape carried real weight. Microsoft’s March 2026 Patch Tuesday dropped fixes for 57 CVEs — six of them rated Critical, with three already confirmed under active exploitation in the wild. Of particular concern: CVE-2026-21572, a zero-day privilege escalation flaw in the Windows Common Log File System (CLFS) driver. CLFS vulnerabilities have been a persistent ransomware delivery vector since 2022, and this one is no different — threat actors are chaining it with phishing lures to land SYSTEM-level access on unpatched endpoints.
Simultaneously, Fortinet disclosed CVE-2026-20016, a critical authentication bypass in FortiOS affecting SSL-VPN interfaces. The flaw allows unauthenticated remote attackers to execute arbitrary code. CISA added it to the Known Exploited Vulnerabilities catalog within 48 hours, with a remediation deadline of March 28, 2026 for federal agencies. Commercial organizations should treat that deadline as their own.
Rounding out the week: a coordinated phishing campaign targeting Microsoft 365 tenants using AiTM (Adversary-in-the-Middle) proxies has been observed bypassing legacy MFA configurations, particularly those relying on SMS OTP and authenticator app push notifications without number matching enabled.
What It Means
These three vectors — Windows kernel exploits, perimeter device bypasses, and AiTM phishing — represent the exact kill chain ransomware groups use to compromise small and mid-market businesses. The CLFS zero-day requires no user interaction beyond initial phishing. Once inside, an attacker escalates to SYSTEM, disables endpoint protection, and deploys ransomware in under 20 minutes on an unpatched system.
For businesses running Fortinet firewalls or FortiGate SSL-VPN for remote access — and many Houston-area SMBs do — the authentication bypass is especially dangerous. Your perimeter device is the front door. A flaw that lets attackers walk through it unauthenticated is not a “patch when convenient” item. It is a fire drill.
The AiTM campaign is a reminder that MFA alone is no longer a complete defense. Attackers have industrialized proxy-based session token theft, and SMS-based MFA is effectively obsolete against a motivated adversary.
What To Do
- Patch Windows endpoints immediately. Prioritize CVE-2026-21572 and all Critical-rated March 2026 Patch Tuesday updates. If your environment runs Windows Server, treat domain controllers as Priority 1.
- Update FortiOS now. If you run any Fortinet appliance with SSL-VPN enabled, patch to the version specified in Fortinet advisory FG-IR-26-016. Disable SSL-VPN if patching cannot happen within 24 hours.
- Enable MFA number matching. In Microsoft Entra ID (formerly Azure AD), enforce number matching on Authenticator push notifications. Disable SMS OTP as a fallback method. Consider FIDO2 hardware keys for admin accounts.
- Review conditional access policies. Block authentication attempts from anonymous proxy IPs and enforce compliant-device requirements wherever possible.
- Run a vulnerability scan this weekend. Don’t wait for Monday. Active exploitation means attackers are scanning right now.
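A practical way to carry out the first action item is to check every endpoint for the March 2026 update before Monday rather than trusting that WSUS or Intune has finished. The script below is an added example, not something from the PCA advisory or from Microsoft. It assumes the Microsoft.Graph module is not needed, only WinRM/RPC reachability to each host and an account with local admin rights there, and the KB id is a placeholder: take the real one for your OS build from Microsoft's entry for CVE-2026-21572.

```powershell
# Added example (not from the PCA advisory): report which endpoints still lack the
# March 2026 cumulative update that addresses CVE-2026-21572 (CLFS).
# ASSUMPTIONS: $RequiredKb is a PLACEHOLDER; look up the real KB id for each OS
# build in Microsoft's Security Update Guide. Remote hosts need WinRM/RPC access.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$RequiredKb = 'KB0000000'   # PLACEHOLDER - replace with the real KB id
)

function Get-ClfsPatchState {
    param([string]$Computer, [string]$Kb)

    $result = [ordered]@{
        Computer    = $Computer
        KbInstalled = $false
        ClfsVersion = $null
        Error       = $null
    }
    try {
        # Get-HotFix reads the installed-updates inventory; cumulative updates are
        # listed by KB id, so an empty result means the update is not present.
        $hotfix = Get-HotFix -Id $Kb -ComputerName $Computer -ErrorAction SilentlyContinue
        $result.KbInstalled = [bool]$hotfix

        # Record the clfs.sys file version so it can be compared against the fixed
        # build listed in the advisory; clfs.sys is the vulnerable component here.
        $versionQuery = {
            (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion
        }
        if ($Computer -eq $env:COMPUTERNAME) {
            # Local host: no remoting session needed.
            $result.ClfsVersion = & $versionQuery
        }
        else {
            $result.ClfsVersion = Invoke-Command -ComputerName $Computer `
                -ScriptBlock $versionQuery -ErrorAction Stop
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$report = foreach ($c in $ComputerName) { Get-ClfsPatchState -Computer $c -Kb $RequiredKb }

# Unpatched hosts sort first so the remediation list sits at the top of the output.
$report | Sort-Object KbInstalled | Format-Table -AutoSize

$unpatched = @($report | Where-Object { -not $_.KbInstalled })
Write-Host ("{0} of {1} hosts still missing {2}" -f $unpatched.Count, $report.Count, $RequiredKb)
```

Run it as `.\Check-ClfsPatch.ps1 -ComputerName (Get-Content .\hosts.txt) -RequiredKb KB<real id>`. Hosts that report an error rather than a result are the ones to chase first: an endpoint you cannot query is an endpoint whose patch state you do not know. Domain controllers belong at the head of the host list, per the advisory's Priority 1 guidance.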
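The Entra ID items (disable the SMS fallback, allow FIDO2 for admins, block anonymous-proxy sign-ins, require compliant devices) can be applied through the Microsoft Graph PowerShell SDK. The script below is an added example and is not PCA's or Microsoft's code. It assumes the Microsoft.Graph module is installed, that the signing-in admin holds the Policy.ReadWrite.ConditionalAccess and Policy.ReadWrite.AuthenticationMethod permissions, and that `$BreakGlassGroupId` is a placeholder for your emergency-access group. Blocking by anonymous-proxy IP is implemented here through Identity Protection's sign-in risk score (which requires Entra ID P2); number matching for Authenticator push is not scripted here and is left to the Entra admin centre.

```powershell
# Added example (not from the PCA advisory): apply the Entra ID hardening items via
# Microsoft Graph. Conditional access policies are created in report-only mode so
# sign-in impact can be reviewed before enforcement.
# ASSUMPTIONS: Microsoft.Graph module present; admin consented to the scopes below;
# $BreakGlassGroupId is a PLACEHOLDER for the tenant's emergency-access group.

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.ReadWrite.AuthenticationMethod'

$methodsUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'

function Set-AuthMethodState {
    # Enable or disable one authentication method (sms, fido2, ...) tenant-wide.
    param([string]$Method, [string]$ODataType, [string]$State)
    $body = @{ '@odata.type' = $ODataType; state = $State } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$methodsUri/$Method" `
        -Body $body -ContentType 'application/json'
}

# 1. Remove the weak SMS OTP fallback; 2. allow FIDO2 keys (target admins with a
#    registration campaign afterwards).
Set-AuthMethodState -Method 'sms'   -ODataType '#microsoft.graph.smsAuthenticationMethodConfiguration'   -State 'disabled'
Set-AuthMethodState -Method 'fido2' -ODataType '#microsoft.graph.fido2AuthenticationMethodConfiguration' -State 'enabled'

function New-ReportOnlyPolicy {
    # Create a conditional access policy in report-only mode.
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
        conditions    = $Conditions
        grantControls = $Grant
    } | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body $body -ContentType 'application/json'
}

# 3. Block sign-ins that Identity Protection rates medium or high risk. The
#    "anonymous IP address" detection (Tor, commercial anonymizers, AiTM relays)
#    feeds that score, so this covers the proxy traffic described in the advisory.
New-ReportOnlyPolicy -Name 'CA-Block-Risky-SignIns' -Conditions @{
    users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications     = @{ includeApplications = @('All') }
    clientAppTypes   = @('all')
    signInRiskLevels = @('high','medium')
} -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 4. Require an Intune-compliant device for all cloud apps, so a stolen session
#    token replayed from an attacker's machine fails the device check.
New-ReportOnlyPolicy -Name 'CA-Require-Compliant-Device' -Conditions @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
} -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice') }
```

Leave both policies in report-only mode for a few days, review the "Report-only" results in the sign-in logs for legitimate users who would have been blocked (unmanaged contractor devices are the usual surprise), then flip `state` to `enabled`. Keep the break-glass group excluded from every blocking policy so a misconfiguration cannot lock administrators out of the tenant.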
PCA Technology monitors these threats on behalf of our clients continuously. If you are unsure whether your environment is patched and protected, reach out today — we will tell you exactly where you stand.
— ARIES | PCA Security Operations | March 14, 2026