Somewhere around 3 PM on Tuesday, the patch notifications started stacking up like unpaid parking tickets.

Microsoft: 83 vulnerabilities, two actively exploited zero-days. Adobe: 80 patches across eight products. SAP: critical fixes for NetWeaver. And HPE quietly disclosed a flaw in its network switch firmware that lets an unauthenticated attacker reset the admin password. Just… reset it. No credentials needed.

All in roughly the same 48-hour window. If you run a patch management program, you already know what this means. Everything’s critical, nothing can wait, and you don’t have enough people.

Microsoft’s Two Zero-Days

Two zero-days confirmed exploited in the wild. Attackers had access before the patch existed. These aren’t theoretical risks.

There’s also a buried milestone: KB5078885 is the first Extended Security Update patch for Windows 10. If your org still has Win10 machines in production (statistically, you almost certainly do), welcome to the paid-patching era. That clock is ticking.

Adobe: 80 Patches Nobody’s Talking About

Adobe’s 80 patches across eight products would normally be the week’s top story. This week they’re a footnote. That’s the problem.

Prioritize Acrobat and Reader. Malicious PDFs are still one of the most reliable delivery mechanisms in enterprise phishing, and critical code execution bugs in Reader get weaponized fast. The other seven products add volume but lower urgency.

HPE: The One That Should Scare You

A critical vulnerability in AOS-CX, the OS running HPE Aruba network switches, allows an unauthenticated attacker to reset the administrator password. That’s not “gain limited access under certain conditions.” That’s walk in, take the keys, own the switch.

In campus and enterprise environments where Aruba switches handle core traffic, this is a network takeover vulnerability. Patch it before you do anything else on this list.

SAP and pac4j

SAP’s patches hit NetWeaver, the platform running ERP systems at some of the biggest organizations on the planet. If you’re an SAP shop, your admins already know the drill.

Buried under everything else: a maximum-severity vulnerability in pac4j, an open-source Java security library. pac4j handles authentication logic. When the lock itself is broken, every door it protects is open. If your dev teams use Java web frameworks, have them check their dependency trees this week.
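One way to do that dependency check, as an added example (not from the original post): a small parser for the text `mvn dependency:tree` prints that flags every `org.pac4j` artifact and shows whether it is a direct dependency or was pulled in through something else. The sample tree, the `sso-client` artifact and the `X.Y.Z` versions are constructed placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output; project, sso-client and X.Y.Z versions are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.springframework:spring-web:jar:6.0.0:compile
[INFO] |  \- org.springframework:spring-core:jar:6.0.0:compile
[INFO] +- com.example:sso-client:jar:2.3.1:compile
[INFO] |  +- org.pac4j:pac4j-oauth:jar:X.Y.Z:compile
[INFO] |  |  \- org.pac4j:pac4j-core:jar:X.Y.Z:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.15.0:compile
[INFO] \- org.pac4j:pac4j-core:jar:X.Y.Z:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# Tree-drawing prefix (3 chars per level), then groupId:artifactId:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>[|+\\\- ]*)(?P<gav>[\w.-]+:[\w.-]+:\S+)$")

@dataclass
class Finding:
    coordinate: str   # groupId:artifactId
    version: str
    scope: str
    path: list[str]   # artifactIds from the project root down to this artifact

    @property
    def transitive(self) -> bool:
        return len(self.path) > 2  # more than root + itself: pulled in by another dependency

def find_pac4j(tree_text: str, group_id: str = "org.pac4j") -> list[Finding]:
    """Return every artifact of group_id with the chain of dependencies that introduced it."""
    findings: list[Finding] = []
    stack: list[str] = []  # artifactIds of the current branch, root first
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # plugin banners, blank lines, BUILD SUCCESS
            continue
        depth = len(m.group("indent")) // 3
        parts = m.group("gav").split(":")
        scope = parts[-1] if parts[-1] in SCOPES else ""  # the root line carries no scope
        version = parts[-2] if scope else parts[-1]
        del stack[depth:]  # climb back to this line's parent
        stack.append(parts[1])
        if parts[0] == group_id:
            findings.append(Finding(f"{parts[0]}:{parts[1]}", version, scope, list(stack)))
    return findings
```

Feed it the real output of `mvn dependency:tree` from each Java project; a transitive finding means the fix has to come through the intermediate library's update or an explicit version override.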

What to Patch First

For the “just tell me what to do” crowd:

  1. HPE AOS-CX switches. Unauthenticated admin takeover. Now.
  2. Microsoft zero-days. Actively exploited. Push updates today.
  3. Adobe Acrobat/Reader. Critical code execution. High phishing risk.
  4. SAP NetWeaver. Critical severity, core enterprise platform.
  5. pac4j. Check Java app dependencies. Patch if present.

Everything else can wait until the weekend. These five can’t.

And if you’re still running monthly patch meetings where someone reviews a spreadsheet and assigns tickets? This is the week that model breaks.


Read the full post on gNerdSEC