Three Critical RCE Vulnerabilities in Microsoft Software Identified Autonomously by XBOW
XBOW was credited in the March 2026 Patch Tuesday release with CVE-2026-21536, a critical remote code execution vulnerability in the Microsoft Devices Pricing Program, flagged as one of the most severe issues in the release.
On the offensive side of security, Tuesdays were always an exciting time for researchers: the moment Microsoft would release its patches, and part of my work, or a colleague's, would finally become public. Sometimes after months of waiting. It was, in large measure, a way to gauge the state of the art in exploitation.
This month’s Patch Tuesday was different.
For the very first time in history, an autonomous AI found critical vulnerabilities in Microsoft Cloud. Not simple bugs in isolated products, but complex vulnerabilities in large-scale production systems, found without source code access. The kind of findings that take experienced researchers weeks to develop.
This is exactly the kind of result the XBOW autonomous offensive security platform is built to deliver: identifying deep, non-obvious security weaknesses in real-world environments, with real impact and real CVEs, at a speed never seen before.
XBOW was credited in the March 2026 Patch Tuesday release with CVE-2026-21536, a critical remote code execution vulnerability in the Microsoft Devices Pricing Program, flagged as one of the most severe issues in the release. Two more followed: CVE-2026-32194 and CVE-2026-32191, both critical RCEs in Bing with potential for SYSTEM-level privileges.
It's no secret that attackers are already leveraging AI. Defenders now need to move just as fast. The industry is noticing. Journalist Aminu Abdullahi wrote in TechRepublic that the findings mark a shift in the arms race between researchers and hackers, as AI can now find complex software vulnerabilities entirely on its own. Ben McCarthy, lead cybersecurity engineer at Immersive, told Krebs on Security that while Microsoft has already patched the issues, the real signal is the speed: AI-driven discovery of complex vulnerabilities is accelerating, and it's not going away.
We want to thank the Microsoft security team, who handled these issues the way a security-mature organization should. The MSRC has continued to emphasize protecting customers through coordinated vulnerability disclosure and transparent guidance, and in these cases, the company moved quickly to investigate and remediate.
As is often the case with serious vulnerabilities, we are not sharing technical details at this time. That was the right call for customer protection, and we respect Microsoft's request to keep those specifics private until the risk window is fully behind us. We hope to share more about the research in the future.
