Microsoft fixes critical Windows DNS, Netlogon, SharePoint, and Dynamics flaws
Microsoft’s May 2026 Patch Tuesday resolved between 120 and 137 vulnerabilities across Windows, Office, networking services, Hyper-V, SharePoint Server, and Microsoft Dynamics 365 on-premises, including 17 to 30 critical flaws. Microsoft said the release contained no publicly disclosed or actively exploited zero-days, but multiple high-risk issues affected core enterprise infrastructure. Notable vulnerabilities included unauthenticated remote code execution in Windows Netlogon (CVE-2026-41089) and the Windows DNS Client (CVE-2026-41096), a Hyper-V guest-to-host escape, a SharePoint Server RCE (CVE-2026-40365), and a Dynamics 365 on-premises RCE (CVE-2026-42898) rated CVSS 9.9.
The update also addressed Office and endpoint attack paths, including Microsoft Word flaws and CVE-2026-35421, which could allow code execution through malicious EMF files opened in Microsoft Paint via Windows GDI. Security researchers said organizations should prioritize patching domain controllers, DNS-exposed Windows systems, on-premises collaboration platforms, and user endpoints because of their exposure and likely exploitability. Alongside the security fixes, Microsoft issued mandatory Windows 11 cumulative updates KB5089549 and KB5087420 for versions 25H2, 24H2, and 23H2, adding platform changes such as File Explorer, accessibility, storage, printing, and secure batch file processing improvements.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft warns of June 2026 Secure Boot certificate rotation deadline
On 2026-05-13, Microsoft highlighted that systems must transition Secure Boot trust from the 2011 certificates to the 2023 certificates by June 26, 2026. The company warned that devices not updated could face serious boot-level security problems.
Microsoft releases Windows 10 KB5087544 update for LTSC and ESU systems
On 2026-05-13, Microsoft released Windows 10 update KB5087544 for Enterprise LTSC and Extended Security Updates participants, incorporating the May 2026 security fixes and correcting erroneous Remote Desktop security warnings on some multi-monitor setups. The update also improved Secure Boot reporting in Windows Security, and Microsoft warned that some devices could prompt for a BitLocker recovery key after installation under certain Group Policy settings.
Microsoft ships Windows 11 cumulative updates KB5089549 and KB5087420
As part of the May 2026 Patch Tuesday release on 2026-05-13, Microsoft published mandatory Windows 11 cumulative updates KB5089549 and KB5087420 for versions 25H2, 24H2, and 23H2. The updates also introduced platform and usability changes including File Explorer, accessibility, storage, printing, and secure batch file processing improvements.
Microsoft releases May 2026 Patch Tuesday security updates
On 2026-05-13, Microsoft issued its May 2026 Patch Tuesday updates, fixing roughly 120-137 vulnerabilities across Windows, Office, networking components, Hyper-V, SharePoint Server, and Dynamics 365. The release included numerous critical flaws but no vulnerabilities confirmed as publicly disclosed or exploited in the wild.
Microsoft says MDASH found 16 flaws fixed in May 2026 Patch Tuesday
On 2026-05-12, Microsoft announced that its AI-driven MDASH system had identified 16 vulnerabilities that were remediated in the May 2026 Patch Tuesday release. The disclosed findings spanned Windows networking and authentication components including TCP/IP, IKEEXT, HTTP.sys, Netlogon, DNS, and Telnet, with four rated Critical.


