ENKVA #005 — Netlogon and DNS Client RCEs lead May Patch Tuesday
Microsoft shipped the May 2026 security update on May 12 with 137 Microsoft CVEs. Two of them are unauthenticated network remote-code-execution flaws in Windows domain infrastructure — and they are the patch list for this week.
- CVE-2026-41089 — Windows Netlogon stack-based buffer overflow. CVSS 9.8. Vector AV:N/AC:L/PR:N/UI:N. An unauthorized attacker can execute code over the network with no user interaction. Every domain controller in your estate is in scope.
- CVE-2026-41096 — Windows DNS Client heap-based buffer overflow. CVSS 9.8. Same vector profile, same unauth-network class. Every Windows host that resolves names through Microsoft DNS is in scope, which means every Windows host.
Microsoft rates both as Critical with no public disclosure and no observed exploitation at release time. Netlogon has prior history at this severity class: ZeroLogon (CVE-2020-1472) was a Critical Netlogon protocol flaw that drove emergency domain-controller patching across the industry. Treat the May patch with the same priority.
The rest of the release is heavy on cloud-service Critical-class items that ride the same Tuesday rollup:
- CVE-2026-42826 — Azure DevOps information disclosure. CVSS 10.0, the only perfect-10 of the month. Patched server-side; no customer action required for the Azure DevOps Services tenant.
- CVE-2026-40379 — Microsoft Enterprise Security Token Service spoofing, the Entra ID token-issuance layer. CVSS 9.3 with an S:C (Scope Changed) vector. Service-side patch; check the Entra service health blade for confirmation in your tenant.
- CVE-2026-42898 — Microsoft Dynamics 365 On-Premises RCE. CVSS 9.9. Applies only to customers running on-premises Dynamics — most MSP clients on Dynamics 365 are SaaS-hosted and unaffected.
- CVE-2026-40402 — Windows Hyper-V elevation of privilege. CVSS 9.3. Guest-to-host escape class. Patch Hyper-V hosts in the same maintenance window as your DCs if they share an estate.
- Four Critical-class items rated Exploitation More Likely: two Microsoft Word RCEs (CVE-2026-40364, CVE-2026-40361, CVSS 8.4 each), the Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103, CVSS 9.1), and Azure AI Foundry EoP (CVE-2026-35435, CVSS 8.6). See Brief 5.
What to do this week:
- Domain controllers first. Push the May cumulative update to every DC ahead of the rest of the fleet. Netlogon and DNS Server roles are colocated on most DCs; CVE-2026-41089 is the one that turns an unpatched DC into a remote-execution target.
- DNS Client across the fleet. CVE-2026-41096 triggers from a malicious DNS response — exploitation needs an on-path attacker or a compromised upstream resolver. Patching is the only durable fix; egress-filtering DNS to known resolvers reduces the attack surface in the meantime.
- Hyper-V hosts on the same cycle. CVE-2026-40402 is local privilege escalation requiring a foothold on a guest — exactly what the Netlogon / DNS Client bugs provide.
- Audit Entra ID for unfamiliar token-issuance anomalies. The ESTS spoofing CVE is patched server-side, but any unusual sign-in events your tenants saw between disclosure and patch would not be obvious in normal sign-in logs. Review the Entra ID risk-detection blade for anomalous token-replay or impossible-travel signals in the May 5–12 window.
- Treat the four "Exploitation More Likely" Criticals as same-cycle patches. Two Microsoft Word RCEs are in the cluster — Word is on every endpoint, so this is a fleet-wide concern, not a server-only one. Brief 5 has the full list.
Microsoft published no actively-exploited or publicly-disclosed CVEs in this release. The pressure is from the CVSS profile, not from in-the-wild reports — patch on the standard ring schedule, but compress the DC ring to this week.
Advisories
Brief 1 — Palo Alto PAN-OS unauth RCE CVE-2026-0300 added to KEV May 6 with limited exploitation reported
CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on May 6 with a remediation due date of May 9 — three days. The vulnerability is a buffer overflow in the User-ID Authentication Portal (Captive Portal) service that "allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets" per the NVD entry. CVSS 9.8. The Palo Alto advisory dated May 5 states "Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet." Affected branches include PAN-OS 12.1 (< 12.1.4-h5 and < 12.1.7), 11.2 (< 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12), 11.1, and 10.2. Prisma Access, Cloud NGFW, and Panorama are not affected.
Action: patch any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and reachable from untrusted zones. If you cannot patch this week, follow PAN's mitigation: restrict the Authentication Portal to trusted zones, disable Response Pages in the Interface Management Profile on every L3 interface in untrusted zones, or disable the Authentication Portal if unused. The CISA due date has already passed; treat May 9 as a floor.
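Checking a firewall inventory against the fixed builds listed above is fiddly because PAN-OS hotfix suffixes (-h5, -h17) sort after the base release. The following is an added example, not Palo Alto's tooling: it encodes only the 12.1 and 11.2 thresholds quoted in this brief, reports 11.1 and 10.2 as unknown because their fixed builds are not given here, and the hostnames in the triage call are constructed.

```python
import re
from typing import Optional

# Fixed releases per PAN-OS branch, copied from the advisory text in this brief.
# 11.1 and 10.2 are listed as affected but their fixed builds are not quoted
# here, so they are left empty on purpose and reported as "unknown".
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": [],
    "10.2": [],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version: str) -> tuple:
    """Turn '11.2.7-h13' into (11, 2, 7, 13); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if CVE-2026-0300 applies to this build, False if it is fixed,
    None if this table cannot decide (branch not listed, or no fixed build)."""
    installed = parse_panos(version)
    branch = f"{installed[0]}.{installed[1]}"
    fixes = sorted(parse_panos(f) for f in FIXED.get(branch, []))
    if not fixes:
        return None
    # The relevant fix is the first one on or after the installed maintenance
    # release (12.1.6 needs 12.1.7, 11.2.4-h3 needs 11.2.4-h17); a build newer
    # than every listed fix is already patched.
    for fix in fixes:
        if fix[2] >= installed[2]:
            return installed < fix
    return False


def triage(inventory: dict) -> dict:
    """Map hostname -> 'affected' / 'fixed' / 'unknown' for a fleet inventory."""
    label = {True: "affected", False: "fixed", None: "unknown"}
    return {host: label[is_affected(v)] for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative.
    print(triage({"fw-edge-1": "11.2.7-h13", "fw-dc-2": "11.2.5", "fw-lab": "11.1.3"}))
```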
Brief 2 — Ivanti EPMM authenticated RCE CVE-2026-6973 added to KEV May 7
CISA added CVE-2026-6973 on May 7 with a due date of May 10. The vulnerability is described by NVD as: "An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution." CVSS 7.2 with vector AV:N/AC:L/PR:H/UI:N — the high-privilege requirement is why the score is not higher despite being network-reachable. NVD entry.
Action: if you operate EPMM for clients, confirm the server is at 12.6.1.1, 12.7.0.1, or 12.8.0.1 for your support branch. The admin-credential requirement narrows the threat to attackers who already have an administrator session — typically through phishing or credential reuse — so combine the patch with an administrator-account audit and rotate any credentials valid against an unpatched server.
Brief 3 — BerriAI LiteLLM SQL injection CVE-2026-42208 added to KEV May 8 (AI gateway)
CISA added CVE-2026-42208 on May 8 with a due date of May 11. The CVE is in BerriAI LiteLLM, an open-source proxy that fronts LLM APIs in OpenAI format and is a common deployment shape for clients building internal AI gateways. NVD: "From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter." CVSS 9.8, CWE-89 SQL injection. The proxy API key check sits in front of every request, so the injection point is unauthenticated. NVD entry.
Action: if any clients run LiteLLM as a self-hosted AI gateway (more common than it looks — internal-Copilot replacements, agent platforms, and LLM cost-management proxies all use it), upgrade to 1.83.7. KEV inclusion follows Marimo CVE-2026-39987 on April 23 — AI proxies and notebook servers are now on CISA's radar.
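The NVD description above is the textbook CWE-89 shape: the key string becomes part of the SQL text instead of travelling as a bound parameter. The snippet below is an added illustration built on sqlite3, not LiteLLM's own code or schema; the table, the two keys in it, and the team names are constructed.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a proxy key table (not LiteLLM's real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, team TEXT, spend REAL)")
    con.executemany(
        "INSERT INTO proxy_keys VALUES (?, ?, ?)",
        [("sk-alpha-1", "platform", 12.5), ("sk-beta-2", "finance", 3.0)],
    )
    return con


def lookup_key_vulnerable(con: sqlite3.Connection, supplied: str) -> Optional[Tuple[str, str]]:
    """The pattern the advisory describes: the caller-supplied key is spliced
    into the statement, so quote characters in the key rewrite the WHERE clause."""
    sql = f"SELECT token, team FROM proxy_keys WHERE token = '{supplied}'"
    return con.execute(sql).fetchone()


def lookup_key_fixed(con: sqlite3.Connection, supplied: str) -> Optional[Tuple[str, str]]:
    """Same check with the key passed as a separate parameter: the driver sends
    it as data, never as SQL, so its contents cannot alter the statement."""
    sql = "SELECT token, team FROM proxy_keys WHERE token = ?"
    return con.execute(sql, (supplied,)).fetchone()


def authorize(con: sqlite3.Connection, supplied: str) -> Optional[str]:
    """Return the team a key belongs to, or None; the only path a proxy should use."""
    row = lookup_key_fixed(con, supplied)
    return row[1] if row else None
```

A non-key string containing a quote and a comment marker is enough to make the vulnerable lookup return a row; the parameterised version returns nothing for the same input.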
Brief 4 — Microsoft IR documents intrusion via compromised IT services provider abusing HPE Operations Manager
Microsoft Incident Response published an analysis on May 12 of a stealthy intrusion in which the initial access vector was a compromised IT services provider that managed the victim's HPE Operations Manager (HPOM) deployment. The attackers used the HPE Operations Agent (OA) to deploy VBScripts (abc003.vbs) and credential-harvesting components across servers and domain controllers. Persistence artifacts included web shells (Errors.aspx, ghost.inc), a malicious network provider DLL (mslogon.dll), a password filter DLL (passms.dll), msupdate.dll, and ngrok tunnels for encrypted remote access. Exfiltration staging used icon02.jpeg and C:\Users\Public\Music\abc123c.d. Microsoft did not name a threat actor.
Action: add the file-name indicators to your EDR custom-detection rules. The broader lesson for MSPs is the trust-boundary one — you are the third party in someone else's threat model. Enforce phishing-resistant MFA on every administrator account with tenant access, audit your RMM and monitoring agents' service accounts, and treat any management tool reachable across customer boundaries as privileged.
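A minimal version of the custom-detection logic the action calls for, as an added example that is not Microsoft's or any EDR vendor's code: it matches the file-name indicators from the write-up, flags ngrok process starts, and additionally watches the two registry locations that register a password filter DLL and a network provider DLL (those key names come from Windows documentation, not from the write-up). The event format and the sample events are constructed.

```python
from typing import Iterable, List, Optional

# File-name indicators from the Microsoft IR write-up summarised above.
IOC_FILENAMES = {
    "abc003.vbs", "errors.aspx", "ghost.inc", "mslogon.dll",
    "passms.dll", "msupdate.dll", "icon02.jpeg", "abc123c.d",
}
IOC_PATHS = {r"c:\users\public\music\abc123c.d"}

# Registration points for password filter DLLs and network provider DLLs.
# Not in the write-up; added from Windows documentation (key, value name).
WATCHED_VALUES = {
    (r"hklm\system\currentcontrolset\control\lsa", "notification packages"),
    (r"hklm\system\currentcontrolset\control\networkprovider\order", "providerorder"),
}


def evaluate(event: dict) -> Optional[str]:
    """Return an alert string for one EDR-style event, or None if it is benign."""
    kind = event.get("type")
    host = event.get("host", "?")
    if kind == "file":
        path = event["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if path in IOC_PATHS or name in IOC_FILENAMES:
            return f"IOC file {name} on {host}"
    elif kind == "registry":
        pair = (event["key"].lower(), event["value"].lower())
        if pair in WATCHED_VALUES:
            return f"DLL registration changed on {host}: {event['value']}={event['data']}"
    elif kind == "process":
        if "ngrok" in event["image"].lower():
            return f"ngrok tunnel started on {host}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run evaluate() over a stream of events and keep only the alerts."""
    return [a for a in map(evaluate, events) if a]


# Constructed sample events; hostnames and paths are illustrative only.
SAMPLE_EVENTS = [
    {"type": "file", "host": "dc01", "path": r"C:\Windows\Temp\abc003.vbs"},
    {"type": "registry", "host": "dc01", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value": "Notification Packages", "data": "scecli passms"},
    {"type": "process", "host": "srv-web-2", "image": r"C:\ProgramData\ngrok.exe"},
    {"type": "file", "host": "srv-web-2", "path": r"C:\inetpub\wwwroot\default.aspx"},
]
```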
Brief 5 — Four Critical-class CVEs flagged "Exploitation More Likely" in the May release, including two Microsoft Word RCEs
The May 2026 CVRF flags four Critical-class CVEs with Microsoft's "Exploitation More Likely" rating:
- CVE-2026-40364 — Microsoft Word type-confusion RCE. CVSS 8.4. "Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally." Vector AV:L/AC:L/PR:N/UI:N — the no-user-interaction bit means the Outlook preview pane and email-attachment scanners are in play.
- CVE-2026-40361 — Microsoft Word use-after-free RCE. CVSS 8.4. Same UI:N vector. CWE-416.
- CVE-2026-41103 — Microsoft SSO Plugin for Atlassian Jira and Confluence elevation of privilege. CVSS 9.1. A Microsoft-published Marketplace app bridging Entra ID sign-on into Jira and Confluence Cloud.
- CVE-2026-35435 — Azure AI Foundry elevation of privilege. CVSS 8.6. Narrower customer surface than the other three.
Action: the two Word RCEs are the urgent ones for typical MSP fleets — push the May Microsoft 365 Apps update to every endpoint this week, since UI:N means preview-pane rendering of a malicious .docx is enough to trigger. For the SSO Plugin, check Apps > Manage apps on every Jira and Confluence instance (especially Data Center installs that don't auto-update from the Marketplace) and apply the May 12 plugin release. Azure AI Foundry administrators should review the MSRC entry for service-side guidance.
Product changes
Brief 6 — Defender XDR Take action wizard extends to email TLD and attachment-hash blocking
The May 2026 entry on the Defender XDR What's new page documents that in advanced hunting, "the Take action wizard now lets customers allow or block top-level domains and files attachment hashes in emails based on query results." Previously the wizard supported URL, sender, and file-hash actions for endpoint defense, but not email-channel TLD-level blocks driven from a hunting query.
Action: for tenants without a separate email-security gateway, write a saved hunting query that surfaces inbound email from low-reputation TLDs (.zip, .mov, .review, .country, fresh registrations on .de / .io). The wizard now promotes a hunt result to a Defender for Office 365 block rule in two clicks, closing the gap between detection and enforcement for the analyst running the query.
Brief 7 — ChromeOS LTS-144 144.0.7559.250 ships 10 High-severity fixes
Google promoted ChromeOS Long Term Support 144 to 144.0.7559.250 (Platform 16503.82.0) on May 11 with 10 High-severity security fixes. LTS-144 is the channel most managed-ChromeOS fleets run for stability — it lags Chrome stable by several major versions but receives backported security fixes.
Action: if you manage ChromeOS endpoints via Google Admin, the update flows automatically unless devices are pinned. Confirm in Devices > Chrome > Settings > Updates that the LTS channel is selected and the auto-update target version is current. Kiosk and signage devices locked to a specific version need an explicit bump.
Field notes
Brief 8 — MDASH agentic vulnerability discovery finds 16 Windows networking and authentication flaws
Microsoft published a write-up of MDASH, an internal agentic vulnerability-discovery system, on May 12. The post claims an 88.45% success rate on the CyberGym benchmark of 1,507 real-world vulnerabilities, and identifies 16 new flaws in Windows networking and authentication components, "including four Critical remote code execution issues in tcpip.sys and ikeext.dll." The 16 flaws fed into the May 2026 cumulative; Microsoft did not publish a CVE-to-system mapping in the post, so identifying which of the 137 May CVEs originated from MDASH is not possible from public data.
Action: treat this as forward-looking signal, not an immediate operator task. The practical implication is that 137 CVEs in a single Patch Tuesday is partly a function of Microsoft's internal AI tooling surfacing more bugs in the same components — plan ring-deployment cadence and test-fleet coverage for higher monthly volumes going forward.
Brief 9 — Microsoft details AI-assisted synthetic-log generation for detection engineering
Microsoft published a research post on May 12 describing methods for generating realistic security attack logs from attacker behaviors using LLMs, framed as a way to "accelerate detection development while preserving realism and security." The technique synthesizes log streams from threat-actor TTP descriptions, then tests detection-rule coverage against the synthetic output.
Action: if your SOC builds custom detections against Sentinel or Defender XDR, the post is a useful pattern for the test-data problem detection engineers always hit. Pair the technique with adversary-emulation tools you already run (Atomic Red Team, Caldera) to broaden coverage before a rule ships.