Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Fortinet warns of new critical unauthenticated RCE vulnerability
March 8, 2023
Fortinet has disclosed a “Critical” vulnerability impacting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests. This buffer underflow vulnerability is tracked as CVE-2023-25610 and has a CVSS v3 score of 9.3, rating it critical. This type ...
- These DrayTek routers are under actual attack – and there’s no patch
March 8, 2023
If you’re still using post-support DrayTek Vigor routers it may be time to junk them, or come up with some other workaround, as a cunning malware variant is setting up shop in the kit. The operators behind the Hiatus malware campaign are hijacking DrayTek Vigor router models 2960 and 3900 powered by MIPS, i386 and Arm-based ...
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
March 7, 2023
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-28810 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability CVE-2022-33891 Apache Spark Command Injection Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- CISA Releases Five Industrial Control Systems Advisories
March 2, 2023
CISA released five Industrial Control Systems (ICS) advisories on March 2, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-061-01 Mitsubishi Electric MELSEC Series ICSA-23-061-02 Baicells Nova Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related ...
- Open source software has its perks, but supply chain risks can’t be ignored
February 22, 2023
Open source components play an increasingly central role in the software development scene, proving to be a boon in a time of continuous integration and deployment, DevOps, and daily software updates. In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four ...
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
February 21, 2023
ISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-47986 IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 Mitel MiVoice Connect Code Injection Vulnerability CVE-2022-40765 Mitel MiVoice Connect Command Injection Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related story: CISA Releases Two Industrial Control Systems Advisories