Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges
January 21, 2022
McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM. According to McAfee’s bulletin, the bugs are in versions prior to 5.7.5 of McAfee Agent, which is used in McAfee Endpoint Security, among other McAfee products. The Agent is the piece of ...
- Critical Cisco Contact Center Bug Threatens Customer-Service Havoc
January 14, 2022
Cisco UCCE is an on-premises customer-service platform capable of supporting up to 24,000 customer-service agents using channels that include inbound voice, outbound voice, outbound interactive voice response (IVR) and digital channels. It also offers a feedback loop via post-call IVR, email and web intercept surveys; and various reporting options to gather information on agent performance ...
- Analyzing an Old Bug and Discovering CVE-2021-30995
January 14, 2022
On April 26, 2021 Apple patched CVE-2021-1740, which was a vulnerable function inside the system daemon process cfprefsd (these types of processes usually run in the background and handle system tasks). The bug could have been exploited to read arbitrary files, write arbitrary files, and get root privilege escalation. It was addressed in Apple’s Security ...
- Microsoft starts 2022 with big bundle fixes for 96 security bugs in its software
January 12, 2022
The new year brings the same old chore of shoring up Microsoft software. For its first Patch Tuesday of 2022, Redmond has bestowed 96 new CVEs affecting its Windows products. If you include 24 Chromium CVEs published earlier this month and now addressed in Microsoft’s Edge browser, in addition to two CVEs in open source projects ...
- noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds
January 11, 2022
Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit ...
- Millions of Routers Exposed to RCE by USB Kernel Bug
January 11, 2022
Millions of popular end-user routers are at risk of remote code execution (RCE) due to a high-severity flaw in the KCodes NetUSB kernel module. The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This ...