Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- An American Company Fears Its Windows Hacks Helped India Spy On China And Pakistan
September 17, 2021
Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed ...
- Exploitation of the CVE-2021-40444 vulnerability in MSHTML
September 16, 2021
Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In attempt to exploit this vulnerability, attackers create a document with a specially-crafted object. If a user opens the document, MS Office will ...
- Azure Zero-Day Flaws Highlight Lurking Supply-Chain Risk
September 16, 2021
Four Microsoft zero-day vulnerabilities in the Azure cloud platform’s Open Management Infrastructure (OMI) — a software that many don’t know is embedded in a host of services — show that OMI represents a significant security blind spot, researchers said. Collectively dubbed “OMIGOD” because of the name and the reaction of the researchers who discovered them, the ...
- APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
September 16, 2021
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single ...
- Hacker-made Linux Cobalt Strike beacon used in ongoing attacks
September 14, 2021
An unofficial Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been spotted by security researchers while actively used in attacks targeting organizations worldwide. Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org’s ...
- Pair of Google Chrome Zero-Day Bugs Actively Exploited
September 14, 2021
Google has addressed two zero-day security bugs that are being actively exploited in the wild. As part of the internet giant’s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high-severity. The two zero days are tracked as CVE-2021-30632 and CVE-2021-30633. “Google is aware that exploits ...