Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- South Korea cyber crisis deepens as Coupang data leak exposes national vulnerabilities
December 1, 2025
An investigation is under way into the cause of the breach. The leak raised concerns about phishing attempts targeting customers. Telecom, payments and crypto firms also reported recent breaches. A major data breach at South Korea’s biggest e-retailer has intensified concerns about the country’s digital preparedness, with the latest incident now seen as part of a ...
- Bug in jury systems used by several US states exposed sensitive personal data
November 26, 2025
Several public websites designed to allow courts across the United States and Canada to manage the personal information of potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses, TechCrunch has exclusively learned. A security researcher, who asked not to be named for this story, contacted TechCrunch with ...
- CISA orders feds to patch Oracle Identity Manager zero-day after signs of abuse
November 24, 2025
CISA has ordered US federal agencies to patch against an actively exploited Oracle Identity Manager (OIM) flaw within three weeks – a scramble made more urgent by evidence that attackers may have been abusing the bug months before a fix was released. The flaw, tracked as CVE-2025-61757 and now sitting in CISA’s Known Exploited Vulnerabilities catalog, ...
- WhatsApp security flaw lets experts scrape 3.5 billion user numbers
November 21, 2025
WhatsApp users may need to take extra steps to protect their account information following a potentially concerning discovery. A study by researchers at the University of Vienna revealed the app’s contact-discovery system enabled the collection of extensive WhatsApp user data at an unprecedented scale due to insufficient rate-limiting across global endpoints. The researchers were able to ...
- Google says hackers stole data from 200 companies following Gainsight breach
November 21, 2025
Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen via apps published by Gainsight, which provides a customer support platform to other companies. Read more… Source: ...
- European Union Agency for Cybersecurity (ENISA) becomes a Common Vulnerabilities and Exposures (CVE) Program-Root
November 20, 2025
As a Common Vulnerability and Exposure (CVE) Numbering Authority (CNA), ENISA is authorised to assign CVE Identifiers (CVE IDs) and to publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles since January 2024. As Root CNA, ENISA is now expanding its role within the CVE ...