Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.
Read more…
Source: Rapid7
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- US Air Force admits SharePoint privacy issue as reports trickle out of possible breach
October 1, 2025
The US Air Force is reportedly investigating a potential data breach caused by a Microsoft SharePoint issue. A report from The Register revealed the Air Force Personnel Center Directorate of Technology and Information issued a data breach notification shared on social media. “This message is to inform you of a critical Personally Identifiable Information (PII) and ...
- TOTOLINK X6000R: Three New Vulnerabilities Uncovered
October 1, 2025
Palo Alto security researchers have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025: TOTOLINK is a manufacturer of networking products, including routers and other Internet of Things (IoT) devices used by consumers worldwide. The widespread adoption of these products makes their security a critical area of ...
- Apple fixes critical font processing bug – update now
September 30, 2025
Apple has released important security updates to address a critical vulnerability in FontParser—the part of MacOS/iOS/iPadOS that processes fonts. Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to crash or corrupt process memory, potentially leading to arbitrary code execution. While Apple ...
- Microsoft SharePoint Zero-Day Exploitation: What Public Sector Leaders Should Know
September 30, 2025
The Rapid7 September 2025 Threat Report highlights active exploitation of a critical Microsoft SharePoint vulnerability, CVE-2025-53770. This zero-day is being used by threat actors to gain initial access to victim networks, with exploitation observed in government as well as multiple other industries. SharePoint remains a widely deployed collaboration platform in federal, state, and local agencies, resulting ...
- Broadcom Releases Security Updates for VMware Aria Operations, Tools, and Cloud Foundation
September 30, 2025
Broadcom has released security updates to address vulnerabilities in VMware Aria Operations, Tools, and Cloud Foundation components of VMware products. The updates address 2 high severity and 1 medium severity vulnerabilities. CVE-2025-41244 – “Privilege defined with unsafe actions” vulnerability – CVSSv3 score of 7.8 Read more… Source: NHS Digital Sign up for the Cyber Security Review Newsletter The latest cyber ...
- CISA Directs Federal Agencies to Identify and Mitigate Potential Compromise of Cisco Devices
September 25, 2025
Today, CISA issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately. Agencies ...