Microsoft addressed 137 vulnerabilities in its May Patch Tuesday release, yet said none of them were known to be actively exploited at the time of disclosure.
Microsoft's May Patch Tuesday: scope and severity
The company disclosed 137 distinct vulnerabilities across its enterprise products, components and underlying systems. Of those, 13 were assigned critical CVSS ratings. Microsoft designated 13 vulnerabilities as “more likely to be exploited” and categorized the remaining 113 defects as less likely or unlikely to be exploited. The full inventory is posted in Microsoft’s Security Response Center.
Critical flaws in Azure and Dynamics 365
Among the 13 critical defects, two affect Azure — CVE-2026-33109 and CVE-2026-42823 — while CVE-2026-42898 in Microsoft Dynamics 365 received a 9.9 CVSS score. Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898 for its enterprise risk profile. “With no user interaction required, and the potential to impact systems beyond the vulnerable component’s original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform,” Bicer wrote in a blog post.
Bicer added that compromise of Dynamics 365 infrastructure could have cascading effects: “Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption.”
Windows DNS and Netlogon emerge as highest-impact targets
Security researchers highlighted two Windows flaws as among the most consequential in this batch. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, described CVE-2026-41096, a Microsoft Windows DNS defect, as a “nasty-looking bug” that allows unauthorized attackers to run code remotely. Childs warned: “No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses could achieve unauthenticated remote-code execution across your enterprise.”
Childs also singled out CVE-2026-41089, a Windows Netlogon defect that enables unauthenticated remote code execution, calling it the “highest-impact bug that requires immediate patching,” and adding that a “compromised domain controller is a compromised domain.” Both descriptions underscore the potential for high-impact, unauthenticated attacks affecting broad populations of Windows systems.
AI and vulnerability discovery: a shaping influence, per Trend Micro
The unusually high tally of 137 vulnerabilities arrived against a backdrop of rising attention to artificial intelligence in security research. Dustin Childs observed that researchers had been anticipating an uptick in disclosed defects as AI models are used to find previously uncovered bugs. “While not all of these bugs were found by AI, it’s likely they had an AI-related component — even if it was just AI writing the submission,” Childs wrote in his blog post.
What this means for technologists, enterprises, and adversaries
- Technologists and security teams: The Windows Netlogon defect (CVE-2026-41089) was explicitly called by Childs the “highest-impact bug that requires immediate patching,” signaling a priority for patch rollouts where Netlogon and domain controllers are present. The Windows DNS defect (CVE-2026-41096) also demands attention because of its wide client footprint and unauthenticated remote-code execution characteristics.
- Affected enterprises and procurement leaders: Action1’s assessment of CVE-2026-42898 highlights Dynamics 365 environments as high-value targets because compromise can expose customer records, operational workflows, financial information and integrated systems. Organizations that host or integrate CRM services should weigh the risk to connected identity services, databases and enterprise applications.
- Adversaries and threat actors: Microsoft’s bulletin reported no known active exploitation at the time of disclosure, but researchers’ descriptions—especially of unauthenticated remote-code execution and large attack surfaces—illustrate why these flaws may be attractive targets if weaponized.
Microsoft’s monthly security update again illustrates a tension: a large volume of disclosed defects, some of them critical and some enabling unauthenticated remote code execution, but no confirmed active exploitation at disclosure. Researchers’ commentary highlights both specific priorities for patching and a broader trend in how vulnerabilities are being found. The company’s Security Response Center hosts the complete list of fixes for teams that must triage and remediate.




