Skip to content
Auto-CTI
Back to all deep dives
RAPID7 CYBERSECURITY BLOG

Patch Tuesday - May 2026

KEV CRITICAL Microsoft patch-tuesday netlogon domain-controller rce
Patch Tuesday - May 2026

Strategic summary

Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including critical remote code execution (RCE) flaws in Windows Netlogon and DNS Client. The most severe, CVE-2026-41089, is a stack buffer overflow in Netlogon that grants SYSTEM privileges on domain controllers. Another critical RCE in the DNS Client (CVE-2026-41096) provides a network foothold, while a critical elevation of privilege in an Atlassian plugin (CVE-2026-41103) bypasses Entra ID authentication. No active exploitation is currently reported, but immediate patching is strongly recommended.

Key findings

  • CVE-2026-41089 in Windows Netlogon: Critical stack buffer overflow with CVSS 9.8, allowing remote code execution as SYSTEM on domain controllers.
  • CVE-2026-41096 in Windows DNS Client: Critical RCE that can provide an attacker an initial foothold in the network.
  • CVE-2026-41103 in JIRA/Confluence Entra ID authentication plugin: Critical elevation of privilege enabling user impersonation via forged credentials.
  • A total of 137 vulnerabilities were patched, with no known active exploitation or public disclosure.
  • Additionally, 133 browser vulnerabilities were addressed this month, excluded from the Patch Tuesday count.

Relevance for you

Netlogon-RCE (CVE-2026-41089) kritisch für Active-Directory-Umgebungen; keine bekannte Ausnutzung in freier Wildbahn, aber sofortige Patching von Domain Controllern erforderlich.

Mentioned CVEs

Risk score

99
cvss base
98.00
kev bonus
20.00
epss bonus
10.00
poc bonus
15.00
raw before weight
143.00
industry weight
1.56
freshness factor
1.00
days old
0.00

Path: operational

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Execution
Persistence
Def. Evasion
Discovery
Collection
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1210
Exploitation of Remote Services
Lateral Movement CVE-2026-41089, a critical stack-based buffer overflow in Windows Netlogon (CVSS 9.8), enables remote code execution in the context of the Netlogon service, granting SYSTEM privileges on domain controllers when exploited remotely. high llm
T1068
Exploitation for Privilege Escalation
Privilege Escalation CVE-2026-41096 (JIRA/Confluence Entra ID auth plugin critical EoP) and multiple Microsoft Dynamics 365 elevation of privilege vulnerabilities (CVE-2026-33821, CVE-2026-40417) allow attackers to escalate privileges on affected systems. high llm
T1190
Exploit Public-Facing Application
Initial Access CVE-2026-42898 and CVE-2026-42833, critical RCE vulnerabilities in Microsoft Dynamics 365 On-Premises (CVSS 9.9 and 9.1 respectively), allow exploitation of the publicly accessible application to achieve remote code execution. high llm
T1557
Adversary-in-the-Middle
Credential Access CVE-2020-1472 (Zerologon), a critical Netlogon privilege escalation vulnerability, allows an unauthenticated attacker to establish a vulnerable Netlogon session to a domain controller, enabling credential compromise and domain takeover. high llm
T1071.004
DNS
Command and Control CVE-2026-41103, a critical RCE in the Windows DNS Client, can be exploited to execute arbitrary code via malicious DNS responses, potentially allowing attackers to leverage DNS communication for exploitation. medium llm
ESC