MICROSOFT has issued security updates for May Patch Tuesday fixing 120 CVEs, 17 of which are classified as critical vulnerabilities. Of these, 14 are remote code execution (RCE) flaws, two are elevation of privilege (EoP) issues and one is an information disclosure vulnerability. The article notes a new multi-model agentic security system discovered 16 CVEs in this month’s Patch Tuesday.
Notable vulnerabilities highlighted include CVE-2026-41089, a critical, stack-based Netlogon RCE with a CVSS v3 base score of 9.8, and CVE-2026-41096, another critical RCE in the Windows DNS client with a CVSS of 9.8. A third significant entry is CVE-2026-42898, a critical RCE in Microsoft Dynamics 365 On-Premises that could allow an authenticated attacker with low privileges to execute code over the network.
According to Infosecurity Magazine, Rapid7’s Adam Barnett emphasised the risk to domain controllers and the need to prioritise remediation, while Action1’s Jack Bicer warned that exploitation could rapidly impact a large number of systems.