May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS, and SAP S/4HANA

Critical vulnerabilities in Windows Server’s networking and identity infrastructure, as well as a serious hole in the on-premises version of Microsoft Dynamics 365, highlight Microsoft’s May Patch Tuesday fixes.

They are among the 118 vulnerabilities identified this month by the company. Some in cloud-based services like Azure and Microsoft Teams have already been fixed, so no admin action is needed.

But among the most severe that CSOs need to pay attention to is yet another hole in the Windows Netlogon service, CVE-2026-41089, which has a CVSS score of 9.8. It requires no authentication or user interaction to be exploited.

Netlogon vulnerabilities date back to at least 2020, when a vulnerability dubbed Zerologon was found. In 2025 Microsoft fixed a denial of service vulnerability in which a remote unauthenticated user could make a series of Netlogon-based remote procedure calls that could consume all memory on a domain controller.

“The Netlogon vulnerability directly impacts domain controllers and identity infrastructure,” Jack Bicer, director of vulnerability research at Action1, told CSO, “creating risk of domain level compromise, credential theft, ransomware deployment, and operational outages.”

This vulnerability could impact Windows Server versions back to 2016.

Another critical vulnerability is in Windows Server’s DNS Client, CVE-2026-41096, also with a CVSS score of 9.8. It could allow remote code execution through specially crafted DNS responses. Bicer said this creates the potential for widespread endpoint compromise across enterprise networks.

“While Microsoft currently assesses exploitation likelihood as lower,” he said, “the strategic importance of DNS and Active Directory services significantly elevates the organizational risk associated with delayed patching.” 

Chris Goettl, VP of product management at Ivanti, said that from a static analysis perspective, these two vulnerabilities “definitely look like a good opportunity for threat actors. The vulnerabilities are not currently exploited or publicly disclosed, but organizations should be sure to prioritize OS updates in a timely manner.”

He added, “additional layers of protection through network segmentation, access restrictions and monitoring should limit the exposure within an enterprise. That being said, these vulnerabilities are out there. Average time to an N-day exploit is around five days currently. Organizations may choose to prioritize critical parts of their infrastructure ahead of the rest of their infrastructure to shorten that exposure window in case of an exploit in the near future.”

Severe hole in Dynamics 365

The most severe issue this month, Bicer said, is CVE-2026-42898 affecting Microsoft Dynamics 365 On Premises. A remote code execution vulnerability with a CVSS score of 9.9, it allows a low-privileged authenticated attacker to execute arbitrary code remotely through manipulated process session data.

“Because Dynamics 365 environments frequently integrate with identity providers, financial systems, and operational business workflows, compromise of these platforms could rapidly expand into broader enterprise compromise,” Bicer said. “Organizations operating customer relationship management infrastructure should prioritize remediation immediately to reduce the risk of operational disruption and unauthorized access to sensitive business records.” 

SSO plugin flaw

Satnam Narang, senior staff research engineer at Tenable, drew attention to a critical elevation of privilege vulnerability in Microsoft’s single sign-on (SSO) plugin for Atlassian’s Jira project management and Confluence collaboration suites (CVE-2026-41103). During the login process, he explained, an attacker could send a specially crafted response message to exploit this flaw. Exploitation would allow the attacker to sign in using a forged identity, without Microsoft Entra ID authentication.

This would allow the attacker to access or modify data in Jira or Confluence, which he described as rich sources of sensitive information for many organizations. However, Narang pointed out, the accessible information would be limited by the access defined by the targeted servers for the authorized user.

Tyler Reguly, associate director for security R&D at Fortra, noted that the admins responsible for Confluence and Jira may not be the same people responsible for Microsoft products, so the crossover of this vulnerability may cause it to be entirely overlooked. CSOs should stay on top of their teams with this one, he advised.

Critical non-CVE update

Rain Baker, senior incident response specialist for the ShadowScout team at Nightwing, pointed out that the most critical non-CVE update involves the mandatory rollout of updated Secure Boot certificates. Devices failing to receive these updates before the June 26 deadline face “catastrophic boot-level security failures” or degraded security states, he said.

“Ensure your entire fleet successfully rotates to the new trust anchors before June 26,” he said. “For those who haven’t patched for last month’s releases for the Windows Shell and Microsoft Defender bypass flaws, it is imperative that security teams give these the highest priority.” 

SAP patches and Oracle updates

SAP issued two HotNews Notes, two High Priority Notes and 12 Medium Priority Notes.

One of the HotNews Notes is #3724838 (it’s also CVE-2026-34260, with a CVSS score of 9.6). It patches an SQL injection vulnerability in SAP S/4HANA’s Enterprise Search for ABAP. Researchers at Onapsis said that, due to improper or missing input validation and sanitization, an authenticated attacker is able to inject malicious SQL statements through user-controlled input, with high impact on the confidentiality and availability of the application. “Fortunately,” Onapsis said, “the affected source code only allows read access to data, so that integrity is not impacted.”

Still, Jonathan Stross, SAP security analyst at Pathlock, said that if you run Enterprise Search for ABAP “this is the most important technical vulnerability of the month. It allows a low-privileged authenticated attacker to inject malicious SQL through user-controlled input, potentially exposing sensitive database information and crashing the application.”

He added that for organizations using S/4HANA broadly across finance, procurement, supply chain, or HR-adjacent processes, this should be treated as an urgent remediation item.

SAP stated that there is no workaround, Stross pointed out, so remediation depends on implementing the referenced correction instructions or support packages. 

The other HotNews note is #3733064, with a CVSS score of 9.6, which patches a missing authentication check vulnerability in SAP Commerce Cloud. Onapsis says the vulnerability is caused by an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution.

“This is one of the highest business-risk items of the month,” said Stross, “because Commerce Cloud environments are frequently exposed beyond the internal corporate network. A successful exploit could affect storefront availability, customer data, order flows, pricing logic, integrations, and trust in the commerce platform.”

Finally, Oracle admins should note that the company is switching to releasing monthly security patches. The first will come on May 28, which is the fourth Thursday of the month. However, after that the patches will come on the third Tuesday of each month. 
