TL;DR
- Microsoft’s May 2026 Patch Tuesday addresses 137 CVEs with no zero days this month.
- Prioritize patching CVE-2026-40398 (Windows RDS EoP), CVE-2026-40365 (SharePoint RCE), and CVE-2026-41096 (Windows DNS Client RCE) from this month’s release.
- We’re also spotlighting several Fortinet authentication bypass vulnerabilities, covering two disclosed this year and one we observed in an incident in the last month.
Spring is in full bloom, and if you’ve stepped outside recently, you know what that means. Itchy eyes, runny noses, and sneezes—in general the inexorable feeling that the world is out to get you. Thankfully we can manage our exposure with antihistamines, nasal sprays, and for some, an actual patch.
Speaking of which, it’s Patch Tuesday!
Patch Tuesday: May 12, 2026
This month’s release includes 137 CVEs. Thankfully there are no zero day vulnerabilities to address, though there are 16 labeled as ‘critical’ by Microsoft. We’ve reviewed this month’s list and here’s what we suggest you address first:
- Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVE-2026-40398): This buffer overflow vulnerability in Windows Remote Desktop allows an attacker that’s already authenticated with low-level privileges to elevate those privileges to SYSTEM level. It’s worth noting the broad impact of this vulnerability: systems ranging from Windows Server 2012 through 2025 and Windows 10 through Windows 11 26H1 are impacted. User interaction is not required once an attacker has already gained a foothold on the vulnerable system, making this an enticing vulnerability for attackers looking to raise their permission level on a compromised system target.
- Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2026-40365): This SharePoint vulnerability allows authenticated attackers with at least Site Owner privileges to execute arbitrary code remotely. This Site Owner requirement may be why Microsoft has classified exploitation of this vulnerability as “less likely,” but organizations with policies that broadly assign this role should evaluate and treat this as a higher priority, given the possibility of remote code execution a successful attack has the potential to grant.
- Windows DNS Client Remote Code Execution Vulnerability (CVE-2026-41096): This buffer overflow vulnerability in the Windows DNS Client opens the door for an unauthenticated remote attacker to send specially crafted DNS responses leading to the execution of arbitrary code. This CVE has a CVSS score of 9.8; however, Microsoft labeling this as “exploitation unlikely” suggests that this heap buffer overflow could be technically difficult to successfully execute.
Exploit tales: Authentication bypass
Authentication is frequently the first line of defense. VPN gateways have login portals, network switches have management interfaces, and firewalls have management consoles. Each of these require authorized credentials to enter, but bypassing that barricade can provide an attacker with a direct path into a privileged position within an environment.
Authentication bypass vulnerabilities provide a foothold for successful exploits to skip the front door entirely. Sometimes this grants an attacker the ability to run arbitrary code, and other times it can grant them privileged access to the vulnerable system. Either way an attacker finds themselves in a prime position to advance their attack.
This is why CVE-2026-35616 drew immediate attention when Fortinet published an advisory for this vulnerability last month. There is proof of concept (PoC) code in the wild, and this vulnerability carries a CVSS score of 9.1 because it allows an attacker to bypass the API authentication process, executing arbitrary commands on endpoints administered by vulnerable FortiClient EMS systems.
This was actually the second authentication bypass vulnerability disclosed by Fortinet so far this year. The first was CVE-2026-24858, a FortiCloud SSO bypass that allowed for unauthorized configuration changes and account creation on vulnerable devices.
Both of these CVEs are worth keeping an eye on, but they’re not the only Fortinet authentication bypass vulnerabilities currently being used in the wild. Others are arguably just as dangerous, as attackers automate and leverage them in their standard exploitation processes.
In an incident that our SOC saw recently, attackers leveraged CVE-2024-55591 to take control of a vulnerable FortiGate device. This vulnerability in FortiOS allows an attacker to gain ‘super-administrator’ privileges on a device. We noticed the attacker had managed to create several super-admin accounts and a REST API user. They also modified the SSL VPN portal to allow full-tunnel mode and created a firewall policy with logging disabled to help facilitate backdoor traffic. Thankfully, the compromised asset resided on the guest wifi network at a single location. Due to network segmentation, the attackers didn’t have a direct path to the production network, which kept the attacker’s impact isolated. When they attempted to move laterally from the guest network to other devices beyond it, this activity was picked up by other security tools in the network environment, alerting us to the compromise. The attackers gained nothing of consequence as a result.
So as security practitioners continue to be bombarded by newly published CVEs, it’s essential to address residual risk by not overlooking older CVEs that threat actors are using in automated exploit stacks. In this incident, the logs indicated that the attacker had simply leveraged the publicly available PoC script—not even revising the username included in the PoC code. With this year-old vulnerability, applying the available patch would have closed the exposure window and avoided the incident altogether.
The lesson here is twofold:
- Patch your devices consistently
- Ensure that management interfaces aren’t exposed directly to the internet
Together, these two practices meaningfully reduce your attack surface against authentication bypass vulnerabilities like the ones discussed here.
That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, drop us a line.
