An Expanding Patch Tuesday: 137 CVEs and 30 Rated Critical
This month’s Patch Tuesday brings 137 Microsoft security updates, signalling another growth spike in vulnerability volume. None are known to be under active attack, but 30 are rated critical, and 14 carry a CVSS score of 9.0 or higher, including one perfect 10. Microsoft has also confirmed what many suspected: it is heavily using AI to uncover more flaws, via its MDASH bug-hunting system, which alone identified 16 vulnerabilities in this cycle. While this is good for long‑term security, it significantly increases near‑term patching workloads, especially when combined with 133 separate browser fixes outside the main Patch Tuesday tally. For IT administrators, the implication is clear: broader attack surface coverage, but also more testing, change management, and maintenance windows. A risk‑based approach to these Microsoft security updates is essential to avoid patch fatigue while still addressing the most dangerous issues promptly.
Netlogon Vulnerability: A 9.8 Risk to Domain Controllers
At the top of the Patch Tuesday critical CVEs list is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon with a 9.8 CVSS score. This bug is particularly alarming for domain controller security because exploitation requires no privileges, no user interaction, and has low attack complexity. A remote attacker can send a specially crafted network request to the Netlogon service and, if successful, gain code execution with SYSTEM privileges on a domain controller. Security researchers have drawn parallels with the infamous ZeroLogon issue, highlighting that once a penetration tester reaches this point, compromise of the environment is often a foregone conclusion. Although Microsoft currently rates exploitation as less likely and reports no active attacks, defenders should not be complacent. Patches are available for Windows Server 2012 and later, and organisations should prioritise testing and deploying this Netlogon vulnerability patch across all domain controllers without delay.
Windows DNS Client and Dynamics 365: Enterprise-Wide Blast Radius
CVE-2026-41096, a 9.8-rated remote code execution flaw in the Windows DNS client, presents another high-risk scenario. The bug stems from a heap-based buffer overflow triggered by a malicious DNS response, requiring neither authentication nor user interaction. Because the DNS client runs on virtually every Windows endpoint, an attacker who can influence DNS traffic—via a rogue server or man‑in‑the‑middle position—could potentially execute code across large swaths of an enterprise. While mitigations like heap randomisation and encrypted DNS channels raise the bar, experts still recommend immediate patching to reduce the chance of ransomware deployment or mass endpoint compromise. Another standout is CVE-2026-42898 in Microsoft Dynamics 365 on-premises, rated 9.9. Any authenticated user can modify process session state data so that the server unintentionally runs malicious code, potentially causing a scope change beyond the Dynamics component. Organisations running on‑prem Dynamics should test and deploy this fix as a high priority.
Entra ID Plugin Risk: Jira and Confluence Integration Under Scrutiny
Beyond core Windows components, administrators must also address CVE-2026-41103, a critical elevation of privilege vulnerability in the Microsoft Entra ID authentication plugin used with Atlassian Jira and Confluence. This flaw allows an unauthorised attacker to impersonate an existing user by presenting forged credentials, effectively bypassing Entra ID authentication flows. Microsoft expects exploitation to be more likely for this bug, which elevates its priority for teams still self‑hosting Jira or Confluence and relying on the affected plugin. One complication: current advisory links appear to reference plugin builds from 2024, raising validation challenges for security teams trying to confirm they have the correct fixed version deployed. Admins should closely review vendor guidance, verify plugin versions directly within their Atlassian instances, and coordinate with both identity and application owners. Treat this as an identity-layer risk: a successful exploit could enable quiet, high‑impact abuse of existing user accounts and access rights.
Practical Triage and Deployment Strategy for IT Administrators
Given the size and severity of this Patch Tuesday, IT teams need a clear triage plan rather than a simple “patch everything now” approach. First, prioritise systems that, if compromised, grant broad control: domain controllers (Netlogon), DNS-reliant infrastructure, on‑prem Dynamics 365 servers, and Jira/Confluence instances using the Entra ID plugin. Next, segment rollout: patch a small, representative pilot group, validate stability and key business workflows, then expand to broader production waves. Integrate these Microsoft security updates into existing change windows but consider emergency changes for CVEs that affect core identity and name resolution. Throughout, maintain robust backups and test restore procedures in case regression forces a rollback. Finally, update vulnerability management tooling and asset inventories so that all Windows Server and client builds, along with relevant plugins, are tracked against these specific CVEs. With AI-driven discovery increasing patch volumes, disciplined, risk-based patch governance is now essential.