Patch Tuesday Vulnerabilities Put Domain Controllers in the Crosshairs
Microsoft’s May Patch Tuesday delivers fixes for well over 120 CVE-listed vulnerabilities, including 137 core flaws plus 133 separate browser issues. None are known to be actively exploited, but several present serious RCE exploitation risks that demand rapid attention. Security teams should first prioritize Windows Netlogon CVE-2026-41089, a critical stack-based buffer overflow with a CVSS 9.8 score. A specially crafted network request to a domain controller can yield code execution as the Netlogon service, effectively granting SYSTEM-level access with no privileges or user interaction required and low attack complexity. This makes it highly attractive once exploit details emerge, with clear parallels to the historic ZeroLogon weakness. Microsoft has also shipped critical fixes for the Windows DNS client and Hyper-V privilege escalation, and experts stress patching all domain controllers within the same maintenance window to avoid half-patched forests that attackers can easily target.
Ivanti EPMM RCE Under Active Exploitation and CISA-Driven Deadlines
Ivanti Endpoint Manager Mobile (EPMM) is facing active exploitation of CVE-2026-6973, a high-severity improper input validation bug (CVSS 7.2) that enables remote code execution. The flaw affects EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, and allows a remotely authenticated user with administrative access to execute arbitrary code. Although Ivanti reports only a very limited number of customers exploited so far, the vulnerability has been added to the Known Exploited Vulnerabilities catalog, mandating that certain agencies apply fixes by May 10, 2026. Organizations previously hit by CVE-2026-1281 or CVE-2026-1340 were advised to rotate credentials, which may reduce risk but does not replace patching. Additional critical security patches address multiple EPMM weaknesses, including improper access control that can grant admin access, certificate validation flaws enabling host impersonation, and unauthenticated method invocation. Together, these bugs can translate into admin-level access and a broad compromise of device management infrastructure.
Enterprise Software Flaws: Ivanti, Fortinet, SAP, VMware and n8n
Beyond Patch Tuesday vulnerabilities, multiple vendors have released critical security patches for enterprise software flaws that could enable RCE, SQL injection, and privilege escalation. Ivanti Xtraction suffers from CVE-2026-8043 (CVSS 9.6), where external control of file names lets an authenticated attacker read sensitive files and write arbitrary HTML into web directories, exposing users to information disclosure and client-side attacks. Fortinet has patched two critical issues (CVE-2026-44277 and CVE-2026-26083, both CVSS 9.1) in FortiAuthenticator and FortiSandbox products, where missing or improper access control allows unauthenticated code execution via crafted HTTP requests. SAP has fixed two CVSS 9.6 bugs: CVE-2026-34260, an SQL injection in S/4HANA, and CVE-2026-34263, a missing authentication check in SAP Commerce cloud configuration that can lead to arbitrary server-side code execution. Broadcom also addressed CVE-2026-41702, a local privilege escalation issue in VMware Fusion stemming from a TOCTOU flaw, reinforcing the need for prompt desktop virtualization updates.
What IT Teams Should Do Now: Practical Remediation Priorities
IT administrators should treat these critical security patches as a coordinated emergency, with domain controllers and core enterprise platforms at the top of the queue. For Microsoft, schedule an immediate maintenance window to update all supported Windows Server domain controllers against CVE-2026-41089 and related patch Tuesday vulnerabilities, and restrict Netlogon traffic at the network layer to trusted segments only. In parallel, patch Windows DNS client and Hyper-V components to reduce RCE exploitation risks across infrastructure. For Ivanti EPMM and Xtraction, apply the latest releases, verify that all admin credentials have been rotated where prior compromise is suspected, and tighten access control and certificate management. Fortinet and SAP deployments should be updated to the vendor-specified fixed versions, with web interfaces and management planes placed behind strong authentication and network segmentation. Finally, update VMware Fusion on managed endpoints and review privilege escalation monitoring to catch any residual exploitation attempts post-remediation.