Security & IT News

Security teams have never had better visibility into their environments and never been worse at confirming what they fix stays fixed. Mandiant's M-Trends 2026 report puts the mean time to exploit at an estimated negative seven days. The Verizon 2025 DBIR puts median time to remediate edge device vulnerabilities at 32 days. These numbers have understandably driven the industry toward a clear

Microsoft on Tuesday released patches for 138 security vulnerabilities spanning its product portfolio, although none of them have been listed as publicly known or under active attack. Of the 138 flaws, 30 are rated Critical, 104 are rated Important, three are rated Moderate, and one is rated Low in severity. As many as 61 vulnerabilities are classified as privilege escalation bugs, followed by

Microsoft has patched 120 vulnerabilities in this month’s security update round

Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above. Windows Netlogon: critical RCE Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089 , which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it’s not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards. Windows DNS Client: critical RCE An attacker looking for a master key for Windows assets will pay attention to CVE-2026-41096 , a critical RCE in the Windows DNS client implementation. A modern computer talks to DNS the way a child in the back of a car asks “are we there yet?” The variable and complex structure of DNS responses means that DNS client implementations are also complex and thus prone to flaws. Microsoft assesses exploitation as less likely, and we can hope that modern mitigations such as heap address randomization and optional-but-recommended encrypted channel DNS will make weaponization significantly more challenging by putting barriers across specific paths to exploitation. The DNS client on Windows runs as the NetworkService role, rather than SYSTEM, but a foothold is a foothold, and skilled attackers expect to chain exploits together. JIRA/Confluence Entra ID auth plugin: critical EoP If you’re still self-hosting Atlassian JIRA or Confluence and relying on the Microsoft Entra ID authentication plugin, you’ll want to know about CVE-2026-41103 . This critical elevation of privilege vulnerability allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely. Even if you can’t always find what you want on the corporate Confluence, a motivated attacker probably will. Curiously, the patch links on the advisory lead to older versions of the plugins published in 2024. Microsoft WARP team Microsoft’s WARP

In this article Core Idea: From TTPs to Logs Approaches for Synthetic Attack Log Generation Evaluation Datasets References Learn more Logs and telemetry are the foundation of modern cybersecurity. They enable threat detection, incident response, forensic investigation, and compliance across endpoints, networks, and cloud environments. Yet, despite their importance, high‑quality security attack logs are notoriously difficult to collect, especially at scale. Real‑world security telemetry is often composed of repeated benign activity occurring across environments and with very rare malicious activity. Gathering, labeling, and maintaining datasets with real attack logs is costly and operationally challenging. It requires not only labeling malicious activities, but also fully reconstructing attack scenarios. These challenges significantly slow detection engineering and limit the quality of both the rule-based detection authoring and anomaly-detection approaches. In this post, we explore a different path: using AI to generate realistic, high‑fidelity synthetic security attack logs. By translating attacker behaviors, expressed as tactics, techniques, and procedures (TTPs)—directly into structured telemetry, we aim to accelerate detection development while preserving realism and security. Why is this work important for Microsoft Defender customers? For Microsoft Defender customers, this work is crucial because it directly addresses the challenge of obtaining high-quality, realistic security attack logs needed for effective threat detection and response. By leveraging AI-driven synthetic log generation, organizations can accelerate the development of detection rules and AI-based automation approaches, while ensuring privacy and reducing operational overhead. Synthetic logs enable customers to simulate a broader range of attack scenarios—including rare and emerging threats—without exposing sensitive data or relying on costly lab-based simulations. Ultimately, this approach enhances the agility and effectiveness of Microsoft Defender detection and response capabilities, helping customers stay ahead of evolving cyber threats. Why Synthetic Security Logs in addition to Lab Simulations? Synthetic data has been widely adopted in various fields as a privacy-conscious substitute for real data, and it offers even greater advantages in cybersecurity. It enables the creation of safe, shareable datasets that avoid exposure of sensitive customer information, allows simulation of rare or emerging attacks that are challenging to observe in real environments, accelerates the process of detection engineering and testing, and supports reproducible experiments for benchmarking and evaluation. While synthetic logs are not a replacement for all lab-based validation, they can complement lab simulations by speeding up early-stage detection design, testing, and coverage expansion. Traditionally, generating realistic attack telemetry requires executing real attacks in controlled

In this article AI-powered vulnerability discovery at hyper-scale Codename: MDASH—Microsoft Security’s new multi-model agentic scanning harness Using codename MDASH for security research The 5.12.2026 Patch Tuesday cohort Two deep dives CVE-2026-33827—Remote unauthenticated UAF in tcpip.sys via SSRR CVE-2026-33824: Unauthenticated IKEv2 SA_INIT + fragmentation → double-free → LocalSystem RCE How capable is codename MDASH? What this all means Conclusion Today Microsoft announced a major step forward in AI-powered cyber defense: our new agentic security system helped researchers find 16 new vulnerabilities across the Windows networking and authentication stack—including four Critical remote code execution flaws in components such as the Windows kernel TCP/IP stack and the IKEv2 service. They used the new Microsoft Security m ulti-mo d el a gentic s canning h arness (codename MDASH) which was built by Microsoft’s Autonomous Code Security team. Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end. Learn more and sign up to join the preview The results speak for themselves: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver; 96% recall against five years of confirmed Microsoft Security Response Center (MSRC) cases in clfs.sys and 100% in tcpip.sys; and an industry-leading 88.45% score on the public CyberGym benchmark of 1,507 real-world vulnerabilities—the top score on the leaderboard, roughly five points ahead of the next entry. The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale, and the durable advantage lies in the agentic system around the model rather than any single model itself. Codename MDASH is being used by Microsoft security engineering teams and tested by a small set of customers as part of a limited private preview. This post explains how codename MDASH works, what we shipped today, what we learned along the way, and how you can sign up for the private preview. AI-powered vulnerability discovery at hyper-scale The Microsoft Autonomous Code Security (ACS) team was assembled to take AI-powered vulnerability research from a research curiosity to production engineering at enterprise scale. Several members of this team came to Microsoft from Team Atlanta, the team that won the $20 million DARPA AI Cyber Challenge by building an autonomous cyber-reasoning system that found and patched real bugs in complex open-source projects. The lessons from that work, especially the level of engineering required to make the frontier language models perform professional-level security auditing, are what our new multi-model agentic scanning harness (codename MDASH) is built around. Microsoft’s code base is challenging for security auditing for a few reasons: Massive propr

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple , Google , Microsoft , Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases. As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness). Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including: CVE-2026-41089 : A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards. CVE-2026-41096 : A critical RCE in the Windows DNS client implementation worthy of attention despite Microsoft assessing exploitation as less likely. CVE-2026-41103 : A critical elevation of privilege vulnerability that allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely. May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws . Microsoft was among a few dozen tech giants given access to a “ Project Glasswing ,” a much-hyped AI capability developed by Anthropic that appears quite effective at unearthing security vulnerabilities in code. Apple, another early participant in Project Glasswing, typically fixes an average of 20 vulnerabilities each time it ships a security update for iOS devices, said Chris Goettl , vice president of product management at Ivanti . On May 11, Apple shipped updates to address at least 52 vulnerabilities and backported the changes all the way to iPhone 6s and iOS 15. Last month, Mozilla released Firefox 150 , which resolved a whopping 271 vulnerabilities that were reportedly discovered during the Glasswing evaluation. “Since Firefox 150.0.0 released, they have been on a more aggressive weekly cadence for

IT teams often struggle to quickly coordinate responses across disparate systems during network incidents. This upcoming webinar explores how automation and AI-assisted workflows can reduce response times and help prevent outages. [...]

Microsoft has released the Windows 10 KB5087544 extended security update to fix the May 2026 Patch Tuesday vulnerabilities and resolve an issue with the new Remote Desktop warnings. [...]

Today's Microsoft patch Tuesday fixes 137 different vulnerabilities. In addition, the update addresses 137 Chromium-related issues affecting Microsoft Edge. There are no already disclosed or already exploited vulnerabilities included in today's patches. I removed the Chromium issues from the table below and included only the 137 Microsoft issues to make it more readable. Note that issues related to Microsoft Azure are labeled as no customer action required. Significant Vulnerabilities of interest: CVE-2026-41103: This vulnerability affects the Microsoft SSO Plugin for Jira Confluence. Exploitation could lead to an elevation of privileges. With ongoing supply chain attacks, development and CI/CD tools like Jira and Confluence are popular targets. CVE-2026-41089: A preauthentication remote code execution vulnerability in the Netlogon service will always be a juicy target, worth some AI tokens to write an exploit for. Other critical vulnerabilities include the usual Word and Microsoft Office issues. Description CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) .NET Core Tampering Vulnerability %%cve:2026-32175%% No No - - Important 4.3 3.8 .NET Elevation of Privilege Vulnerability %%cve:2026-32177%% No No - - Important 7.3 6.4 %%cve:2026-35433%% No No - - Important 7.3 6.4 ASP.NET Core Denial of Service Vulnerability %%cve:2026-42899%% No No - - Important 7.5 6.5 Azure AI Foundry Elevation of Privilege Vulnerability (no customer action required) %%cve:2026-35435%% No No - - Critical 8.6 7.5 Azure Cloud Shell Spoofing Vulnerability (no customer action required) %%cve:2026-35428%% No No - - Critical 9.6 8.3 Azure Connected Machine Agent Elevation of Privilege Vulnerability %%cve:2026-40381%% No No - - Important 7.8 6.8 Azure DevOps Information Disclosure Vulnerability (no customer action required) %%cve:2026-42826%% No No - - Critical 10.0 8.7 Azure Logic Apps Elevation of Privilege Vulnerability %%cve:2026-42823%% No No - - Important 9.9 8.6 Azure Machine Learning Notebook Spoofing Vulnerability (no customer action required) %%cve:2026-32207%% No No - - Critical 8.8 7.7 %%cve:2026-33833%% No No - - Important 8.2 7.1 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability (no customer action required) %%cve:2026-33109%% No No - - Critical 9.9 8.6 %%cve:2026-33844%% No No - - Critical 9.0 7.8 Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability (no customer action required) %%cve:2026-41105%% No No - - Critical 8.1 7.1 Azure Monitor Agent Elevation of Privilege Vulnerability %%cve:2026-32204%% No No - - Important 7.8 6.8 Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability %%cve:2026-42830%% No No - - Important 6.5 5.7 Azure SDK for Java Security Feature Bypass Vulnerability %%cve:2026-33117%% No No - - Important 9.1 7.9 Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability (no customer actio

Microsoft has released Windows 11 KB5089549 and KB5087420 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features. [...]

If you own, create, or maintain online services and web portals, you’re probably aware of the dramatic upswing in DDoS attacks on your domains. AI has democratized tooling not just for us but for threat actors as well. DDoS in this era has extended from simple bandwidth saturation to sophisticated, application-layer abuse. Defending against this activity now requires system-level design, beyond just the typical network-level filtering. As botnets continue to expand their footprint and evade identification, it is important for us to take a step back, assess the situation, and take a defense-in-depth approach to increase our resilience against this class of disruption. Protect your cloud workloads with Azure Cloud Security DDoS activity across Bing and other online services at Microsoft has seen a large uptick in the past five to six years. As reported in the Microsoft Digital Defense Report 2025 , Microsoft now processes more than 100 trillion security signals , blocks approximately 4.5 million new malware attempts , analyzes 38 million identity risk detections , and screens 5 billion emails for malicious content each day. This helps illustrate both the breadth of modern attack surfaces and the automation cyberattackers can now wield at industrial scale. When we narrow in specifically on DDoS, an even clearer trend emerges: beginning in mid-March of 2024 , Microsoft observed a rise in network DDoS attacks that eventually reached approximately 4,500 cyberattacks per day by June 2024. And this persistent volume was paired with a shift toward more stealthy application-layer techniques. In my role as Vice President, Intelligent Conversation and Communications Cloud Platform at Microsoft, I focus on helping the Microsoft AI and Bing teams build systems that are safe, resilient, and worthy of user trust, even under the sustained pressure we’re receiving from today’s cyberattackers. Whether you are responsible for a single public website or a large portfolio of consumer-facing applications, defending against modern DDoS attacks means more than just absorbing traffic. It means building defense-in-depth robust enough that, even if some attack traffic gets through, your service stays usable for the people who rely on it. The nature of modern DDoS attacks Early DDoS attacks were largely about volume. Cyberattackers would flood a target with traffic in an attempt to saturate network capacity and force an outage. While volumetric attacks still happen, most large services now have baseline protections that make this approach less effective on its own. Get always-on monitoring with Azure DDoS Protection Modern DDoS attacks are more nuanced. They are often multi-vector, with a single campaign potentially including network-layer floods and application-layer abuse at the same time. Along with the exponential increase in the scale of these cyberattacks, they are also getting more tailored to stress specific applications and user flows. Application-layer attacks are

In this article Abuse of trusted relationships as an attack delivery mechanism Methods, tools, and access strategies Campaign conclusion Microsoft Defender detection and hunting guidance In recent years, many sophisticated intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. By operating through legitimate and trusted administrative mechanisms, threat actors could more easily blend seamlessly into routine operations and remain undetected. Microsoft Incident Response investigated an intrusion that followed this pattern. What initially appeared as routine administrative activity was instead found to be a coordinated campaign abusing trusted operational relationships and authentication processes to establish durable access. The threat actor in this incident leveraged a compromised third-party IT services provider and legitimate IT management tools to conduct a stealthy campaign focusing on long-term access, credential theft, and establishing a persistent foothold. Microsoft Incident Response Address incidents and build resilience ↗ This blog walks through how the intrusion unfolded, why it was difficult to detect, and how trusted systems, including identity infrastructure, operational tooling, and third-party management relationships were leveraged to sustain access. By examining the investigation end to end, we highlight how modern intrusions succeed without reliance on malware-heavy techniques and what defenders can learn from identifying abuse in environments where trust is implicit. We also provide mitigation and protection recommendations, as well as Microsoft Defender detection and hunting guidance to help identify and investigate related activity. Abuse of trusted relationships as an attack delivery mechanism Rather than relying on exploits or malware-based delivery, this attack leveraged an existing trusted operational relationship for malicious activity across the environment. The investigation identified HPE Operations Agent (OA), an approved and signed enterprise management tool commonly used for monitoring and administrative automation, as the primary delivery mechanism. Importantly, this did not involve any vulnerability or flaw in HPE OA itself. Analysis during the incident response process revealed that management of this operational platform had been delegated to a third-party IT services provider, expanding the trust boundary beyond the organization itself. While such arrangements are operationally common, they introduce implicit trust paths that, if compromised, could be leveraged by threat actors to move within the environment using legitimate access and tooling. By operating through the HPE OA framework, the threat actor executed scripts and binaries in a manner indistinguishable from normal operations, allowing malicious activity to blend seamlessly into expected behavior and delaying detection. This t

Exploitation of open-source tools allows attackers to maintain persistent access after initial social engineering, warn ReliaQuest researchers

SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite. [...]

OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across

Apple today released its typical feature update across it's operating systems (iOS, iPadOS, macOS, tvOS, watchOS, vision OS). With this update, Apple patched 84 different vulnerabilities. Updates are available for the 26 series of operating systems, as well as for the previous 18 version of iOS/iPadOS, and two versions back for macOS (version 14 and 15). None of the vulnerabilities has been exploited. The number of addressed vulnerabilities is about average compared to similar Apple updates. Figure: Number of Vulnerabilities patched for each security update. Last one in red at the end. iOS 26.5 and iPadOS 26.5 iOS 18.7.9 and iPadOS 18.7.9 macOS Tahoe 26.5 macOS Sequoia 15.7.7 macOS Sonoma 14.8.7 tvOS 26.5 watchOS 26.5 visionOS 26.5 CVE-2025-43524: An app may be able to break out of its sandbox. Affects Icons x x CVE-2026-28819: An app may be able to execute arbitrary code with kernel privileges. Affects Wi-Fi x x x x CVE-2026-28840: An app may be able to gain root privileges. Affects PackageKit x x CVE-2026-28846: A remote attacker may be able to cause unexpected app termination. Affects SceneKit x x x x x x x x CVE-2026-28848: A remote attacker may be able to cause unexpected system termination. Affects SMB x x CVE-2026-28870: An app may be able to access sensitive user data. Affects GeoServices x CVE-2026-28872: A remote attacker may be able to cause a denial-of-service. Affects Calendar x CVE-2026-28873: An app may be able to circumvent App Privacy Report logging. Affects Privacy x CVE-2026-28877: An app may be able to access sensitive user data. Affects Accounts x CVE-2026-28878: An app may be able to enumerate a user's installed apps. Affects Crash Reporter x CVE-2026-28882: An app may be able to enumerate a user's installed apps. Affects libxpc x CVE-2026-28883: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x x x x x CVE-2026-28894: A remote attacker may be able to cause a denial-of-service. Affects Calling Framework x CVE-2026-28897: A local user may be able to cause unexpected system termination or read kernel memory. Affects Kernel x x x x x x x x CVE-2026-28901: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x CVE-2026-28906: An attacker may be able to track users through their IP address. Affects Networking x x x x x x CVE-2026-28907: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Affects WebKit x x x x x x CVE-2026-28908: An app may be able to modify protected parts of the file system. Affects Kernel x x x CVE-2026-28913: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x x x x CVE-2026-28914: A maliciously crafted ZIP archive may bypass Gatekeeper checks. Affects zip x CVE-2026-28915: An app may be able to gain root privileges. Affects CUPS x x x CVE-2026-28917: Processing maliciously crafted web content may lead to a

Two new high-severity vulnerabilities, dubbed ’Dirty Frag’ when chained, have been found in the Linux kernel, affecting most Linux distributions

The same extension applies to security updates shipped to US-based users of foreign-made drones

World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential. Real progress requires more than adding stronger sign-in options—it requires removing phishable credentials and strengthening common attack paths like recovery flows. In partnership with the FIDO Alliance, Microsoft is committed to advancing passkey adoption through ongoing standards work, active participation in working groups, and other contributions to a passwordless future. Explore Microsoft Entra identity and access solutions Passwords remain a major source of risk; they’re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they’re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%. 1 In response, Microsoft is expanding passkey adoption across our ecosystem. We’re reducing reliance on legacy authentication and strengthening account recovery so it won’t become a backdoor for cyberattackers. “Instead of vulnerable secrets or potentially identifiable personal information, a passkey uses a private key stored safely on the user’s device. It only works on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN. This means passkey users can’t be tricked into signing in to a malicious lookalike website, and a passkey is unusable unless the user is present and consenting. These are some qualities that make passkeys a ‘phishing-resistant’ form of authentication.” From Microsoft Digital Defense Report . Passkey adoption continues to grow industry wide Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide. 2 Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day. There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower. 3 Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer. 4 Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment. 5 It’s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone. Product updates across sign-in and recovery Across Microsoft, we’ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra , and from device-based authentication like Windows