
Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical

12 May 2026 at 17:00

Microsoft addressed another triple-digit batch of vulnerabilities cutting across its various enterprise products, components and underlying systems. Yet despite the high number of defects, the vendor reported no actively exploited zero-days in this month’s Patch Tuesday update.

Thirteen of the 137 vulnerabilities Microsoft disclosed were assigned critical CVSS ratings, including a pair of vulnerabilities affecting Azure — CVE-2026-33109 and CVE-2026-42823 — and CVE-2026-42898 in Microsoft Dynamics 365 with 9.9 CVSS scores. 

The company designated 13 vulnerabilities as more likely to be exploited, and 113 defects as less likely or unlikely to be exploited.

The high volume of vulnerabilities reflects a growing trend researchers have been anticipating as artificial intelligence models are deployed to find previously undiscovered defects in code.

“While not all of these bugs were found by AI, it’s likely they had an AI-related component — even if it was just AI writing the submission,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely. 

“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses could achieve unauthenticated remote-code execution across your enterprise,” he added. 

Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”

Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365. 

“With no user interaction required, and the potential to impact systems beyond the vulnerable component’s original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform,” he said in a blog post.

“Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption,” Bicer added.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical appeared first on CyberScoop.

Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days

10 March 2026 at 15:37

Microsoft addressed 83 vulnerabilities that cut across its broad portfolio of enterprise software and underlying services in its latest security update. The company’s Patch Tuesday release contained no actively exploited zero-day vulnerabilities and six defects it described as more likely to be exploited. 

The vendor’s batch of patches marks the first monthly update without an actively exploited zero-day in six months.

The “lack of bugs under active attack is a nice change from last month,” when Microsoft reported six actively exploited vulnerabilities, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post Tuesday. 

Two vulnerabilities addressed this month — CVE-2026-21262 and CVE-2026-26127 — were listed as publicly known at the time of release. “These bugs are more bark than bite,” said Satnam Narang, senior staff research engineer at Tenable. 

More than half of the defects in this month’s update can trigger escalated privileges, and six of those vulnerabilities — CVE-2026-23668, CVE-2026-24289, CVE-2026-24291, CVE-2026-24294, CVE-2026-25187 and CVE-2026-26132 — were rated as more likely to be exploited, Narang added.

An information-disclosure defect in Microsoft Excel — CVE-2026-26144 — showcases an attack scenario that’s likely to occur more often, according to Childs. “An attacker could use it to cause the Copilot Agent to exfiltrate data off the target,” essentially making it a zero-click operation, he wrote.

Researchers also focused on a pair of defects in Microsoft Office with CVSS ratings of 8.4 — CVE-2026-26110 and CVE-2026-26113 — that attackers can trigger to execute arbitrary code. The preview pane in Microsoft Office can serve as the attack vector for both vulnerabilities.

“Remote-code execution vulnerabilities in Office applications pose significant risks for organizations, as documents are widely shared via email, file shares, and collaboration platforms,” Mike Walters, president and co-founder of Action1, said in an email. 

“If exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks,” he added. “Even a single malicious document could compromise an endpoint and give attackers a foothold inside the organization.”

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days appeared first on CyberScoop.
