The May 2026 Microsoft Patch Tuesday dropped on May 12 with a batch of CRITICAL vulnerabilities that warrant immediate attention. Four CVEs stand out by severity (CVSS 9.8 to 9.9) and attack surface: two unauthenticated RCEs in ubiquitous Windows Server components (Netlogon and DNS), one code injection in Dynamics 365 on-premises, and an elevation of privilege in Azure Logic Apps. This article walks through each one, exploitation conditions, and a recommended patching order.
If you operate a Windows Server fleet or Azure/Dynamics workloads, the next few maintenance windows must include these fixes.
The 4 CVEs at a glance
| CVE | Component | CVSS | Type | Authentication |
|---|---|---|---|---|
| CVE-2026-41089 | Windows Netlogon | 9.8 | Stack buffer overflow → RCE | None |
| CVE-2026-41096 | Microsoft Windows DNS | 9.8 | Heap buffer overflow → RCE | None |
| CVE-2026-42898 | Dynamics 365 (on-premises) | 9.9 | Code injection → RCE | Low (standard account) |
| CVE-2026-42823 | Azure Logic Apps | 9.9 | Improper access control → EoP | Low |
CVE-2026-41089 — Windows Netlogon: stack overflow → unauthenticated RCE
The Netlogon service is central to Active Directory authentication: it handles communication between domain controllers and clients for credential validation, domain machine joins, and directory replication. An unauthenticated Netlogon RCE has historical impact comparable to Zerologon (CVE-2020-1472): full domain compromise within seconds.
Attack vector
- AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network access, low complexity, no auth, no user interaction
- An attacker who can reach a domain controller's Netlogon ports (typically RPC on TCP 135 + ephemeral ports, or MS-NRPC ports) can trigger the overflow
Impact
Arbitrary code as SYSTEM on the domain controller = de facto domain admin. NTLM/Kerberos hash theft, account tampering, persistence, full AD exfiltration.
Patch priority: CRITICAL — patch within 24-48h on DCs exposed to untrusted networks (DMZ, VPN, corporate Wi-Fi).
CVE-2026-41096 — Windows DNS Server: heap overflow → unauthenticated RCE
The Windows DNS Server service runs on nearly every domain controller (DNS and AD have historically been co-located). A remotely exploitable heap buffer overflow without authentication echoes SIGRed (CVE-2020-1350), which Microsoft itself flagged as "wormable".
Attack vector
- AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network RCE, no auth required
- Likely exploitation through a forged DNS response to a server-initiated query, or via a malicious DDNS update depending on configuration
- The service runs as SYSTEM → arbitrary SYSTEM code on the DC
Why it's critical
- Windows DNS servers are frequently internet-exposed to serve public zones
- The Windows DNS + AD coupling means any DNS compromise = AD compromise
- Past patches in this class (SIGRed) were exploited in the wild within weeks
Patch priority: CRITICAL — immediate on all Windows DNS servers.
CVE-2026-42898 — Dynamics 365 (on-premises): authenticated code injection
Dynamics 365 on-premises is still in use by many mid-market companies and regulated sectors (finance, healthcare) that haven't migrated to cloud. This CVE lets an attacker with a standard authenticated account inject code and execute it on the server.
Attack vector
- AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — network access, low complexity, low privileges sufficient
- S:C (Changed) scope: the attacker compromises a component different from the one containing the flaw — typically injected code running with Dynamics service privileges
Impact
A standard account (a salesperson, an external consultant with Dynamics access) can potentially gain RCE and pivot to other server resources — Dynamics admin accounts, database, customer data, integrations.
Patch priority: HIGH — patch within 7 days, especially for deployments with external/partner access.
CVE-2026-42823 — Azure Logic Apps: privilege escalation
Azure Logic Apps is Azure's workflow orchestration service (the enterprise low-code equivalent of Power Automate). This CVE lets an attacker holding a low-privilege account elevate their permissions within the tenant.
Attack vector
- AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — low privileges suffice
- Changed scope → escalation impacts components beyond Logic Apps (other Azure services in the tenant?)
Impact
Typical attack scenario: initial compromise of a user account (phishing, credential leak), then using Logic Apps to pivot toward subscription- or tenant-level permissions. Theft of Key Vault secrets, storage account access, cloud configuration tampering.
Patch priority
On the Azure side, Microsoft applies fixes automatically (managed service). User action: review Azure Activity logs of Logic Apps usage over the last 30 days to detect possible exploitation prior to disclosure.
Recommended patching order
- CVE-2026-41089 (Netlogon RCE) + CVE-2026-41096 (DNS RCE) — top priority on every domain controller, within 24-48h
- CVE-2026-42898 (Dynamics 365) — within 7 days, especially with external access
- CVE-2026-42823 (Azure Logic Apps) — Azure log audit; no user-side patch needed
Deployment procedure on DCs
```powershell
# Requires the PSWindowsUpdate module (not built into Windows): Install-Module PSWindowsUpdate
Import-Module PSWindowsUpdate

# Check update status on a DC
Get-WindowsUpdate -Verbose

# Queue Critical security updates for install (category name as Windows Update reports it)
# -AutoReboot restarts the DC as soon as installation finishes; drop it if reboots must be staged
Install-WindowsUpdate -Category "Security Updates" -AcceptAll -AutoReboot

# Verify post-patch version
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-7) }
```
For production environments with planned maintenance, treat this patch window as non-negotiable — an unpatched Netlogon or DNS on an internet- or DMZ-exposed DC is compromised within days.
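The commands above verify a single DC. The following added example (not from the original article) extends the check to every domain controller in the domain over PowerShell Remoting and confirms that Netlogon and DNS came back after the reboot. The KB number is a placeholder: this article does not reproduce the May 2026 KB identifiers, so take it from the Microsoft bulletin for your OS build.

```powershell
# Added example: fleet-wide post-patch verification across all DCs.
# Assumes RSAT/ActiveDirectory module on the admin host and WinRM enabled on the DCs.
Import-Module ActiveDirectory

$kb  = 'KBPLACEHOLDER'   # placeholder: cumulative update KB for your OS build (from the bulletin)
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ArgumentList $kb -ScriptBlock {
    param($kb)
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        Build       = "$($ver.CurrentBuild).$($ver.UBR)"      # UBR rises with each cumulative update
        Patched     = [bool]$fix
        InstalledOn = $fix.InstalledOn
        Netlogon    = (Get-Service Netlogon).Status
        DNS         = (Get-Service DNS -ErrorAction SilentlyContinue).Status   # absent on DCs without the DNS role
        LastBoot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

$report | Sort-Object Patched, DC |
    Format-Table DC, Build, Patched, InstalledOn, Netlogon, DNS, LastBoot -AutoSize

# Unreachable DCs never appear in $report: compare against the AD list explicitly
$missing = $dcs | Where-Object { $_.Split('.')[0] -notin $report.DC }
$missing | ForEach-Object { Write-Warning "No answer from $_ (check WinRM / host state)" }
$report | Where-Object { -not $_.Patched } | ForEach-Object { Write-Warning "$($_.DC) still missing $kb" }
```

Comparing the UBR across DCs is a quick sanity check even before the KB lookup: a DC whose build suffix lags the others has not taken the cumulative update.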
Post-exploitation detection
On domain controllers
- Repeated crashes of the Netlogon or DNS service (Event Viewer → System log)
- Unusual admin account creation (regular `whoami /priv` audit)
- Unusual outbound traffic from the DC (DCs should only initiate connections to other DCs and well-identified services)
On Dynamics 365
- Application audit log: plugin executions, workflow modifications, sensitive entity access from atypical accounts
- Review configuration changes and registered plugin history
On Azure
- Azure Sentinel / Activity logs: look for unusual privilege escalations, unsolicited Logic Apps modifications, Key Vault accesses
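For the Azure side, both the 30-day Activity Log review recommended in the Logic Apps section and the detection bullet above come down to the same query. The following added example (not from the original article) pulls 30 days of Activity Log entries for the `Microsoft.Logic` and `Microsoft.Authorization` resource providers, flags workflow writes and role-assignment writes by callers outside a constructed allowlist, and summarises Logic Apps activity per caller. It assumes the Az.Accounts and Az.Monitor modules with an existing `Connect-AzAccount` session; the `$expectedCallers` values are placeholders, and the `Get-OpName` helper's handling of older Az.Monitor output is an assumption.

```powershell
# Added example: Azure Activity Log review for Logic Apps changes and RBAC writes.
# Runs against the current subscription context only; loop over Get-AzSubscription /
# Set-AzContext to cover a whole tenant. Activity Log retention is 90 days.
$since = (Get-Date).AddDays(-30)
$now   = Get-Date

# Control-plane events only. Activity Log does NOT record Key Vault secret reads or
# storage data access: those are data-plane operations and need the resource's
# diagnostic logs (e.g. Key Vault AuditEvent) forwarded to Log Analytics / Sentinel.
$logicEvents = Get-AzActivityLog -StartTime $since -EndTime $now -ResourceProvider Microsoft.Logic -MaxRecord 10000
$rbacEvents  = Get-AzActivityLog -StartTime $since -EndTime $now -ResourceProvider Microsoft.Authorization -MaxRecord 10000

function Get-OpName ($e) {
    # OperationName is a plain string in current Az.Monitor; older releases returned a
    # localizable object with a .Value property (assumption: handle both).
    if ($e.OperationName -is [string]) { $e.OperationName } else { $e.OperationName.Value }
}

# Constructed allowlist: identities expected to change workflows or assign roles
# (CI/CD service principals, platform team). A Logic App's own managed identity
# shows up as an object-id GUID in Caller, which is exactly what should not be here.
$expectedCallers = @('deploy-sp@example.com', 'platform-admin@example.com')   # placeholders

$findings = foreach ($e in @($logicEvents) + @($rbacEvents)) {
    $op = Get-OpName $e
    $interesting = ($op -match 'Microsoft\.Logic/workflows/(write|delete)') -or
                   ($op -match 'Microsoft\.Authorization/roleAssignments/write')
    if ($interesting -and ($e.Caller -notin $expectedCallers)) {
        [pscustomobject]@{
            Time      = $e.EventTimestamp
            Caller    = $e.Caller
            Operation = $op
            Resource  = $e.ResourceId
        }
    }
}

"== Workflow changes and role assignments by unexpected callers (last 30 days) =="
$findings | Sort-Object Time | Format-Table -AutoSize -Wrap

"== Logic Apps control-plane activity by caller =="
$logicEvents | Group-Object Caller | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

A role-assignment write whose Caller is a workflow's managed identity, or a workflow write from a user account that has never touched Logic Apps before, is the pattern to escalate; pair it with the Key Vault and storage diagnostic logs to see what the elevated identity then accessed.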
Why Continuous Monitoring of Microsoft Stacks Matters
Monthly Patch Tuesday regularly brings 5 to 15 CRITICAL CVEs in the Microsoft ecosystem — Windows Server, SQL Server, Exchange, Office, Azure, Dynamics. Keeping up-to-date visibility on the exact versions of each component running in your fleet is the only way to deploy fixes within the required windows — especially for unauthenticated RCEs that warrant an emergency patch window.
With cveo.tech, inventory your Windows servers, Azure workloads, and on-premises Microsoft deployments (Exchange, SharePoint, Dynamics) and receive an automatic email every Patch Tuesday with the CVEs that hit your exact versions — so you stop manually correlating Microsoft's bulletin with your inventory.