
Microsoft Patch Tuesday May 2026: 4 CRITICAL CVEs (Netlogon, DNS, Dynamics, Azure)

May 2026 Patch Tuesday — 4 CRITICAL CVEs: Windows Netlogon RCE (9.8), Windows DNS RCE (9.8), Dynamics 365 code injection (9.9), Azure Logic Apps EoP (9.9).

May 12, 2026 · 5 min read

The May 2026 Microsoft Patch Tuesday dropped on May 12 with a batch of CRITICAL vulnerabilities that warrant immediate attention. Four CVEs stand out by severity (CVSS 9.8 to 9.9) and attack surface: two unauthenticated RCEs in ubiquitous Windows Server components (Netlogon and DNS), one code injection in Dynamics 365 on-premises, and an elevation of privilege in Azure Logic Apps. This article walks through each one, exploitation conditions, and a recommended patching order.

If you operate a Windows Server fleet or Azure/Dynamics workloads, the next few maintenance windows must include these fixes.


The 4 CVEs at a glance

CVE            | Component                  | CVSS | Type                          | Authentication
CVE-2026-41089 | Windows Netlogon           | 9.8  | Stack buffer overflow → RCE   | None
CVE-2026-41096 | Microsoft Windows DNS      | 9.8  | Heap buffer overflow → RCE    | None
CVE-2026-42898 | Dynamics 365 (on-premises) | 9.9  | Code injection → RCE          | Low (standard account)
CVE-2026-42823 | Azure Logic Apps           | 9.9  | Improper access control → EoP | Low

CVE-2026-41089 — Windows Netlogon: stack overflow → unauthenticated RCE

The Netlogon service is central to Active Directory authentication: it handles communication between domain controllers and clients for credential validation, domain machine joins, and directory replication. An unauthenticated Netlogon RCE has historical impact comparable to Zerologon (CVE-2020-1472): full domain compromise within seconds.

Attack vector

  • AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network access, low complexity, no auth, no user interaction
  • An attacker who can reach the Netlogon RPC interface (MS-NRPC) of a domain controller can trigger the overflow; that interface is exposed through the RPC endpoint mapper on TCP 135 plus a dynamic high port, and through the netlogon named pipe over SMB on TCP 445

Impact

Arbitrary code as SYSTEM on the domain controller = de facto domain admin. NTLM/Kerberos hash theft, account tampering, persistence, full AD exfiltration.

Patch priority: CRITICAL — patch within 24-48h on DCs exposed to untrusted networks (DMZ, VPN, corporate Wi-Fi).


CVE-2026-41096 — Windows DNS Server: heap overflow → unauthenticated RCE

The Windows DNS Server service runs on nearly every domain controller (DNS and AD have historically been co-located). A remotely exploitable heap buffer overflow without authentication echoes SIGRed (CVE-2020-1350), which Microsoft itself flagged as "wormable".

Attack vector

  • AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network RCE, no auth required
  • Likely exploitation through a forged DNS response to a server-initiated query, or via a malicious DDNS update depending on configuration
  • The service runs as SYSTEM → arbitrary SYSTEM code on the DC

Why it's critical

  • Windows DNS servers are frequently internet-exposed to serve public zones
  • The Windows DNS + AD coupling means any DNS compromise = AD compromise
  • Past patches in this class (SIGRed) were exploited in the wild within weeks

Patch priority: CRITICAL — immediate on all Windows DNS servers.


CVE-2026-42898 — Dynamics 365 (on-premises): authenticated code injection

Dynamics 365 on-premises is still in use by many mid-market companies and regulated sectors (finance, healthcare) that haven't migrated to cloud. This CVE lets an attacker with a standard authenticated account inject code and execute it on the server.

Attack vector

  • AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — network access, low complexity, low privileges sufficient
  • S:C (Changed) scope: the attacker compromises a component different from the one containing the flaw — typically injected code running with Dynamics service privileges

Impact

A standard account (a salesperson, an external consultant with Dynamics access) can potentially gain RCE and pivot to other server resources — Dynamics admin accounts, database, customer data, integrations.

Patch priority: HIGH — patch within 7 days, especially for deployments with external/partner access.


CVE-2026-42823 — Azure Logic Apps: privilege escalation

Azure Logic Apps is Azure's workflow orchestration service (the enterprise low-code equivalent of Power Automate). This CVE lets an attacker holding a low-privilege account elevate their permissions within the tenant.

Attack vector

  • AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — low privileges suffice
  • Changed scope → escalation impacts components beyond Logic Apps (other Azure services in the tenant?)

Impact

Typical attack scenario: initial compromise of a user account (phishing, credential leak), then using Logic Apps to pivot toward subscription- or tenant-level permissions. Theft of Key Vault secrets, storage account access, cloud configuration tampering.

Patch priority

On the Azure side, Microsoft applies fixes automatically (managed service). User action: review Azure Activity logs of Logic Apps usage over the last 30 days to detect possible exploitation prior to disclosure.


Recommended patching order

  1. CVE-2026-41089 (Netlogon RCE) + CVE-2026-41096 (DNS RCE) — top priority on every domain controller, within 24-48h
  2. CVE-2026-42898 (Dynamics 365) — within 7 days, especially with external access
  3. CVE-2026-42823 (Azure Logic Apps) — Azure log audit; no user-side patch needed

Deployment procedure on DCs

# Get-WindowsUpdate / Install-WindowsUpdate come from the PSWindowsUpdate module
# (Install-Module PSWindowsUpdate from the PowerShell Gallery), not from Windows itself
Import-Module PSWindowsUpdate

# List the updates pending on this DC
Get-WindowsUpdate -Verbose

# Install the pending security updates (the category name contains a space).
# -AutoReboot restarts the DC as soon as installation finishes; use -IgnoreReboot
# and schedule the restart yourself if the DC has to stay up for now
Install-WindowsUpdate -Category 'Security Updates' -AcceptAll -AutoReboot

# Verify after the reboot: hotfixes installed in the last 7 days
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-7) }

For production environments with planned maintenance, treat this patch window as non-negotiable — an unpatched Netlogon or DNS on an internet- or DMZ-exposed DC is compromised within days.
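The procedure above checks one DC at a time. The script below is an added example, not part of the original post, that runs the verification across every domain controller in the domain and reports which ones still lack the fix together with the state of the Netlogon and DNS services. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and a KB number for the Netlogon/DNS fixes; $RequiredKB is a placeholder to replace with the KB listed in Microsoft's advisory, which this page does not give.

```powershell
# Added example (not from the original post): fleet-wide patch check on all DCs.
# Assumes RSAT ActiveDirectory + WinRM; $RequiredKB is a PLACEHOLDER to replace
# with the KB number from the MSRC advisory for CVE-2026-41089 / CVE-2026-41096.
Import-Module ActiveDirectory

$RequiredKB = 'KB0000000'   # PLACEHOLDER, not a real KB number

# Every DC in the domain, by DNS host name
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Ask each DC for the hotfix and the service state in parallel over WinRM
$report = Invoke-Command -ComputerName $dcs -ArgumentList $RequiredKB -ScriptBlock {
    param($kb)
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Patched     = [bool]$hotfix
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        # A reboot after the install is only proven by a boot time later than InstalledOn
        LastBoot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        Netlogon    = (Get-Service Netlogon).Status
        # DNS is absent on DCs that do not host the DNS Server role
        DNS         = (Get-Service DNS -ErrorAction SilentlyContinue).Status
    }
} -ErrorAction Continue

# Unpatched DCs first, so they are at the top of the list
$report | Sort-Object Patched, Computer |
    Format-Table Computer, Patched, InstalledOn, LastBoot, Netlogon, DNS -AutoSize

# Keep the leftovers for the change ticket and the next run
$report | Where-Object { -not $_.Patched } |
    Export-Csv -Path .\unpatched-dcs.csv -NoTypeInformation
```

DCs that do not answer over WinRM are reported by Invoke-Command as errors rather than silently dropped, so an empty `unpatched-dcs.csv` only means something once every DC in `$dcs` appears in `$report`.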


Post-exploitation detection

On domain controllers

  • Repeated crashes of the Netlogon or DNS service (Event Viewer → System log)
  • Unusual admin account creation (regular whoami /priv audit)
  • Unusual outbound traffic from the DC (DCs should only initiate connections to other DCs and well-identified services)
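The three indicators above can be pulled from a DC in one pass. The script below is an added example, not part of the original post: run locally on a domain controller with read access to the System and Security logs and the RSAT ActiveDirectory module, it lists unexpected terminations of the Netlogon and DNS Server services, accounts created and members added to privileged groups, and established sessions to hosts that are not other DCs. $LookbackDays, the privileged-group list and the ephemeral-port heuristic for "outbound" are assumptions to adapt to the environment.

```powershell
# Added example (not from the original post): DC post-exploitation indicators.
# Run on a DC; $LookbackDays and $privGroups are assumptions to adapt.
param([int]$LookbackDays = 7)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Netlogon / DNS Server service terminated unexpectedly
#    (Service Control Manager events 7031 and 7034 in the System log)
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Netlogon|DNS Server' } |
    Select-Object TimeCreated, Id,
        @{n='Service'; e={ if ($_.Message -match 'The (.+?) service') { $Matches[1] } }}

# 2. New accounts and new members of privileged groups
#    (Security log: 4720 = account created; 4728/4732/4756 = member added to a
#    global/local/universal group; property indices follow the event schema)
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$secEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = $since } `
    -ErrorAction SilentlyContinue

$newAccounts = $secEvents | Where-Object Id -eq 4720 |
    Select-Object TimeCreated,
        @{n='Account';   e={ $_.Properties[0].Value }},
        @{n='CreatedBy'; e={ $_.Properties[4].Value }}

$newAdmins = $secEvents |
    Where-Object { $_.Id -ne 4720 -and $privGroups -contains $_.Properties[2].Value } |
    Select-Object TimeCreated, Id,
        @{n='Group';   e={ $_.Properties[2].Value }},
        @{n='Member';  e={ $_.Properties[0].Value }},
        @{n='AddedBy'; e={ $_.Properties[6].Value }}

# 3. Established sessions to anything that is not another DC. Get-NetTCPConnection
#    does not record direction, so "outbound" is approximated by an ephemeral local
#    port (>= 49152): a socket the DC opened itself. Treat the result as a shortlist
#    to review, not a verdict.
$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
$outbound = Get-NetTCPConnection -State Established |
    Where-Object { $_.LocalPort -ge 49152 -and
                   $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' -and
                   $dcAddresses -notcontains $_.RemoteAddress } |
    Select-Object RemoteAddress, RemotePort, LocalPort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }}

"== Netlogon/DNS crashes since $since ==";      $crashes     | Format-Table -AutoSize
"== Accounts created ==";                       $newAccounts | Format-Table -AutoSize
"== Privileged group additions ==";             $newAdmins   | Format-Table -AutoSize
"== Sessions to non-DC hosts (ephemeral) ==";   $outbound    | Sort-Object RemoteAddress | Format-Table -AutoSize
```

The Security-log part only returns data if account-management auditing (Audit User Account Management and Audit Security Group Management) is enabled on the DCs; an empty result with auditing off proves nothing, so check the audit policy first.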

On Dynamics 365

  • Application audit log: plugin executions, workflow modifications, sensitive entity access from atypical accounts
  • Review configuration changes and registered plugin history

On Azure

  • Azure Sentinel / Activity logs: look for unusual privilege escalations, unsolicited Logic Apps modifications, Key Vault accesses
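For the 30-day Activity-log review recommended under CVE-2026-42823 and the Azure bullet above, the script below is an added example, not part of the original post. It uses the Azure CLI from PowerShell (rather than the Az module) to pull successful control-plane changes to Logic Apps and Key Vault resources over the last 30 days and group them by caller, so that principals that should not be changing workflows or vault configuration stand out. It assumes the `az` CLI is installed and signed in to the subscription under review; $Lookback and the $ExpectedCallers allow-list are assumptions to adapt.

```powershell
# Added example (not from the original post): Activity-log review of Logic Apps
# and Key Vault changes, grouped by caller. Assumes Azure CLI signed in;
# $Lookback and $ExpectedCallers are assumptions.
$Lookback        = '30d'
$ExpectedCallers = @('automation@contoso.example')   # assumed allow-list of known operators

# Activity log entries for both resource providers; Out-String joins the CLI's
# multi-line JSON so ConvertFrom-Json also works on Windows PowerShell 5.1
$events = foreach ($ns in 'Microsoft.Logic', 'Microsoft.KeyVault') {
    az monitor activity-log list --offset $Lookback --namespace $ns --output json |
        Out-String | ConvertFrom-Json
}

# Keep successful writes, deletes and actions (workflow edits, trigger runs,
# access-policy changes). Reads are not in the Activity log at all.
$changes = $events | Where-Object {
    $_.operationName.value -match '/(write|delete|action)$' -and
    $_.status.value -eq 'Succeeded'
} | Select-Object @{n='Time';      e={ $_.eventTimestamp }},
                  @{n='Caller';    e={ $_.caller }},
                  @{n='Operation'; e={ $_.operationName.value }},
                  @{n='Resource';  e={ $_.resourceId }}

"== Changes by caller, last $Lookback =="
$changes | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Changes by callers outside the allow-list =="
$changes | Where-Object { $ExpectedCallers -notcontains $_.Caller } |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

One caveat for the "Key Vault accesses" bullet: the Activity log records control-plane operations only (vault settings, access policies, role assignments). Reads of individual secrets are data-plane events and appear only in the vault's diagnostic logs (the AuditEvent category), which have to be routed to a Log Analytics workspace or Sentinel to be queried.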

Why Continuous Monitoring of Microsoft Stacks Matters

Monthly Patch Tuesday regularly brings 5 to 15 CRITICAL CVEs in the Microsoft ecosystem — Windows Server, SQL Server, Exchange, Office, Azure, Dynamics. Keeping up-to-date visibility on the exact versions of each component running in your fleet is the only way to deploy fixes within the required windows — especially for unauthenticated RCEs that warrant an emergency patch window.

With cveo.tech, inventory your Windows servers, Azure workloads, and on-premises Microsoft deployments (Exchange, SharePoint, Dynamics) and receive an automatic email every Patch Tuesday with the CVEs that hit your exact versions — so you stop manually correlating Microsoft's bulletin with your inventory.
