Live Threats
[STRUTS] Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.
[LAZARUS] North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.
[DEEPFAKE] Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.
[CHROME] CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.
[HIPAA] HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.
[CISA KEV] CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.
Microsoft May 2026 Patch Tuesday: 72 CVEs, 5 Zero-Days Actively Exploited — Patch Before Friday
Tags: Patch Update, Critical, CVE-2026-30400, CVE-2026-32701, CVE-2026-32706, CVE-2026-30397, CVE-2026-32719, CISA KEV
Published May 15, 2026
Current as of May 15, 2026
Source: Microsoft Security Response Center / CISA KEV
Affected Systems
  • Windows 10 (all supported versions)
  • Windows 11 (all supported versions)
  • Windows Server 2019, 2022, 2025
  • Microsoft Edge (all versions)
  • Microsoft Office 365 and Office 2021

CISA Known Exploited Vulnerabilities Catalog: CONFIRMED EXPLOITED

CVE-2026-30400, CVE-2026-32701, CVE-2026-32706, CVE-2026-30397, and CVE-2026-32719 have been added to the CISA KEV catalog, confirming active exploitation in the wild. Federal agencies are required under CISA Binding Operational Directive 22-01 to remediate KEV entries on a fixed deadline. All other organizations should treat these five CVEs with the same urgency.

Executive Summary

Microsoft's May 2026 Patch Tuesday addressed 72 vulnerabilities including five confirmed zero-days already exploited in the wild. Two Windows CLFS driver flaws are being chained by ransomware groups for privilege escalation. Patch all Windows systems immediately.

May Patch Tuesday Overview

Microsoft released its May 2026 Patch Tuesday security updates on May 13, 2026, addressing 72 CVEs across Windows, Office, Edge, and Azure products. Of the 72 vulnerabilities, 18 are rated Critical and 49 are rated Important. Five are confirmed zero-days that were exploited in the wild before Microsoft released the patch. Remote code execution flaws account for 40% of this month's patches. CISA has added all five actively exploited zero-days to its Known Exploited Vulnerabilities catalog, which triggers mandatory remediation timelines for federal agencies and is a strong signal that every organization should patch immediately.

Zero-Days #1 and #2: Windows CLFS Driver Privilege Escalation (CVE-2026-32701 & CVE-2026-32706)

The two highest-priority zero-days this month are CVE-2026-32701 and CVE-2026-32706, both Elevation of Privilege vulnerabilities in the Windows Common Log File System (CLFS) Driver. Ransomware groups are chaining these two flaws together in post-exploitation attacks: after gaining initial access through phishing or a separate vulnerability, attackers exploit the CLFS flaws to escalate from a low-privileged user account to SYSTEM level. With SYSTEM privileges, attackers can disable security software, move laterally across the network, exfiltrate data, and deploy ransomware. The CLFS driver has been a persistent source of privilege escalation vulnerabilities that ransomware operators favor because it exists on virtually every Windows system.

Zero-Day #3: Windows Desktop Window Manager Use-After-Free (CVE-2026-30400)

CVE-2026-30400 is a Use-After-Free vulnerability in the Windows Desktop Window Manager (DWM), the Windows component responsible for rendering the visual desktop. This local privilege escalation flaw allows an authenticated user to gain SYSTEM privileges by exploiting a memory management issue in DWM. Microsoft's Threat Intelligence Center (MSTIC) confirmed active exploitation in targeted attacks, with the flaw being used as part of sophisticated attack chains that begin with phishing or web-based exploits and use DWM as the final privilege escalation step before ransomware deployment.

Zero-Day #4: Microsoft Edge Scripting Engine Vulnerability (CVE-2026-30397)

CVE-2026-30397 is a critical scripting engine vulnerability affecting Microsoft Edge when running in Internet Explorer mode. The vulnerability allows an attacker to execute arbitrary code by convincing a user to visit a specially crafted website while IE mode is enabled. Many enterprise environments still use IE mode for compatibility with legacy internal web applications, making this a significant risk for businesses that have not yet migrated away from legacy web applications. Disable IE mode in Edge where not required, and apply the May patch immediately.

Deployment Recommendations

Deploy the May 2026 Patch Tuesday updates to all Windows systems as your top IT priority this week. For organizations using WSUS, SCCM, or Intune, approve and deploy the May updates immediately. Prioritize internet-facing systems first, then every server and workstation that hosts interactive logons: the CLFS driver is present on every Windows system, and DWM runs in every interactive desktop session, so the privilege escalation flaws apply across the fleet. For individual systems, enable Windows Update and allow it to download and install the May updates, then reboot. After patching, verify that the May 2026 cumulative update (the KB number Microsoft lists for your Windows build in the release notes for CVE-2026-32701, CVE-2026-32706, CVE-2026-30400, CVE-2026-30397, and CVE-2026-32719) shows as installed and that the OS build revision has advanced; the CVE identifiers themselves do not appear in the installed-updates list. Segler.Net can assist with emergency patch deployment across your Windows environment through our managed patching service.
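As an added example, not part of the original advisory, the following PowerShell script performs the post-patch verification described above and the IE-mode check recommended for CVE-2026-30397. The KB identifier is a placeholder that you must replace with the KB Microsoft lists for your Windows build in the MSRC release notes (the page does not give it). The file names `drivers\clfs.sys` and `dwmcore.dll` are the standard locations of the CLFS driver and the DWM core library; the expected post-patch file versions are not on this page, so the script prints the current versions for you to compare against the MSRC advisory. The Edge settings read and written are Microsoft's documented `InternetExplorerIntegrationLevel` and `InternetExplorerIntegrationSiteList` policies.

```powershell
# Added example (not from the original advisory): post-patch verification for the
# May 2026 Patch Tuesday release plus an audit of the Edge IE-mode policy.
# ASSUMPTION: $ExpectedKb is a placeholder; use the KB number Microsoft lists for
# your Windows build in the MSRC release notes for the May 13, 2026 update.
# Run from an elevated PowerShell session; -DisableIeMode writes machine policy.
[CmdletBinding()]
param(
    [string]$ExpectedKb = 'KB0000000',   # placeholder, replace with the real KB
    [switch]$DisableIeMode               # opt in: set the Edge policy to block IE mode
)

# 1. OS build and Update Build Revision (UBR). The cumulative update raises the UBR,
#    so a revision that did not change after "patching" means the update did not apply.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"{0} build {1}.{2}" -f $cv.ProductName, $cv.CurrentBuildNumber, $cv.UBR

# 2. Is the expected cumulative update present? Get-HotFix reads Win32_QuickFixEngineering,
#    which can lag or omit entries, so treat "not found" as "go check Update history".
$hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
if ($hotfix) {
    "Installed: $($hotfix.HotFixID) on $($hotfix.InstalledOn)"
} else {
    Write-Warning "$ExpectedKb not reported by Get-HotFix; check Windows Update history and pending reboot state"
}

# 3. File versions of the two components the advisory names: the CLFS kernel driver
#    (CVE-2026-32701, CVE-2026-32706) and the DWM core library (CVE-2026-30400).
#    Compare the printed versions with the fixed versions in the MSRC advisory.
foreach ($f in 'drivers\clfs.sys', 'dwmcore.dll') {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $p) {
        $v = (Get-Item $p).VersionInfo
        "{0,-16} {1}" -f $f, $v.ProductVersion
    } else {
        Write-Warning "$p not found"
    }
}

# 4. Edge IE-mode policy (CVE-2026-30397 is only reachable with IE mode enabled).
#    InternetExplorerIntegrationLevel: 1 = IE mode enabled, 0 = none; absent = no policy set.
$edgePol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$level    = (Get-ItemProperty $edgePol -Name InternetExplorerIntegrationLevel    -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
$siteList = (Get-ItemProperty $edgePol -Name InternetExplorerIntegrationSiteList -ErrorAction SilentlyContinue).InternetExplorerIntegrationSiteList
switch ($level) {
    1       { "IE mode: ENABLED by policy (site list: $siteList)" }
    0       { "IE mode: disabled by policy" }
    default { "IE mode: no machine policy set" }
}

if ($DisableIeMode) {
    if (-not (Test-Path $edgePol)) { New-Item -Path $edgePol -Force | Out-Null }
    Set-ItemProperty -Path $edgePol -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
    "IE mode policy set to 0 (None); Edge applies it on its next policy refresh"
}
```

Run the script once before deployment to record the baseline build revision and file versions, and again after the reboot; the UBR and the two file versions should both move. Only pass -DisableIeMode on hosts that no longer need legacy IE-mode sites, since it overrides any site list the business still depends on.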

Intel last verified: May 15, 2026 — Threat status, patch availability, and affected systems are current as of this date. CISA KEV listing confirmed active exploitation.
Key Takeaways & Action Items
  • Deploy May 2026 Patch Tuesday updates to all Windows systems before end of week — five zero-days are confirmed exploited
  • CVE-2026-32701 and CVE-2026-32706 in Windows CLFS are being chained by ransomware groups for privilege escalation — highest priority
  • CVE-2026-30400 in Windows DWM (Desktop Window Manager) is actively exploited for local privilege escalation
  • CISA added all five zero-days to its KEV catalog — federal agencies must patch within 14 days
  • Enable automatic updates on all Windows endpoints if not already managed through WSUS, SCCM, or Intune