“Review your process for handling urgent out-of-band requests — password resets, access changes, anything unusual. If a verbal request alone is enough to action it, that's your gap. Add one verification step.”
CVE-2026-42897: Exchange Server OWA XSS Active Exploitation Ongoing
Microsoft disclosed CVE-2026-42897 on May 14, affecting Exchange Server OWA. An attacker can send a specially crafted email; if opened in OWA with certain conditions met, arbitrary JavaScript executes in browser context. Exchange Online is not impacted; on-premises servers require mitigation or upcoming patches.
Read more →
CVE-2026-41089: Windows Netlogon Stack Overflow Pre-Auth RCE
Critical RCE (CVSS 9.8) in Windows Netlogon on domain controllers. An unauthenticated attacker sends a crafted network request that triggers a stack overflow; no user interaction is needed. Grants immediate code execution on the DC, collapsing the forest trust boundary. Requires priority patching.
Read more →
CVE-2026-41103: Microsoft SSO Plugin for Jira/Confluence Bypass Critical
Critical EoP (CVSS 9.1) in the Microsoft Confluence/JIRA SAML SSO plugins. An incorrect authentication algorithm implementation allows an unauthenticated attacker to bypass authentication and sign in as a valid user. Microsoft marked it 'Exploitation More Likely' in the first 30 days post-release.
Read more →
Windows DNS Client RCE CVE-2026-41096 (CVSS 9.8) Unauthenticated
Critical pre-auth RCE in the Windows DNS Client (CVSS 9.8). An unauthenticated attacker sends a crafted request over the network; no user interaction is required. Part of May Patch Tuesday. Requires priority patching of domain controllers and DNS servers.
Read more →
May 2026 Patch Tuesday: 118-132 Critical CVEs Patched, No Zero-Days
Microsoft released patches for 118-132 CVEs on May 12 with 16-29 rated critical. Key critical flaws include CVE-2026-41089 (Windows Netlogon RCE 9.8 CVSS) and CVE-2026-41103 (SSO Plugin EoP 9.1 CVSS). No zero-days exploited in the wild; lowest monthly count since June 2024.
Read more →
Ivanti EPMM RCE Requires Admin Access (CVE-2026-6973) Exploited
Ivanti Endpoint Manager Mobile (EPMM) improper input validation allows a remotely authenticated admin user to achieve RCE. Active exploitation confirmed; CISA KEV catalog entry with a May 10 federal deadline. Patch or discontinue the product immediately.
Read more →
Palo Alto PAN-OS Captive Portal Out-of-Bounds Write RCE Active Exploitation
Palo Alto PAN-OS User-ID Authentication Portal (Captive Portal) contains an out-of-bounds write allowing unauthenticated RCE with root privileges on PA/VM firewalls. Active exploitation confirmed. Restrict portal access to trusted zones or disable it until patches (released May 13) are applied.
Read more →
Cisco SD-WAN Controller Authentication Bypass Under Active Exploitation
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass allowing an unauthenticated remote attacker to obtain administrative privileges. Active exploitation confirmed. CISA Emergency Directive 26-03 requires federal agencies to mitigate immediately.
Read more →
RMM Market Consolidation: NinjaOne, ConnectWise, Datto Architecture Divergence
The 2026 RMM landscape shows three architectural models: NinjaOne's unified cloud-native SaaS, ConnectWise's modular multi-product ecosystem, and Datto integrated with Kaseya/Autotask. Pricing models are shifting from per-endpoint to bundled modules; Australian MSPs are evaluating consolidation vs specialization.
Read more →
Subscribers get the full “From the Floor” take with every issue — not just the news summary you just read.
Written from 12 years on the helpdesk floor. Always free.