“Resist the urge to broadcast every M365 incident to your clients. Save it for the ones that actually affect them. Cry-wolf fatigue is real — when you do need their attention, you want to have it.”
May 2026 Patch Tuesday: 120+ CVEs Fixed, No Zero-Days — First Clean Month Since June 2024
Microsoft's May 2026 Patch Tuesday addressed 120+ CVEs across Windows, Office, and Azure, with 16 rated Critical and — notably — zero actively exploited or publicly disclosed zero-days, the first such clean release in nearly two years. Standout critical flaws include CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) exploitable via a rogue DNS server with no auth required, CVE-2026-41089 (Windows Netlogon RCE, CVSS 9.8) targeting domain controllers, and CVE-2026-40402 (Hyper-V EoP, CVSS 9.3) allowing guest-to-host escape. Apply Windows Updates immediately; as a workaround for Netlogon, restrict Netlogon traffic at the network layer so domain controllers do not accept connections from arbitrary segments.
Read more →CVE-2026-42826: CVSS 10.0 Azure DevOps Info Disclosure — Patched Silently by Microsoft
A perfect-10 CVSS vulnerability in Azure DevOps (CVE-2026-42826) allowed unauthenticated remote attackers to disclose sensitive information over a network via an information exposure flaw (CWE-200). Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention — no customer action is needed, but teams should audit DevOps pipeline secrets and tokens as a precaution.
Read more →CVE-2026-42898: CVSS 9.9 RCE in Microsoft Dynamics 365 On-Premises — Patch Immediately
A code injection flaw in Dynamics 365 On-Premises (CVE-2026-42898, CVSS 9.9) allows any authenticated remote attacker to execute arbitrary code with a scope change, meaning exploitation can break out beyond the vulnerable component itself. Zero Day Initiative flagged this as a top-priority patch for any organisation running Dynamics 365 on-prem. Apply the May 2026 Patch Tuesday update immediately; no workaround is available for this flaw.
Read more →Critical June 26, 2026 Secure Boot Certificate Expiration Deadline — 32 Days Away
Organisations have approximately 32 days remaining until the June 26, 2026 Secure Boot certificate expiration deadline. Failure to update Secure Boot certificates before this date may cause boot failures on patched systems. MSPs should audit all managed endpoints and servers for Secure Boot compliance and complete certificate validation steps now, well ahead of the deadline.
Read more →Microsoft Exchange Server CVE-2026-42897 Added to CISA KEV — Emergency Mitigation Service Invoked
CISA added a Microsoft Exchange Server vulnerability (CVE-2026-42897) to its Known Exploited Vulnerabilities catalog with a reference to Microsoft's Exchange Emergency Mitigation Service (EEMS), indicating active exploitation. MSPs managing on-premises Exchange deployments should apply the May 2026 Patch Tuesday update immediately and verify that the EEMS automatic mitigation service is active as an interim control.
Read more →CVE-2026-41103: Critical SSO EoP in Microsoft Plugin for Jira & Confluence (CVSS 9.1) — 'Exploitation More Likely'
May Patch Tuesday included CVE-2026-41103, a critical elevation of privilege flaw (CVSS 9.1) in the Microsoft SSO Plugin for Jira and Confluence, rated 'Exploitation More Likely' by Microsoft's Exploitability Index. Successful exploitation allows an attacker to sign in using a forged identity without Entra ID authentication, gaining the ability to access or modify data in Jira and Confluence. MSPs managing Atlassian environments should apply the plugin update immediately; as an interim measure, restrict Jira and Confluence access to trusted networks only.
Read more →May 2026 Patch Tuesday: Microsoft Word Preview Pane RCE CVEs Rated 'Exploitation More Likely'
Four critical RCE bugs in Microsoft Word were patched in May 2026, with CVE-2026-40361 and CVE-2026-40364 assessed by Microsoft as more likely to be exploited within 30 days. Crucially, exploitation does not require opening a document — viewing a malicious file in the Outlook or Explorer Preview Pane is sufficient to trigger code execution. MSPs should prioritise Microsoft Office updates across all managed endpoints and advise clients to disable the Preview Pane as a temporary workaround until patched.
Read more →CISA KEV: Palo Alto PAN-OS Out-of-Bounds Write (CVE-2026-0300) Actively Exploited — Patches Now Available
CISA added CVE-2026-0300, a PAN-OS out-of-bounds write vulnerability in the User-ID Authentication Portal (Captive Portal), to its Known Exploited Vulnerabilities catalog after confirmed active exploitation allowing unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls. Palo Alto released patches on 13 May 2026. Workaround: restrict User-ID Authentication Portal access to trusted zones only, or disable it if not required. Apply vendor patches immediately.
Read more →CISA Emergency Directive 26-03: Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20182) Actively Exploited
CISA issued Emergency Directive 26-03 for CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that allows an unauthenticated remote attacker to bypass authentication and obtain full administrative privileges. CISA has also published supplemental Hunt & Hardening Guidance for Cisco SD-WAN devices. Federal and enterprise customers should apply Cisco's patch immediately and follow CISA's hardening guide; isolate SD-WAN management interfaces from the internet as an interim measure.
Read more →Fortinet Releases Critical Patches for FortiSandbox and FortiAuthenticator in May 2026
Fortinet released security updates in May 2026 addressing two critical flaws in FortiSandbox and FortiAuthenticator. While active exploitation has not been confirmed, Fortinet products have historically been rapidly weaponised after patch disclosure — with over 20 CVEs currently on CISA's KEV catalog for Fortinet products. MSPs should apply the FortiSandbox and FortiAuthenticator updates immediately and consult FortiGuard for affected version details.
Read more →SonicWall SMA1000 SQL Injection CVE-2026-4112 and Three Additional Flaws Patched
SonicWall patched four vulnerabilities in the SMA1000 series firewalls, including high-severity SQL injection bug CVE-2026-4112 which could allow an attacker with read-only admin rights to escalate to primary admin. Three additional flaws enable SSL VPN credential enumeration and TOTP authentication bypass. SonicWall reports no confirmed exploitation in the wild but urges immediate firmware updates; no workaround is available beyond applying the patch.
Read more →Kaseya Intelligence Launched at Kaseya Connect 2026 — AI Engine Trained on 1B+ Help Desk Tickets
Kaseya announced Kaseya Intelligence at its Connect Global event in April 2026, an AI engine trained on over 1 billion help desk tickets, 3 exabytes of backup data, and 17 million managed endpoints powering the Kaseya 365 platform. The engine closes the loop between detection and action — autonomously executing fixes rather than surfacing recommendations — positioning it as a direct competitor to rule-based RMM automation. According to Kaseya's 2026 State of the MSP Report, 48% of MSPs cite AI and automation as the top client IT need this year, but only 13% currently generate meaningful revenue from it.
Read more →AI Agent Platforms Emerge as New MSP Automation Category — Neo Agent and SuperOps Lead Agentic Tier
The 2026 MSP automation market has split into three distinct tiers: rule-based RPA (Rewst, Power Automate), bundled RMM/PSA automation (Atera, NinjaOne, ConnectWise), and AI agent platforms that handle judgement-based L1 work without workflow mapping (Neo Agent, SuperOps). Neo Agent operates in reactive mode (triage, L1 resolution, RMM remediation) and scheduled mode (M365 compliance audits, SLA reviews, QBR generation), configured in plain English. MSPs evaluating this category should note that AI agent platforms show value within days versus weeks for rule-based tools.
Read more →Microsoft AI CEO Predicts 'Most White-Collar Tasks' Automated Within 12–18 Months — MSP Opportunity Signal
Microsoft AI CEO Mustafa Suleyman publicly forecast that 'most, if not all' white-collar tasks could be automated within 12–18 months, citing AI-assisted coding as current evidence of the trend. For MSPs, this represents a significant service expansion signal: AI-integration consulting, workflow redesign, and automation enablement are emerging as high-margin differentiators beyond traditional managed services. MSPs should begin packaging AI advisory services and governance frameworks for client conversations now.
Read more →Have I Been Pwned Now Officially Supports MSPs with Multi-Domain Pro and High RPM Tiers
Troy Hunt's Have I Been Pwned (HIBP) has updated its terms and pricing to formally allow MSPs, offering Pro and High RPM subscription tiers with hard domain caps to prevent abuse. New MSP features include automated domain verification and auto-verification of subdomains, with agentic AI integrations in development to turn breach data into client-ready intelligence reports. Australian-based Microsoft Regional Director Troy Hunt confirmed plans to make HIBP data accessible to AI agents to help MSPs generate meaningful client reports.
Read more →US MSP Integris Acquires Australian MSP First Focus in Major ANZ Channel Consolidation Deal
US-based MSP Integris has acquired prominent Australian MSP First Focus, with First Focus CEO Ross Sardi becoming Integris' global Chief Innovation Officer focused on AI solutions for SMB clients. Integris CEO Rashaad Bajwa cited Australia's regulatory environment — including moves toward mandatory cybersecurity insurance — as a key driver, and noted Australian MSP market consolidation is approximately three to five years behind the US. First Focus staff and ANZ service delivery remain unchanged, with access to 800 additional global Integris resources.
Read more →Coastal Cyber Launches in Australia to Help MSPs Build Essential Eight GRC Frameworks
Coastal Cyber, a new Australian cybersecurity advisory practice founded by 30-year industry veteran Daniel Johns (ex-CyberCX, MyCISO, ASI Solutions), has launched specifically to help MSPs build repeatable, priced, and documented security governance frameworks for SME clients. The practice delivers four components: a defined security service offering, a repeatable delivery process, a pricing model, and staff training — all aligned to the ACSC Essential Eight and covering incident response, third-party risk, and disaster recovery. MSPs in financial services, healthcare, and technology verticals are the primary target market.
Read more →CRN Australia Channel Awards 2026 — Entries Close Friday 29 May
The 2026 CRN Channel Awards Australia entries close this Friday, 29 May — just four days away. Australian MSPs and channel partners should finalise submissions immediately, ensuring client testimonials are included as missing testimonials may cost a spot on the shortlist. Categories cover a broad range of partner and vendor excellence recognitions across the Australian IT channel.
Read more →Elastic Repositions MSPs as Strategic Partners Globally from May 2026 — APAC Model Goes Worldwide
Elastic has shifted its global partner strategy, reclassifying MSPs from customers to strategic partners effective May 1, 2026, rolling out the APAC-proven model globally. Elastic ANZ VP Andrew Habgood confirmed the change is also being extended to MSSPs, with a focus on enabling MSPs to scale Elastic's SIEM and observability capabilities to their client base. MSPs currently using Elastic on a transactional basis should engage their Elastic account team to transition to the new partner model.
Read more →This is what you get — every weekday, free.
Subscribers get the full “From the Floor” take with every issue — not just the news summary you just read.
Written from 12 years on the helpdesk floor. Always free.