“Next time a client lands a last-minute request, send back a one-line risk note before you start. Not blocking the work — just documenting the trade-off. You'll be amazed how often 'urgent' becomes 'actually next week is fine.'”
Azure DevOps CVE-2026-42826: CVSS 10.0 Information Disclosure Silently Patched by Microsoft
A perfect-score CVSS 10.0 information disclosure vulnerability in Azure DevOps (CVE-2026-42826) was patched by Microsoft as part of May Patch Tuesday, allowing unauthenticated remote attackers to disclose sensitive information over the network. Microsoft proactively remediated this within cloud infrastructure, requiring no customer action for cloud-hosted DevOps. On-premises Azure DevOps Server customers should apply the May updates immediately.
Read more →Microsoft 365 Suite Outage Confirmed — Last Acknowledged Incident: 13 May 2026
StatusGator confirms the last officially acknowledged Microsoft 365 Suite outage occurred on 13 May 2026, with the service operational as of 25 May. This follows a pattern of five significant M365/Azure incidents in six months spanning Azure Front Door, Copilot, Teams, Outlook, and core M365 infrastructure. MSPs should ensure clients have an independent communication channel and a documented outage playbook to reduce blast radius during future incidents.
Read more →Purview Information Protection Label Features Disrupted for Some M365 Users
Microsoft's status history notes that some users were unable to use features or access files leveraging Microsoft Purview Information Protection labels. This affects compliance-sensitive workflows where sensitivity labels are enforced on SharePoint and OneDrive documents. Workaround: temporarily removing label enforcement requirements or accessing files via the desktop client may restore access until the fix is fully deployed.
Read more →Microsoft Azure East US Provisioning Outage (24 April 2026) — Post-Incident Review Published
Between 11:30 and 23:22 UTC on 24 April, customers experienced failures provisioning, scaling, or updating resources in Azure East US, including Virtual Machines and Azure Virtual Desktop sessions. The root cause was lock contention in a control plane partition, with automatic failover failing to complete successfully. MSPs with VMs or AVD in East US should review their BCDR posture and consider Azure Traffic Manager for failover routing.
Read more →SonicWall SMA1000 Series: High-Severity SQL Injection CVE-2026-4112 and Three Additional Flaws Patched
SonicWall patched four vulnerabilities in its SMA1000 series firewalls including CVE-2026-4112, a high-severity SQL injection bug that could allow a read-only admin to obtain primary admin rights. Three additional issues could enable remote enumeration of SSL VPN credentials or bypass TOTP authentication. SonicWall reports no known exploitation, but urges immediate firmware updates across all SMA1000 appliances.
Read more →This is what you get — every weekday, free.
Subscribers get the full “From the Floor” take with every issue — not just the news summary you just read.
Written from 12 years on the helpdesk floor. Always free.