Microsoft shipped its May 2026 security updates on Tuesday, fixing roughly 120 vulnerabilities across Windows, Office, SharePoint, Dynamics 365, and Azure. There are no actively exploited zero-days this month — the first quiet month in nearly two years — but several of the bugs are critical, and a handful of Word and Office flaws can be triggered by simply previewing an attachment in Outlook. For a York County small business where staff open dozens of emailed invoices, resumes, and PDFs a day, that's the kind of detail that turns one careless click into a network-wide problem.
What Microsoft actually patched
Microsoft's May 2026 Patch Tuesday includes security updates for 120 flaws and no zero-days, with 17 "Critical" vulnerabilities — 14 of them remote code execution, two elevation of privilege, and one information disclosure. For the first time in nearly two years, Microsoft's monthly security update featured no actively exploited zero-day vulnerabilities or previously disclosed flaws, but the update still contained fixes for 137 CVEs, 13 of which Microsoft considers likely candidates for exploitation and nine of which the company rated as critical.
A few standouts your IT provider should already be looking at:
- CVE-2026-40361 and CVE-2026-40364 are Word vulnerabilities with the Preview Pane as an attack vector, allowing a remote attacker to execute code with no user interaction — an attacker can trigger the flaws by simply sending a maliciously crafted document.
- CVE-2026-41096, a critical Windows DNS Client remote code execution flaw that could enable an unauthenticated actor to take over the target system by sending it a malicious DNS response.
- A Netlogon flaw (CVE-2026-41089) carrying a CVSS score of 9.8, with a path that can let an unauthenticated attacker remotely execute code on a domain controller.
- CVE-2026-42898, a remote code execution vulnerability affecting on-premises Microsoft Dynamics 365 with a CVSS severity score of 9.9 that requires no user interaction.
Why the Office Preview Pane bugs matter most for small businesses
Most York County small businesses don't run on-prem Dynamics 365 or domain controllers exposed to the internet. They do run Microsoft 365, Outlook, and Word — on every desk. That's why the Preview Pane bugs are the part of this update we'd flag first.
As one researcher put it, Outlook's reading pane has long been a common attack vector; a single incoming email can trigger exploitation without the user ever opening it. An employee doesn't have to click anything. They don't have to open the attachment. The malicious document just needs to land in the inbox and get auto-previewed.
This is why business cybersecurity in York can't depend on "don't click suspicious links" training alone. The attack here doesn't need a click. It needs an unpatched copy of Word — and there are still a lot of those in small offices.
What your managed-IT provider should be doing this week
If you're paying for managed IT, here's the short list to expect from your provider in the next several days:
1. **Push the May updates to every Windows endpoint and server.** Not just laptops in the office — remote workers, the receptionist's tower, the conference-room PC nobody logs into. This is bread-and-butter patching and endpoint security work.
2. **Confirm Microsoft 365 apps are updating.** Office on the desktop pulls its own patches separately from Windows Update. A workstation can be fully patched at the OS level and still have a vulnerable copy of Word.
3. **Prioritize internet-facing and identity systems first.** Organizations should prioritize updates for Microsoft Office, SharePoint Server, and systems processing externally sourced image or document content; security teams should also review DNS infrastructure exposure and monitor vendor advisories from Palo Alto Networks, Ivanti, Fortinet, and Cisco, particularly where active exploitation is occurring.
4. **Verify the patches actually landed.** A patch that failed to install is worse than no patch, because it shows up green on a report. Real patch monitoring means checking the result, not just the deployment job.
If nobody is doing items 1 through 4 for your business, that's the gap an outsourced IT operation is supposed to fill.
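One way to check items 2 and 4 from an admin workstation is sketched below; it is an added example, not a script from Microsoft or from this article's sources. It assumes PowerShell remoting (WinRM) is enabled on the endpoints, and the KB number, Office build, and `computers.txt` inventory file are placeholders to replace with values from Microsoft's release notes and your own device list.

```powershell
# Added example. Placeholders: replace with the KB and Office build from Microsoft's release notes.
$ExpectedKb     = 'KB0000000'   # placeholder: May 2026 cumulative update for your Windows build
$MinOfficeBuild = '16.0.0.0'    # placeholder: first Click-to-Run build carrying the May fixes
$Computers      = Get-Content -Path .\computers.txt   # hypothetical inventory, one hostname per line

# Runs on each endpoint and reports what is actually installed there.
$check = {
    param([string]$Kb, [string]$MinBuild)
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    # Click-to-Run Office records its build here; it updates independently of Windows Update.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $officeBuild = if ($c2r -and $c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $null }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Reachable     = $true
        OsPatched     = [bool]$hotfix
        OfficeBuild   = if ($officeBuild) { $officeBuild.ToString() } else { 'no Click-to-Run Office' }
        # $null means there is no Click-to-Run install to judge (for example MSI Office or none).
        OfficePatched = if ($officeBuild) { $officeBuild -ge [version]$MinBuild } else { $null }
        # An installed update is not active until the pending reboot has happened.
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    }
}

$report = foreach ($name in $Computers) {
    try {
        Invoke-Command -ComputerName $name -ScriptBlock $check -ArgumentList $ExpectedKb, $MinOfficeBuild -ErrorAction Stop
    } catch {
        # Unreachable machines are findings too: they cannot be confirmed as patched.
        [pscustomobject]@{ Computer = $name; Reachable = $false; OsPatched = $null
                           OfficeBuild = $null; OfficePatched = $null; RebootPending = $null }
    }
}

# Anything listed here needs follow-up, whatever the deployment job reported.
$report | Where-Object {
    -not $_.Reachable -or -not $_.OsPatched -or $_.OfficePatched -eq $false -or $_.RebootPending
} | Select-Object Computer, Reachable, OsPatched, OfficeBuild, OfficePatched, RebootPending | Format-Table -AutoSize
```

A machine that shows `OsPatched` as true but `OfficePatched` as false is the case described in item 2: Windows is current while Word is not.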
Beyond Microsoft: other vendors patched the same week
Microsoft wasn't alone. Cisco released security updates for numerous products, Fortinet released security updates for two critical flaws in FortiSandbox and FortiAuthenticator, and Ivanti released security updates for a high-severity Endpoint Manager Mobile remote code execution vulnerability that was exploited in zero-day attacks. Palo Alto Networks warned of a critical PAN-OS User-ID Authentication Portal flaw that was exploited in attacks as a zero-day — patches have still not been released, but mitigations are available.
If your office uses any of those products at the firewall or VPN layer, those advisories belong in this week's work queue too. That's the kind of cross-vendor patch sweep network and firewall support exists to handle so business owners don't have to track ten different vendor portals.
What York Businesses Should Do
If your York County business uses Outlook, Word, or Excel daily — which is essentially every small office in the county — confirm with whoever runs your IT that the May 2026 Microsoft updates are deployed and verified on every device by the end of this week. York Computer clients are already covered as part of standard patch cycles.
Sources
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days — BleepingComputer
- It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight — Dark Reading
- May 2026 Patch Tuesday: no zero-days but plenty to fix — Malwarebytes
- Microsoft releases rare zero-day free Patch Tuesday update — Computer Weekly
- Microsoft May 2026 Patch Tuesday Fixes 120 Flaws — The Cyber Express
- Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero-Days — WinBuzzer
- Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero Days — Netizen