
May Patch Tuesday: Four critical bugs worth acting on this week

137 CVEs dropped in May’s Patch Tuesday, but only four need urgent attention for most businesses. Here’s what to patch, in what order, and one gotcha to.

By The Dragon Digital team


Yesterday was Microsoft’s May Patch Tuesday. One hundred and thirty-seven CVEs announced, thirty flagged as critical — and, for the first time since June 2024, no zero-days actively being exploited in the wild. That’s a genuine relief. It means you can run this month’s patching as a calm, structured process rather than a fire drill.

Here’s what actually needs your attention, in the order it needs it.

The four bugs worth prioritising

Windows Netlogon (CVE-2026-41089, CVSS 9.8) — If you run an on-premises server acting as a domain controller (the machine that manages all your staff logins), patch this within 48 hours. An attacker who reaches it over the network can take full control without needing a password. Once they’re in, they have everything: all user accounts, password records, persistent admin access. If you think you’re fully cloud-based, double-check — a surprising number of businesses have old servers still running in a cupboard somewhere.

Windows DNS Client (CVE-2026-41096, CVSS 9.8) — This one affects every Windows machine in your building. DNS is the bit of your network that translates website names into addresses; a flaw here lets a well-positioned attacker push malicious code to any machine without needing a login. Test the update on one or two machines first, then roll it out to the rest by end of Friday.

Dynamics 365 on-premises (CVE-2026-42898, CVSS 9.9) — Remote code execution on Dynamics servers. Most businesses use the cloud-hosted version and aren’t affected. If you run Dynamics on your own servers, patch this week.

Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103, CVSS 9.1) — This is the one businesses most often miss. If you self-host Atlassian’s project management tools (Jira or Confluence) and use Microsoft Entra ID for single sign-on, an attacker can forge login credentials and bypass your identity checks entirely. Microsoft have rated this “exploitation more likely”. The fix is an update to the plugin itself, installed on the Jira or Confluence server through its plugin manager; Windows Update will not deliver it, so it needs its own task rather than riding along with your normal monthly cycle.

The deployment sequence that avoids Monday morning headaches

  1. Today — domain controller first. Patch it, reboot, verify everything comes back cleanly before moving on.
  2. Tomorrow — test a small group. Deploy the standard Windows update to a handful of machines and watch for 24-48 hours. Specifically: confirm nobody gets locked out of BitLocker (see below).
  3. End of the week — full rollout. Push to the rest of your fleet by Friday close, so any awkward surprises surface before staff are at their desks on Monday.
  4. Separately — Atlassian plugin. If you self-host Jira or Confluence, the SSO plugin is updated on the Jira or Confluence server itself, outside the normal Windows patch run.
  5. Audit your backlog. If any machines in your business are more than three months behind on patches, that’s the more pressing problem. This month’s Patch Tuesday is routine; the patches you skipped last autumn are what tend to cause real trouble.
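
For the two steps in that list that are easiest to skip, confirming the domain controller came back cleanly (step 1) and finding the machines that are months behind (step 5), here is a PowerShell script. It is an added example, not code from the original article or from Microsoft: it assumes Windows PowerShell 5.1 on a domain-joined admin workstation with the RSAT ActiveDirectory module installed, WinRM open to the targets, and a domain controller called DC01 (a placeholder name).

```powershell
# Added example (not from the article): post-reboot domain controller check and
# patch-backlog audit for steps 1 and 5 of the deployment sequence.
# Assumes Windows PowerShell 5.1, RSAT (ActiveDirectory module) and WinRM
# reachable on the targets. 'DC01' below is a placeholder.

Import-Module ActiveDirectory

function Test-DomainControllerHealth {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Services a domain controller must be running once it is back up.
    $required = 'NTDS', 'Netlogon', 'DNS', 'Kdc', 'W32Time'
    $services = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-Service -Name $using:required -ErrorAction SilentlyContinue |
            Select-Object Name, Status
    }
    $down = @($services | Where-Object Status -ne 'Running')

    # dcdiag is the built-in self-test; /q prints only failures, so any
    # non-blank output line is a problem worth reading before moving on.
    $failures = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        dcdiag /q 2>&1
    } | Where-Object { "$_" -match '\S' })

    [pscustomobject]@{
        ComputerName   = $ComputerName
        ServicesDown   = ($down.Name -join ', ')
        DcdiagFailures = ($failures -join [Environment]::NewLine)
        Healthy        = ($down.Count -eq 0 -and $failures.Count -eq 0)
    }
}

function Get-PatchBacklog {
    param(
        [string[]]$ComputerName,
        [int]$MaxAgeDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($c in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over DCOM. InstalledOn is
            # blank for some entries, so drop those before sorting.
            $last = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            [pscustomobject]@{
                ComputerName  = $c
                LastHotFix    = $last.HotFixID
                LastInstalled = $last.InstalledOn
                Behind        = (-not $last) -or ($last.InstalledOn -lt $cutoff)
                Error         = $null
            }
        } catch {
            # Unreachable machines are reported as behind: you cannot prove otherwise.
            [pscustomobject]@{
                ComputerName  = $c
                LastHotFix    = $null
                LastInstalled = $null
                Behind        = $true
                Error         = $_.Exception.Message
            }
        }
    }
}

# Step 1: after the DC reboots, do not move on until this reports Healthy = True.
Test-DomainControllerHealth -ComputerName 'DC01' | Format-List

# Step 5: every enabled domain computer with no hotfix installed in 90 days.
$fleet = (Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem).Name
Get-PatchBacklog -ComputerName $fleet | Where-Object Behind | Format-Table -AutoSize
```

Get-HotFix is a coarse signal: it lists cumulative updates but not everything Windows Update installs, so treat "Behind" as a list of machines to investigate rather than a verdict. Anything that has been unreachable for weeks belongs on the same list.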

One gotcha: BitLocker recovery key prompts

After installing this update, some Windows machines will ask for a BitLocker recovery key on first restart. BitLocker is the encryption that protects your data if a laptop gets stolen. At every boot it asks the machine’s TPM chip to confirm that the startup components (firmware settings, boot manager and so on) still match the measurements recorded when the drive was protected, and only then is the disk key released. An update that changes one of those components changes the measurements, the TPM withholds the key, and Windows falls back to asking for the 48-digit recovery key.

For most businesses with standard settings, it won’t happen. But if it does and nobody knows where the recovery keys are, the machine is stuck at the recovery screen and everything on that disk stays locked until the key turns up.

Three things to check before you deploy:

  • Confirm your BitLocker recovery keys are stored somewhere you can reach them: in Entra ID, Active Directory, or a documented key store.
  • If you’re running custom security settings on your machines, set the Group Policy item “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured” before the update.
  • After deployment is stable, reapply the policy if your setup requires it.

Patch Tuesday lands on the second Tuesday of every month, without fail. Having a documented process (test ring, 48-hour window, rollout, key check) turns it from an occasional scramble into something that quietly ticks along in the background.

Dragon Digital handles patch management and security deployment for businesses across North Wales. If your current setup doesn’t have a tested rollback process for something like the BitLocker scenario above, that’s worth sorting before the next one drops.
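
Here is a PowerShell script that runs the three checks above on a test-ring machine, plus one precaution the list does not mention: suspending BitLocker for exactly one reboot, so the TPM re-seals the key against the updated boot files instead of prompting. It is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 5.1 run as administrator with the built-in BitLocker module; the registry key it inspects is taken to be the one the named Group Policy item writes to, from the policy’s ADMX definition.

```powershell
# Added example (not from the article): BitLocker pre-flight for the three checks
# above, run locally on a test-ring machine as administrator.
# Assumes Windows PowerShell 5.1 and the built-in BitLocker module.
# The registry key is assumed from the ADMX mapping of the policy
# "Configure TPM platform validation profile for native UEFI firmware configurations".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Get-BitLockerPreflight {
    param([string]$MountPoint = $env:SystemDrive)

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        HasRecoveryPassword = ($recovery.Count -gt 0)   # check 1: a key exists to escrow
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ', ')
        HasTpmProtector     = ($tpm.Count -gt 0)        # only TPM-sealed volumes can prompt
        CustomPcrProfile    = (Test-Path $policyKey)    # check 2: custom validation profile in force
    }
}

function Backup-RecoveryKey {
    param([string]$MountPoint = $env:SystemDrive, [switch]$ToEntraId)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        if ($ToEntraId) {
            # Entra-joined devices: escrow the recovery password to Entra ID.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        } else {
            # Domain-joined devices: escrow to the computer object in Active Directory.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

$pre = Get-BitLockerPreflight
$pre | Format-List

if (-not $pre.HasRecoveryPassword) {
    # No recovery password at all: add one before anything else, otherwise a
    # recovery prompt after the update cannot be answered.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
}
Backup-RecoveryKey    # use Backup-RecoveryKey -ToEntraId on Entra-joined devices

if ($pre.CustomPcrProfile) {
    Write-Warning ("Custom TPM platform validation profile found at $policyKey. " +
        "Set the policy to Not Configured (then gpupdate /force) before installing " +
        "the update, and reapply it once the ring is stable (check 3).")
}

# Suspend protection for exactly one reboot. The volume key is stored in the clear
# for that single boot cycle, so do this only in the patch window; protection
# resumes automatically after the reboot and the TPM seals to the new measurements.
if ($pre.HasTpmProtector) {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1
}
```

Run it, install the update, reboot, then confirm `(Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus` reads On again before declaring the test ring clean. The suspension is a safety net for the test ring; the escrow check is the one that matters for the whole fleet, because a missing key cannot be fixed after the prompt appears.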

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.