Microsoft Faces New Wave of Security Issues After May Patch Tuesday
Microsoft is facing mounting security concerns following May’s Patch Tuesday updates, as multiple newly disclosed vulnerabilities, proof-of-concept exploits and ongoing attacks continue affecting core Microsoft products and services.
Although Microsoft reported no actively exploited zero-day flaws in the Patch Tuesday release itself, several serious security incidents have emerged in the weeks afterward.
Exchange Server Vulnerability Under Active Attack
One of the most concerning developments involves Microsoft Exchange Server.
Microsoft confirmed that attackers are actively exploiting CVE-2026-42897, a critical spoofing vulnerability affecting Exchange Server 2016, 2019 and Subscription Edition deployments.
Microsoft has not yet released a full security patch for the issue.
Instead, the company is relying on its Exchange Emergency Mitigation service to automatically reduce exposure on systems where the feature is enabled. Microsoft has also published guidance for enterprise administrators on minimizing attack surfaces while a permanent fix remains in development.
Researcher Publishes New BitLocker Exploit
Security researcher Nightmare-Eclipse has also published a new proof-of-concept exploit named “YellowKey,” escalating an ongoing dispute with Microsoft over vulnerability handling.
The exploit targets BitLocker and reportedly allows attackers with physical access to bypass encryption protections using a USB flash drive under certain configurations.
The vulnerability specifically affects systems using TPM-only authentication without an additional PIN requirement.
Microsoft tracks the flaw as CVE-2026-45585 and has already released security updates for affected Windows 11 and Server 2025 systems.
Microsoft Defender Vulnerabilities Raise Additional Concerns
Microsoft Defender is also dealing with several newly identified vulnerabilities affecting Microsoft’s Malware Protection Engine.
Among the issues is CVE-2026-41091, an elevation-of-privilege vulnerability for which public exploit code is already available. Attackers exploiting the flaw could potentially gain system-level privileges on affected devices.
Microsoft additionally confirmed active exploitation of CVE-2026-45498, a denial-of-service vulnerability impacting Defender systems.
Another flaw, CVE-2026-45584, allows potential remote code execution but is not yet known to be exploited in active attacks.
Microsoft says all three vulnerabilities are fixed in Malware Protection Engine version 1.1.26040.8 and later, distributed through Defender’s automatic update system.
Edge and Authenticator Also Receive Security Fixes
Microsoft also addressed concerns involving Microsoft Edge, which previously handled stored passwords in plaintext within memory.
Starting with Edge version 148.0.3967.70, Microsoft reportedly adjusted how the browser manages password storage and handling internally.
Meanwhile, vulnerabilities affecting Microsoft Authenticator on Android and iOS were also patched after researchers discovered flaws capable of exposing sensitive user information and account access.
Microsoft classified the Authenticator vulnerability CVE-2026-41615 as critical severity.
Security Pressure Continues Building Ahead of June Patch Tuesday
The growing number of post-update vulnerabilities highlights the increasing pressure facing major software vendors as security researchers, ransomware groups and state-backed attackers continue aggressively targeting widely deployed enterprise platforms.
Microsoft’s next scheduled Patch Tuesday release is set for June 9, 2026.
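A host-side check for the fixed versions and the TPM-only BitLocker configuration named above, as an added example that is not from the article or from Microsoft. It assumes an elevated PowerShell session on Windows with the Defender and BitLocker modules present and Edge in its default install directory; Test-MinVersion is a hypothetical helper.

```powershell
# Added example: thresholds are the fixed versions quoted in the article.
$FixedEngine = [version]'1.1.26040.8'    # Malware Protection Engine
$FixedEdge   = [version]'148.0.3967.70'  # Microsoft Edge

# Hypothetical helper: compare a reported version string with the fixed version.
function Test-MinVersion {
    param([string]$Name, [string]$Current, [version]$Fixed)
    $parsed = $null
    if (-not [version]::TryParse($Current, [ref]$parsed)) { $status = 'UNKNOWN' }
    elseif ($parsed -ge $Fixed) { $status = 'OK' }
    else { $status = 'NEEDS UPDATE' }
    [pscustomobject]@{ Check = $Name; Found = $Current; Status = $status }
}

$results = @()

# Defender: engine version as reported by the local Defender service.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$results += Test-MinVersion 'Defender engine' $mp.AMEngineVersion $FixedEngine

# Edge: product version of msedge.exe (assumed default install locations).
$edgeExe = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft\Edge\Application\msedge.exe' } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$edgeVer = if ($edgeExe) { (Get-Item $edgeExe).VersionInfo.ProductVersion } else { '' }
$results += Test-MinVersion 'Edge' $edgeVer $FixedEdge

# BitLocker: a protector of type 'Tpm' unlocks the volume with no PIN.
foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    if ($vol.ProtectionStatus -ne 'On') { continue }
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $status = if ($types -contains 'Tpm') { 'TPM-ONLY' } else { 'OK' }
    $results += [pscustomobject]@{
        Check  = "BitLocker $($vol.MountPoint)"
        Found  = ($types -join ',')
        Status = $status
    }
}

$results | Format-Table -AutoSize
```

A status of UNKNOWN means the component was not found or did not report a parseable version, and that host needs a manual look.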


