May Patch Tuesday Commentary From Fortra
By Tyler Reguly, Associate Director, Security R&D, Fortra
Microsoft decided to welcome May with 137 vulnerabilities (not to mention the 128 Edge CVEs), and the content couldn’t be more varied. We have all the usual suspects as well as a few rarely seen items like Microsoft Data Formulator and Data Deduplication, which I don’t believe I’ve ever seen mentioned before. I think, this month, the interesting thing to talk about is the numbers. AI-related vulnerabilities are hard to ignore this month: 7 CVEs reference Copilot, and Azure AI Foundry appears as well, which is sure to get some attention. There are also 13 vulnerabilities that Microsoft is reporting as ‘no customer action required’. This means that they’ve already been mitigated and/or resolved by Microsoft and are being raised for informational purposes. Finally, we have 14 vulnerabilities (some overlap exists with the other two counts) that are in cloud or cloud-adjacent applications. Depending on how heavily you rely on the Azure ecosystem, you may have a lot of digging around to do this month.
Interestingly, the CVEs that stood out to me the most are in the ‘no customer action required’ bucket: CVE-2026-33109, a remote code execution vulnerability in Azure Managed Instances for Apache Cassandra, and CVE-2026-33823, a Microsoft Team Events Portal information disclosure vulnerability. Since both of these have already been resolved by Microsoft, there’s no action to take; otherwise these would be the CVEs I’d be discussing this month.
If I were the CSO looking at this patch drop, there would be two questions on my mind.
- Are we aware of all our uses of AI?
  - ~6% of the CVEs this month were AI-based, and we know that number is only going to grow from here. What other instances of AI might be in use in your organization that are not backed by a company with a regular update schedule like Microsoft?
- Do we use Confluence or Jira with SSO integration?
  - CVE-2026-41103 is an elevation of privilege in the Microsoft SSO Plugin for both Confluence and Jira. This is common software, deployed at a lot of organizations, and I suspect that most organizations have it tied to their Microsoft SSO.
  - The interesting thing here is that the individuals responsible for Confluence and Jira may not be the same individuals responsible for Microsoft products. The crossover this vulnerability entails may cause it to be entirely overlooked, so definitely stay on top of your teams with this one.
This entry was posted on May 12, 2026 at 3:43 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed.