Industry observers note that while there weren’t any genuine zero-day vulnerabilities to patch in May’s Patch Tuesday patch, the fallout since then has been severe.

According to the latest update, the first attacks on Microsoft Exchange Server occurred as early as Patch Tuesday week, abusing a vulnerability that still hasn’t been fixed and continues to be exploited by hackers.

According to the latest update, plus, a security researcher dropped another proof-of-concept exploit, this time targeting a vulnerability in BitLocker security. Meanwhile, Microsoft has dropped security updates for its Malware Protection Engine to fix critical flaws, backtracked on its design decision to store passwords as plaintext in Edge, and more.

As part of the ongoing story, the next scheduled Patch Tuesday is June 9th, 2026.

In a fresh development, the spoofing vulnerability CVE-2026-42897 in Exchange Server (2016, 2019, and Subscription Edition), which is classified as critical by Microsoft, is being exploited for attacks in the wild.

The report highlights that the Exchange Emergency Mitigation (EM) service can provide automatic relief, provided it’s active. In a blog post, Microsoft’s Exchange team explains how enterprise admins can minimize the attack surface—and also what side effects this may have. Microsoft doesn’t yet have any updates ready to address this security flaw.

The report highlights that a security researcher known as Nightmare-Eclipse—previously responsible for his RedSun and MiniPlasma proof-of-concept exploits—has continued his dispute with Microsoft by publishing another proof-of-concept exploit for a BitLocker vulnerability.

Industry observers note that this works if BitLocker is used on the device in TPM-only mode without a PIN. Microsoft has assigned a high risk level to this vulnerability, listing it as CVE-2026-45585 (BitLocker Security Mechanic Bypass), and dropped updates for Windows 11 and Server 2025. This one is called YellowKey and it allows an attacker who has physical access to a BitLocker-encrypted PC to get around BitLocker protection using a USB flash drive.

Industry observers note that since the Edge patch on May 15th (version 148.0.3967.70), the browser has been handling passwords more carefully. As of May 21st, Edge for Android is also at this version. We previously reported that Microsoft’s Edge browser loads saved passwords into memory in plaintext so they’re immediately available as needed.

Industry observers note that microsoft classifies the vulnerability CVE-2026-41615 as critical and has dropped fixed versions of the apps. Microsoft’s Authenticator apps for Android and iOS have also been found to disclose sensitive information, allowing attackers to access everything—files, services, information—using the permissions of the currently logged-in user.

According to the latest update, attackers can exploit these flaws to sneak malicious code past Defender undetected. They appear to be doing just that, as Microsoft reports that elevation-of-privilege vulnerability CVE-2026-41091 has publicly known exploit code. Exploiting this security vulnerability grants the attacker system privileges. Microsoft’s malware defense for Windows PCs has three vulnerabilities that need patching.

As part of the ongoing story, the RCE vulnerability CVE-2026-45584, however, isn’t yet being exploited, although it could be used to execute code. The DoS vulnerability CVE-2026-45498 in Microsoft Defender is also being exploited.

In a fresh development, microsoft has already rolled out patched versions as part of the automatic daily updates for Defender. In version 1.1.26040.8 and later, all three vulnerabilities have been fixed. The vulnerabilities are present in Microsoft’s Malware Protection Engine up to and including version 1.1.26030.3008.

According to the latest update, the “Engine Version” is what you want to look at. To be on the safe side, check whether you have received this patched version by opening Windows Settings > Privacy & security → Windows Security → Virus & threat protection → Settings (⚙ icon bottom left) → About.

The report highlights that check out our picks for the best antivirus programs for Windows as well as best VPN services to stay ahead of security problems. Tip: Whether you keep your Windows up to date, you need proper antivirus protections if you want your PC to remain secure and private.

In a fresh development, this article originally appeared on our sister publication PC-WELT and was translated and localized from German.

In a fresh development, his main topics are IT security (malware, antivirus, security gaps) and Internet technology. Frank Ziemann has been working as a freelance author for sister site PC-WELT since 2005, writing news and test reports.