Source: Security.NL
On 13 May 2026, Microsoft released a large batch of security updates as part of its monthly Patch Tuesday release. According to Security.NL, the updates address over 130 vulnerabilities across Windows products, including one flaw serious enough to allow a self-spreading attack without any action from users.
According to Security.NL, the most urgent issue is a vulnerability in the Windows Netlogon component, tracked as CVE-2026-41089. Netlogon is the service domain controllers use to authenticate users and machines, and the flaw allows an attacker to run code remotely on those domain controllers, the servers that manage user accounts and access rights across a network. No login credentials or user interaction are needed to exploit it.
Security.NL also reports two other vulnerabilities worth noting. CVE-2026-41096 affects the Windows DNS Client in Windows 11 and Windows Server 2025, and CVE-2026-40415 is in the Windows TCP/IP component. Both can reportedly be exploited without authentication or user interaction, meaning an attacker does not need to trick anyone into clicking a link or opening a file.
The Netlogon flaw and the TCP/IP flaw are described by Security.NL as "wormable," meaning malicious software could potentially spread from one machine to another on its own, with no action from any user. Once working exploit code for such a flaw is circulating, infections tend to spread quickly.
For small businesses that rely on Windows servers or shared office computers, this is a good reminder that keeping software up to date is one of the most effective things you can do to stay protected. Microsoft's updates are reported to install automatically on most machines, but it is worth checking that automatic updates are actually switched on, and that the update has really been installed: an update that is still waiting for a reboot leaves the machine unpatched.
If your website runs on a Windows server, or if the computer you use to manage your website runs Windows, installing the latest Microsoft updates promptly is a sensible step. Outdated software is one of the most common ways attackers gain access to business systems and the data they hold. You can find practical steps in our security checklist for small businesses and our guide on vulnerable plugins.
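The checks described above can be scripted on the Windows machine itself. The following PowerShell is an added example written for this page, not code from Security.NL or Microsoft; it assumes only that the 13 May 2026 Patch Tuesday date is the cut-off, and it deliberately names no KB numbers, since the article gives none.

```powershell
# Added example: post-Patch-Tuesday sanity check for a Windows host.
# Assumption: 13 May 2026 (from the article) is the release date of interest.
$patchTuesday = Get-Date '2026-05-13'

# 1. Are automatic updates disabled by policy?
#    NoAutoUpdate = 1 under the WindowsUpdate\AU policy key switches them off.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) {
    Write-Warning "Automatic updates are disabled by policy ($auKey\NoAutoUpdate = 1)."
} else {
    Write-Output "Automatic updates are not disabled by policy."
}

# 2. Can the Windows Update service run at all?
$wu = Get-Service -Name wuauserv
Write-Output ("Windows Update service: status={0}, start type={1}" -f $wu.Status, $wu.StartType)
if ($wu.StartType -eq 'Disabled') {
    Write-Warning "wuauserv is disabled; nothing will install until it is re-enabled."
}

# 3. Has anything been installed since Patch Tuesday?
#    Get-HotFix lists installed updates with their install date.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No updates installed on or after {0}; open Settings > Windows Update and check for updates." -f $patchTuesday.ToShortDateString())
}

# 4. Is a reboot still pending? The update is not effective until the restart completes.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    Write-Warning "A reboot is pending; the installed update is not active yet."
}

# 5. Is this machine a domain controller? DomainRole 4 or 5 means it is,
#    so the Netlogon fix applies directly to this host.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -in 4, 5) {
    Write-Output "This host is a domain controller: prioritise the Netlogon update."
}
```

Run it in an elevated PowerShell session; the registry policy key and the Get-HotFix output are readable without elevation, but the script is written for administrators checking a server, and the warnings are meant to be acted on, not just read.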
Let's Encrypt stopped issuing certificates for over two hours on the evening of 8 May 2026 due to an incident involving non-compliance with CCADB Policy rules.
The primary maintainer of the Axios npm library was compromised via a social engineering (ClickFix) attack, allowing attackers to publish malicious versions containing a remote access trojan.