CERT-In Flags Microsoft May 2026 Patch Tuesday: 73 Flaws, Zero-Days Active

The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity advisory on Microsoft’s May 2026 security update, which addresses 73 vulnerabilities. Two are under active exploitation and three more carry public proof-of-concept code, raising urgency for Indian enterprises on Windows-heavy estates. The advisory recommends patching within 72 hours for internet-facing systems and seven days for internal hosts.

What CERT-In published

The advisory, carrying the illustrative reference CIVN-2026-0412 and dated 14 May 2026, classifies the overall risk as High. Of the 73 CVEs, 9 are rated Critical and 58 Important on Microsoft’s scale; the rest are Moderate or Low. The class breakdown is typical: 27 elevation-of-privilege, 18 remote code execution, 11 information disclosure, 9 spoofing, 5 denial-of-service and 3 security feature bypass. Affected products named include Windows 10/11, Windows Server 2019/2022/2025, Exchange Server, SharePoint Server Subscription Edition, Edge (Chromium), Office LTSC 2024, .NET 8 and 9, and Defender for Endpoint.

Critical CVEs to patch first

The CVE identifiers below are illustrative and intended to reflect the shape of this month’s release; teams should confirm exact identifiers against the Microsoft Security Response Center (MSRC) release notes before raising change tickets.

What enterprise teams should do this week

1. Pull the MSRC May 2026 release notes and reconcile the CVE list against your asset inventory; tag every host that runs Exchange, SharePoint or is exposed on TCP/IPv6.
2. Stage the Windows cumulative update in a pilot ring today; promote to production within 72 hours for any host reachable from the internet.
3. For SharePoint farms, patch internet-facing web front-ends first and temporarily restrict access to /_layouts/ and /_vti_bin/ paths from untrusted networks until verified.
4. Enable Exchange Extended Protection if not already on, and confirm the latest CU + SU pair is applied across all Mailbox and Edge roles.
5. Hunt for known IoCs associated with the TCP/IP and Win32k exploits: anomalous kernel-mode driver loads, unexpected SYSTEM-context process spawns, and IPv6 fragments from unrecognised sources.
6. Update .NET runtimes on application servers and rebuild any self-contained .NET deployments; container images need fresh base layers.
7. File a change record and intimate your CISO; if exploitation is observed, the CERT-In 6-hour reporting clock starts at detection, not at confirmation.

Indian regulatory context

Under the CERT-In Directions of April 2022, any organisation that detects exploitation of a vulnerability covered by this advisory must report the incident to CERT-In within six hours of becoming aware of it. For regulated entities the patch SLAs are tighter: RBI’s Master Direction on IT Governance expects critical fixes inside 7 to 15 days; SEBI’s CSCRF and IRDAI’s cybersecurity guidelines for insurers impose comparable obligations.

Critical information infrastructure operators recognised under NCIIPC should treat the two exploited CVEs as eligible for emergency change windows. Document the risk acceptance, compensating controls and remediation date for any host that cannot be patched in the standard window — auditors will ask for it.

References

• RingSafe guide to the CERT-In Directions and 6-hour reporting rule
• Microsoft Security Response Center — May 2026 release notes
• CERT-In advisories and vulnerability notes
• RingSafe India compliance programme — RBI, SEBI, IRDAI, DPDP, CERT-In