May: Microsoft Patches 55 Security Vulnerabilities

Microsoft patched 55 unique security vulnerabilities this May. We analyzed all 55  weaknesses and spotlighted the most important vulnerabilities that ought to be patched on priority.

 

Microsoft’s May Patches Overview

This May, Microsoft patched 55 vulnerabilities that were discovered in early 2021, including three publicly disclosed bugs.

Of these 55, Microsoft has fixed key vulnerabilities, such as:

  • 22 CVEs classified under RCE bugs

  • 11 CVEs with Privilege Escalation capabilities

  • 1 CVE linked to Denial of Service

It must be noted that none of these vulnerabilities had been under active attack before the patch was issued. However, a week after the patches were issued, an exploit code was released for the wormable Windows IIS server (CVE-2021-31166) vulnerability, which has been allocated a CVSS V3 score of 9.8.

Microsoft also continued the issue of a patch for its exchange server vulnerabilities, which have recently become high-profile targets to Hafnium threat actors.

The “Proxy Logon” vulnerabilities that were exploited in the wild were CVE-2021-31198, CVE-2021-31207, CVE-2021-31209, and CVE-2021-31195.

Zero-Day Vulnerabilities:  Microsoft released patches for three zero-days: CVE-2021-31207,  CVE-2021-31200,  and CVE-2021-31204. However, these zero-days have not yet been exploited despite having been made public. Patching these vulnerabilities should be undertaken immediately and considered a top priority.

Product Analysis

In this round-up, patches were issued for 19 products. Windows’ Server accounted for 22 vulnerabilities, of which ten were categorized with privilege escalation capabilities.

Severity Scores

This month’s patch release fixed four critical vulnerabilities in the Windows Server and Internet Explorer, which posed a significant risk to organizations. On account of their severity rating, prioritizing these CVEs for patching is essential to ensure functionality and security.

Table: Microsoft May Patches 2021

The Exchange Server Team recently published a blog detailing all the issues that an administrator might face while deploying these patches. Although no active attacks leveraging these vulnerabilities have surfaced, we recommend that users update all Microsoft software to the latest versions and strategically defend their cyber ecosystem.

 

Protect your organization with Attack Surface Management as a Service. Talk to us.

Share This Post On