May's Patch Tuesday Fallout: Exchange, Defender, BitLocker Under Fire

While May's Patch Tuesday brought no zero-day vulnerabilities, the aftermath has been turbulent. Attackers are exploiting a critical Exchange Server spoofing flaw that is still unpatched, Microsoft Defender's Malware Protection Engine has three vulnerabilities, two of them already exploited, and a public BitLocker bypass exploit has emerged.
Exchange Server Spoofing Flaw Exploited
A critical spoofing vulnerability (CVE-2026-42897) in Microsoft Exchange Server 2016, 2019, and Subscription Edition is being actively exploited. According to recent reports, Microsoft has not yet released a patch. Until one ships, the Exchange Emergency Mitigation (EM) service can apply Microsoft's interim mitigations automatically, but only if the service is running and mitigations are enabled on the server. Administrators are advised to follow Microsoft's guidance to minimize the attack surface, bearing in mind that the mitigations can have side effects on Exchange functionality.
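The EM service only helps if it is actually installed, running and enabled. The following is an added example for checking and enabling it on an on-premises server; it is not code from the article or from Microsoft. It assumes it is run from the Exchange Management Shell on the Exchange server itself (so `$env:COMPUTERNAME` is the server identity), on a cumulative update recent enough to include EM (Exchange 2016 CU22 / Exchange 2019 CU11 or later).

```powershell
# Added example (not from the article): verify the Exchange Emergency Mitigation
# service is present, running and enabled so published mitigations get applied.
# Assumption: run in the Exchange Management Shell on the server being checked.

# 1. Is the EM Windows service installed and running?
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "MSExchangeMitigation service not found; this CU may predate EM (2016 CU22 / 2019 CU11 and later). Update first."
    return
}
if ($svc.Status -ne 'Running') {
    Write-Warning "EM service present but $($svc.Status); starting it."
    Start-Service -Name MSExchangeMitigation
}

# 2. Mitigations must be enabled both organization-wide and on this server.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning "Mitigations disabled at the organization level; enabling."
    Set-OrganizationConfig -MitigationsEnabled $true
}

$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
if (-not $srv.MitigationsEnabled) {
    Write-Warning "Mitigations disabled on $($srv.Name); enabling."
    Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true
}

# 3. EM fetches mitigation definitions over HTTPS from Microsoft's CDN;
#    an egress-filtered server will silently never receive them.
$cdn = Test-NetConnection -ComputerName officecdn.microsoft.com -Port 443 -WarningAction SilentlyContinue
if (-not $cdn.TcpTestSucceeded) {
    Write-Warning "No outbound 443 to officecdn.microsoft.com; EM cannot download mitigations."
}

# 4. Report what has actually been applied or blocked on this server.
$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
[pscustomobject]@{
    Server             = $srv.Name
    ServiceStatus      = (Get-Service -Name MSExchangeMitigation).Status
    MitigationsEnabled = $srv.MitigationsEnabled
    MitigationsApplied = ($srv.MitigationsApplied -join ', ')
    MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
    CdnReachable       = $cdn.TcpTestSucceeded
}
```

The `MitigationsApplied` and `MitigationsBlocked` lists are the evidence that a given mitigation reached the box; an empty `MitigationsApplied` after Microsoft publishes one usually means the service is stopped, mitigations are disabled, or the CDN is unreachable. Mitigations can also be rolled back per server with `Set-ExchangeServer -MitigationsEnabled $false` if they break a required workload.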
BitLocker Bypass via YellowKey
Security researcher Nightmare-Eclipse has published a proof-of-concept exploit called YellowKey for a BitLocker vulnerability (CVE-2026-45585). It allows an attacker with physical access to a BitLocker-encrypted PC configured in TPM-only mode (no pre-boot PIN) to bypass the protection using a USB flash drive; as described, systems that require a PIN at boot are outside the affected configuration. Microsoft rates the vulnerability as high risk and has released updates for Windows 11 and Windows Server 2025.
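Because the exploit targets TPM-only volumes, the practical check is to find such volumes and move them to TPM+PIN in addition to installing the update. The following is an added example, not code from the article or from the researcher, and it assumes an elevated PowerShell session on the machine being checked and that Group Policy either permits TPM+PIN or is unset (assumption; if policy forbids a PIN, `Add-BitLockerKeyProtector` fails).

```powershell
# Added example (not from the article): find OS volumes protected only by a TPM
# protector and convert them to TPM+PIN. Run as Administrator.
# Assumption: Group Policy allows a pre-boot PIN (the default is "unset", which allows it).

function Get-TpmOnlyOsVolumes {
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        $types -contains 'Tpm' -and
        -not ($types -contains 'TpmPin') -and
        -not ($types -contains 'TpmPinStartupKey')
    }
}

$tpmOnly = Get-TpmOnlyOsVolumes
if (-not $tpmOnly) {
    Write-Host "No TPM-only OS volumes found; nothing to do."
    return
}

foreach ($vol in $tpmOnly) {
    $mp = $vol.MountPoint
    Write-Warning "$mp is protected by the TPM alone; no pre-boot PIN is required."

    # Make sure a recovery password exists before touching the TPM protector,
    # so a failed change cannot lock the volume. Escrow it before proceeding.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        $rp = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $pw = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Write-Warning "Added recovery password for $mp; store it (e.g. in AD/Entra) now: $pw"
    }

    # A volume holds a single TPM-based protector; adding TPM+PIN replaces the
    # TPM-only one, so the TPM can no longer unseal the key without the PIN.
    $pin = Read-Host -AsSecureString -Prompt "New pre-boot PIN for $mp (6+ digits)"
    Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $pin | Out-Null

    # Verify: re-read the volume and confirm no bare 'Tpm' protector remains.
    $after = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector.KeyProtectorType)
    if ($after -contains 'TpmPin' -and -not ($after -contains 'Tpm')) {
        Write-Host "$mp now requires TPM+PIN at boot."
    } else {
        Write-Warning "$mp still lists protectors: $($after -join ', '); check policy and retry."
    }
}
```

The PIN does not replace the Windows update; it removes the specific no-PIN configuration the page describes and, more generally, keeps the volume master key sealed until a secret the attacker does not have is entered, which is the standard hardening for physically exposed laptops.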
Edge and Authenticator Flaws
Microsoft Edge version 148.0.3967.70, released on May 15th, fixed an issue that caused passwords to be stored in plaintext. The corresponding Edge for Android update followed on May 21st.
The Microsoft Authenticator apps for Android and iOS had a critical vulnerability (CVE-2026-41615) that could allow an attacker to access files, services, and information with the permissions of the logged-in user. Fixed versions have been released and should be installed.
Microsoft Defender Vulnerabilities
Three vulnerabilities were found in Microsoft's Malware Protection Engine, affecting engine versions up to 1.1.26030.3008. An elevation-of-privilege flaw (CVE-2026-41091) has publicly available exploit code and grants SYSTEM privileges. A denial-of-service vulnerability (CVE-2026-45498) is also being exploited. A remote-code-execution flaw (CVE-2026-45584) is not yet known to be exploited but could allow code execution. Patched engine versions (1.1.26040.8 and later) are distributed through the automatic Defender updates, so most machines receive them without action. Users can verify the engine version in Windows Security under Virus & threat protection settings.
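Checking the engine version by hand does not scale past one machine, and a box behind a broken proxy or WSUS path can sit on a vulnerable engine indefinitely. The following is an added example, not code from the article, that compares the local engine against the fixed version the article cites and forces an update when it is behind; it assumes an elevated PowerShell session with the Defender module available (assumption: Defender is the active antimalware engine on the host).

```powershell
# Added example (not from the article): check the Malware Protection Engine
# version against the fixed version cited in the article and update if behind.
# Version numbers are taken from the article; run as Administrator.

$fixedEngine = [version]'1.1.26040.8'

function Get-DefenderEngineStatus {
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        EngineVersion       = $engine
        EngineFixed         = ($engine -ge $fixedEngine)
        SignatureVersion    = $status.AntivirusSignatureVersion
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        AntivirusEnabled    = $status.AntivirusEnabled
    }
}

$s = Get-DefenderEngineStatus
$s | Format-List

if (-not $s.AntivirusEnabled) {
    Write-Warning "Defender AV is not the active engine here; a third-party AV may be registered. Check that product instead."
} elseif (-not $s.EngineFixed) {
    Write-Warning "Engine $($s.EngineVersion) is older than $fixedEngine; requesting an engine/definition update."
    Update-MpSignature
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    if ($after -ge $fixedEngine) {
        Write-Host "Engine updated to $after."
    } else {
        # Engine updates ride the definition channel; if this still fails,
        # the usual causes are proxy/egress filtering or a stale WSUS approval.
        Write-Warning "Engine still $after. Check proxy, WSUS/ConfigMgr definition approvals, and MpCmdRun.log under ProgramData\Microsoft\Windows Defender\Support."
    }
} else {
    Write-Host "Engine $($s.EngineVersion) is at or above the fixed version."
}
```

To cover a fleet, wrap `Get-DefenderEngineStatus` in `Invoke-Command -ComputerName` and filter on `EngineFixed -eq $false`; the version comparison uses `[version]` rather than string comparison so that `1.1.26040.8` correctly sorts above `1.1.26030.3008`.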
To stay protected, ensure Windows, Edge, Authenticator and the Defender engine are up to date, and consider reputable antivirus and VPN solutions as an additional layer.