Impact statement: Microsoft’s May 2026 Patch Tuesday includes two critical Windows remote code execution vulnerabilities that server administrators should patch immediately: CVE-2026-41089 in Windows Netlogon and CVE-2026-41096 in Windows DNS Client. Both are listed by NVD with CVSS 9.8 Critical, network attack vector, no privileges required, and no user interaction required.
Microsoft’s Security Update Guide lists both as not publicly disclosed and not known exploited at release time, but that does not make them slow-roll items. Netlogon and DNS sit close to identity, domain services, name resolution, hosting operations, and administrator workstations. Patch domain controllers, DNS servers, IIS hosting machines, RDS hosts, Hyper-V hosts, backup servers, file servers, and support workstations in a controlled but fast window.
Who Should Care
- Windows Server administrators, especially domain-controller and DNS teams.
- IIS hosting providers and Windows-based web-hosting control panel operators.
- RDS and terminal server administrators.
- Hyper-V hosts and virtualization management machines.
- Backup, file, monitoring, and management servers joined to Active Directory.
- Admin and support workstations that handle customer files, credentials, remote tools, or server consoles.
The Two Critical Items
| CVE | Component | Impact | Fix priority |
|---|---|---|---|
| CVE-2026-41089 | Windows Netlogon | Remote code execution over the network. | Patch domain controllers and domain-joined servers first. |
| CVE-2026-41096 | Windows DNS Client | Remote code execution over the network. | Patch DNS servers, Windows hosting servers, and admin machines quickly. |
Use Microsoft’s update guide for the exact KBs for each Windows version and SKU. In mixed fleets, assume supported Windows Server and Windows client systems need review until your patch inventory proves otherwise.
Patch Path 1: Windows Update
For smaller fleets and standalone servers, use Windows Update or Server Manager, install the May 2026 cumulative update, reboot, and confirm the machine reports the expected build and hotfix state.
```powershell
# Start an update scan from an elevated prompt.
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall
# After the reboot, review recent hotfixes from PowerShell.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
```
On Server Core, use sconfig or your normal RMM/PowerShell workflow. The important part is not the button you click; it is that the May 2026 security update installs, the server reboots cleanly, and post-reboot verification is captured.
Patch Path 2: WSUS, Intune, Or RMM
- Approve the May 2026 cumulative updates in WSUS for the affected Windows versions.
- Use rings: domain controllers and DNS servers first in a watched maintenance window, then hosting/RDS/Hyper-V, then general servers and workstations.
- For Intune or RMM, push the May 2026 quality update and enforce a reboot deadline that matches customer maintenance windows.
- Track failed installs separately from pending-reboot systems. Both are still unpatched from an operations standpoint.
Patch Path 3: Offline Or Catalog Install
For isolated servers, download the correct update from the Microsoft Update Catalog, transfer it through your approved change-control process, and install it locally. Match the KB to the operating system, architecture, and servicing baseline.
```powershell
# Example offline install pattern. Replace the path with your approved KB file.
wusa.exe C:\Patches\windows-may-2026-security-update.msu /quiet /norestart
```
Schedule the reboot. Do not leave critical Windows security updates waiting on a reboot and then mark the system complete.
Post-Reboot Verification
```powershell
# Confirm Windows version/build context.
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber
# Confirm recent hotfixes.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Classic command prompt fallback.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"
```
For domain controllers, also confirm replication, authentication, DNS resolution, and event-log health after the reboot. For hosting servers, confirm IIS, application pools, control-panel services, scheduled tasks, backups, and RMM agents.
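One way to turn the post-reboot verification above and the "track failed installs separately from pending reboots" rule from Patch Path 2 into a repeatable fleet check. This is an added example, not code from the original advisory; it assumes PowerShell remoting is enabled on the targets, that it runs under an account with local admin rights there, and that the `$KB` placeholder is replaced with the real May 2026 KB from the Security Update Guide.

```powershell
<#
  Added example (not from the original advisory): report one KB across a fleet.
  Assumes WinRM/PowerShell remoting and admin rights on every target.
  $KB is a placeholder; take the real KB from Microsoft's Security Update Guide.
#>
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [string]   $KB          # e.g. 'KB0000000' (placeholder)
)

# Runs on each remote host and returns one status object.
$probe = {
    param($KB)
    $os  = Get-CimInstance Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $installed = $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # Three well-known pending-reboot markers set by servicing and Windows Update.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfr = $null -ne $sm.PendingFileRenameOperations
    $pending = $cbs -or $wu -or $pfr

    # A machine with the KB staged but not rebooted is still unpatched operationally.
    $state = if ($installed -and -not $pending) { 'Patched' } elseif ($installed) { 'PendingReboot' } else { 'Missing' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = "$($os.Version).$ubr"   # e.g. 10.0.20348.<UBR>
        KB       = $KB
        State    = $state
    }
}

$results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ArgumentList $KB -ErrorAction SilentlyContinue)

# Hosts that never answered are unverified, so they are listed too rather than silently dropped.
$reached = $results | ForEach-Object { $_.PSComputerName }
foreach ($c in ($ComputerName | Where-Object { $_ -notin $reached })) {
    $results += [pscustomobject]@{ Computer = $c; Build = 'n/a'; KB = $KB; State = 'Unreachable' }
}

$results | Sort-Object State, Computer | Format-Table Computer, Build, KB, State -AutoSize
```

Run it per ring (domain controllers and DNS servers first) and treat every row that is not `Patched` as open work in the change record.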
Role-Specific Notes
- Domain controllers: patch all DCs, avoid leaving a forgotten DC on the old build, and monitor authentication and replication after each reboot.
- DNS servers: patch DNS servers and Windows machines that rely on DNS Client behavior, then test internal and external name resolution.
- IIS hosting servers: patch, reboot, and confirm sites, application pools, TLS bindings, scheduled tasks, and customer panels.
- RDS servers: drain users before rebooting, patch connection brokers and session hosts, and watch logon behavior after maintenance.
- Hyper-V hosts: live-migrate or schedule VM downtime, patch hosts one at a time, and verify VM networking afterward.
- Backup servers: patch quickly because backup systems touch broad file sets and often have elevated credentials.
- Admin workstations: patch support machines because they reach into customer environments and server consoles.
What To Review
- System and Application event logs around update and reboot time.
- DNS Server logs on DNS-role machines.
- Directory Service and DFS Replication logs on domain controllers.
- Authentication anomalies, service crashes, repeated restarts, or name-resolution failures.
- RMM/WSUS/Intune reports for failed installs or pending reboots.
CDN And WAF Note
A web application firewall (WAF) cannot patch Windows Netlogon or Windows DNS Client. The defensive move is exposure reduction: keep domain services, DNS administration, SMB/RPC, RDP, WinRM, and server management interfaces off the open internet; require VPN or trusted administrator networks; and patch the operating system. The CDN side can still help by hardening exposed web administration panels and flagging customers that appear to publish management services publicly.
Sources
- Microsoft Security Update Guide: CVE-2026-41089
- Microsoft Security Update Guide: CVE-2026-41096
- NVD: CVE-2026-41089
- NVD: CVE-2026-41096
- Microsoft Update Catalog
Need help patching Windows hosting servers, domain controllers, RDS, or Hyper-V without knocking customers offline? Open a ticket through Help4Network.com.
