Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Patch Tuesday clean streak hides out-of-band KEVs

3 min read
08:46UTC

Microsoft's 13 May Patch Tuesday shipped 120 CVEs with no zero-days exploited in the wild, breaking what would have been a 22-month streak since July 2024. Two out-of-band KEV additions inside 48 hours reset the picture.

TechnologyDeveloping
Key takeaway

Two out-of-band KEVs in 48 hours show Patch Tuesday is no longer the reliable cadence.

Microsoft released its May 2026 Patch Tuesday on Wednesday 13 May with 120 CVEs addressed and no zero-days exploited in the wild, breaking a 22-month streak in which every Patch Tuesday since July 2024 had contained at least one zero-day 1 2. BleepingComputer, which tracks the monthly cycle alongside Microsoft Security Response Center disclosures, recorded the gap as the first scheduled release in the streak without an actively exploited flaw.

The headline broke before the picture settled. Within 48 hours of the release, CISA added two further CVEs to the Known Exploited Vulnerabilities catalogue outside the scheduled window: CVE-2026-20182 in Cisco SD-WAN on Thursday 14 May, and CVE-2026-42897 in Exchange Server's Outlook Web Access on Friday 15 May. Both were actively exploited; only the Cisco flaw had a vendor patch. The Exchange addition mirrored the Palo Alto out-of-band pattern that opened May and ran alongside the Microsoft LSASS out-of-band fix issued in April .

For security operations Teams, the signal-quality question matters. Patch Tuesday was the predictable artefact around which monthly vulnerability-management work was scheduled. A clean Patch Tuesday next to two out-of-band KEVs within two days does not show improved vendor security posture; it shows that the exploitation timeline has decoupled from the scheduled release. The defensive cadence assumption (a 30-day cycle around the second Tuesday of each month) no longer maps to where the urgent disclosures actually arrive. Federal civilian agencies remain bound by Binding Operational Directive 22-01 regardless of when the KEV addition lands, and the Trump administration's FY27 proposal to cut CISA by $707 million does not change the issuance tempo, only the agency's capacity to enforce it.

Deep Analysis

In plain English

On 13 May 2026, Microsoft released its monthly security fixes covering 120 flaws, and for the first time in nearly two years there were no emergency patches for flaws hackers were already using. But within two days, US security authorities added two urgent flaws to their watch list: one in Cisco software and one in Microsoft's own email server.

First Reported In

Update #4 · AI joins the breach column on both sides

BleepingComputer· 20 May 2026
Read original
Causes and effects
This Event
Patch Tuesday clean streak hides out-of-band KEVs
The Patch Tuesday metric has stopped being a reliable signal of vulnerability disclosure tempo. Exploitation has migrated from the scheduled release cycle to the out-of-band window where defenders have less notice.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.