Cybersecurity: Threats and Defences
20MAY

Patch Tuesday clean streak hides out-of-band KEVs

09:58 UTC

Microsoft's 13 May Patch Tuesday shipped 120 CVEs with no zero-days exploited in the wild, breaking what would have been a 22-month streak since July 2024. Two out-of-band KEV additions inside 48 hours reset the picture.

Technology · Developing
Key takeaway

Two out-of-band KEVs in 48 hours show Patch Tuesday is no longer the reliable cadence.

Microsoft released its May 2026 Patch Tuesday on Wednesday 13 May with 120 CVEs addressed and no zero-days exploited in the wild, breaking a 22-month streak in which every Patch Tuesday since July 2024 had contained at least one zero-day [1][2]. BleepingComputer, which tracks the monthly cycle alongside Microsoft Security Response Center disclosures, recorded the gap as the first scheduled release in the streak without an actively exploited flaw.

The headline broke before the picture settled. Within 48 hours of the release, CISA added two further CVEs to the Known Exploited Vulnerabilities catalogue outside the scheduled window: CVE-2026-20182 in Cisco SD-WAN on Thursday 14 May, and CVE-2026-42897 in Exchange Server's Outlook Web Access on Friday 15 May. Both were actively exploited; only the Cisco flaw had a vendor patch. The Exchange addition mirrored the Palo Alto out-of-band pattern that opened May and ran alongside the Microsoft LSASS out-of-band fix issued in April.

For security operations teams, the signal-quality question matters. Patch Tuesday was the predictable artefact around which monthly vulnerability-management work was scheduled. A clean Patch Tuesday next to two out-of-band KEVs within two days does not show improved vendor security posture; it shows that the exploitation timeline has decoupled from the scheduled release. The defensive cadence assumption (a 30-day cycle around the second Tuesday of each month) no longer maps to where the urgent disclosures actually arrive. Federal civilian agencies remain bound by Binding Operational Directive 22-01 regardless of when the KEV addition lands, and the Trump administration's FY27 proposal to cut CISA by $707 million does not change the issuance tempo, only the agency's capacity to enforce it.
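As an added example (not part of the briefing or of any CISA tooling), the check below measures each KEV addition's lag from the month's second Tuesday and counts down to its BOD 22-01 due date, so a vulnerability-management team can see how much of the catalogue arrives off-cycle. Field names follow the public KEV JSON feed; the two entries are constructed sample data, the Cisco due date and both requiredAction texts are assumptions, and the one-day grace for next-day catalogue additions is a chosen threshold.

```python
"""Flag CISA KEV additions that land outside the Patch Tuesday cycle.
Added example: field names follow the public KEV JSON feed; the entries are
constructed sample data (Cisco dueDate and requiredAction texts are assumed)."""
import calendar
import json
from datetime import date, timedelta

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "SD-WAN",
     "dateAdded": "2026-05-14", "dueDate": "2026-06-04",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-05-15", "dueDate": "2026-05-29",
     "requiredAction": "Apply mitigations per vendor instructions; no patch available."},
]})
GRACE_DAYS = 1  # an addition the day after release still counts as in-cycle


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's scheduled release day)."""
    first_weekday = calendar.monthrange(year, month)[0]  # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)


def last_patch_tuesday(on: date) -> date:
    """Most recent Patch Tuesday on or before `on`, possibly in the prior month."""
    pt = patch_tuesday(on.year, on.month)
    if pt <= on:
        return pt
    prev = on.replace(day=1) - timedelta(days=1)
    return patch_tuesday(prev.year, prev.month)


def classify(kev_json: str, today_iso: str) -> list[dict]:
    """One row per KEV entry: cadence lag, BOD 22-01 countdown, mitigation-only flag."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        lag = (added - last_patch_tuesday(added)).days
        rows.append({
            "cve": v["cveID"],
            "out_of_band": lag > GRACE_DAYS,
            "days_after_patch_tuesday": lag,
            "days_to_bod_deadline": (date.fromisoformat(v["dueDate"]) - today).days,
            # BOD 22-01 still binds with no vendor fix: track the mitigation instead
            "mitigation_only": "no patch" in v["requiredAction"].lower(),
        })
    return rows
```

Pointing `classify` at the live feed's `vulnerabilities` array instead of `KEV_SAMPLE` gives the same per-entry rows for the real catalogue.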

Deep Analysis

In plain English

On 13 May 2026, Microsoft released its monthly security fixes covering 120 flaws, and for the first time in nearly two years there were no emergency patches for flaws hackers were already using. But within two days, US security authorities added two urgent flaws to their watch list: one in Cisco software and one in Microsoft's own email server.

First Reported In

Update #4 · AI joins the breach column on both sides

BleepingComputer · 20 May 2026
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.