14JUN

Patch Tuesday clean streak hides out-of-band KEVs

3 min read

11:51UTC

Microsoft's 13 May Patch Tuesday shipped 120 CVEs with no zero-days exploited in the wild, breaking what would have been a 22-month streak since July 2024. Two out-of-band KEV additions inside 48 hours reset the picture.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Two out-of-band KEVs in 48 hours show Patch Tuesday is no longer the reliable cadence.

Microsoft released its May 2026 Patch Tuesday on Wednesday 13 May with 120 CVEs addressed and no zero-days exploited in the wild, breaking a 22-month streak in which every Patch Tuesday since July 2024 had contained at least one zero-day ¹ ². BleepingComputer, which tracks the monthly cycle alongside Microsoft Security Response Center disclosures, recorded the gap as the first scheduled release in the streak without an actively exploited flaw.

The headline broke before the picture settled. Within 48 hours of the release, CISA added two further CVEs to the Known Exploited Vulnerabilities catalogue outside the scheduled window: CVE-2026-20182 in Cisco SD-WAN on Thursday 14 May, and CVE-2026-42897 in Exchange Server's Outlook Web Access on Friday 15 May. Both were actively exploited; only the Cisco flaw had a vendor patch. The Exchange addition mirrored the Palo Alto out-of-band pattern that opened May and ran alongside the Microsoft LSASS out-of-band fix issued in April .

For security operations Teams, the signal-quality question matters. Patch Tuesday was the predictable artefact around which monthly vulnerability-management work was scheduled. A clean Patch Tuesday next to two out-of-band KEVs within two days does not show improved vendor security posture; it shows that the exploitation timeline has decoupled from the scheduled release. The defensive cadence assumption (a 30-day cycle around the second Tuesday of each month) no longer maps to where the urgent disclosures actually arrive. Federal civilian agencies remain bound by Binding Operational Directive 22-01 regardless of when the KEV addition lands, and the Trump administration's FY27 proposal to cut CISA by $707 million does not change the issuance tempo, only the agency's capacity to enforce it.

Deep Analysis

In plain English

On 13 May 2026, Microsoft released its monthly security fixes covering 120 flaws, and for the first time in nearly two years there were no emergency patches for flaws hackers were already using. But within two days, US security authorities added two urgent flaws to their watch list: one in Cisco software and one in Microsoft's own email server.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Microsoft's October 2023 Patch Tuesday, which included a zero-day-free release that was similarly followed within days by emergency out-of-band fixes for actively exploited flaws in third-party products. The pattern of a clean scheduled release alongside an out-of-band burst is recurrent rather than exceptional, and the 2026 case follows the same structure.

Counter-parallel: The July 2024 Patch Tuesday that started the 22-month streak contained CVE-2024-38112, a zero-day in Windows MSHTML exploited by APT groups before disclosure. That release established the baseline against which May 2026's clean release is measured.

The two Patch Tuesdays share the same metric framework but represent opposite outcomes within it, illustrating that the metric itself is stable while attacker targeting and vendor disclosure timing continue to shift independently.

Consensus view: Recorded Future's vulnerability intelligence team and BleepingComputer's patch-tracking data both indicate that the 22-month in-the-wild zero-day streak ending on Patch Wednesday 13 May was a product of Microsoft's improved pre-disclosure co-ordination with vulnerability researchers, not a step-change reduction in the underlying bug rate, since out-of-band KEV additions immediately followed.

Counter-view: KEV Breen at Immersive Labs argues the headline metric, zero zero-days in Patch Tuesday, is structurally misleading: the 120-CVE release included nine critical-severity RCEs, several of which Breen's team assesses as likely exploited before disclosure based on their technical profile. The absence of confirmed in-the-wild exploitation may reflect detection gaps rather than genuine exploitation absence.

Key tension: The 22-month streak is itself a product of Microsoft's decision to announce exploitation status at Patch Tuesday disclosure, a process it controls. Two out-of-band KEV additions within 48 hours, for Cisco and Exchange, show that the exploitation tempo has not changed; only the labelling cadence has, raising the question of whether the streak was an artefact of Microsoft's disclosure process rather than attacker behaviour.

Sources:BleepingComputer·Tenable

Mentions:Microsoft →CISA →Palo Alto Networks →Known Exploited Vulnerabilities →Cisco →Trump administration →CVE-2026-20182 →Outlook Web Access →BleepingComputer →May Patch Tuesday →CVE-2023-50224 →BOD 22-01 →

First Reported In

Update #4 · AI joins the breach column on both sides

BleepingComputer· 20 May 2026

Read original →

Causes and effects

This Event

Patch Tuesday clean streak hides out-of-band KEVs

The Patch Tuesday metric has stopped being a reliable signal of vulnerability disclosure tempo. Exploitation has migrated from the scheduled release cycle to the out-of-band window where defenders have less notice.

Led to

200 fixes, six zero-days, late Exchange

May Patch Tuesday's 120-CVE zero-zero-day release broke a 22-month streak; June's 200-CVE six-zero-day reversal is a direct contrast used to frame the magnitude of the month's patch burden.

Occurred 9 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.