It was just another Monday morning for Sarah in accounting. She opened an email with an attached invoice — nothing unusual, she receives dozens like it every day. She clicked to preview the Word document in Outlook, and nothing seemed to happen. Hours later, the IT team discovered that a foreign program had been silently running on her computer. Sarah did nothing wrong. She simply hadn't installed the latest update.
This is exactly the kind of scenario Microsoft's monthly "Patch Tuesday" is designed to prevent. In May 2026, the update package was unusually large: 120 security vulnerabilities patched, including 16 rated Critical. One piece of good news: for the first time since June 2024, there were no actively exploited zero-days — meaning none of the patched flaws had already been weaponised by attackers. The bad news: several of the vulnerabilities are severe enough that exploitation is likely once attackers study the patches — and unpatched systems remain easy targets.
The Most Dangerous Flaw: Just Opening an Attachment
Security experts flagged Office vulnerabilities — specifically in Word and Excel — as the highest priority. These flaws allow an attacker to remotely take control of a computer simply by getting a victim to open a malicious file.
What makes this particularly alarming is that some of these attacks work in the Preview Pane — meaning you don't even have to open the file. Simply hovering over it in File Explorer or viewing the preview in Outlook could be enough to trigger the attack. If your employees regularly receive email attachments — invoices, contracts, purchase orders — this risk applies directly to them.
A Threat to Your Entire Network
The second category of critical vulnerabilities targets server infrastructure. CVE-2026-41089 is a flaw in Windows Netlogon — the component responsible for authenticating users across a network. Exploiting it allows an attacker to take control of a company's domain controller without any valid password. Security experts have labelled it "wormable," meaning malicious code could propagate automatically from machine to machine without any employee needing to click anything.
Another critical vulnerability (CVE-2026-41096) is in the Windows DNS Client. If an attacker can influence the DNS server your computer uses — for instance on an unsecured public Wi-Fi network — they can take control of your device without any action on your part.
What You Should Do Right Now
The good news: protecting yourself is straightforward and doesn't require technical expertise.
1. Install Windows Updates. The patches were released on 13 May 2026. If you haven't installed them yet, do so as soon as possible. Go to Settings → Windows Update and make sure everything is fully up to date. A restart is usually required after installation.
2. Update Microsoft Office. Open any Office application (Word, Excel…), go to File → Account → Update Options → Update Now.
3. Disable the Outlook Preview Pane temporarily. In sensitive environments, consider turning off automatic attachment previews via File → Options → Trust Center → Trust Center Settings → Attachment Handling.
4. Remind your team. Technical defences matter, but people remain the first line of defence. Remind colleagues to be cautious with email attachments — even from seemingly trusted senders.
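For administrators who want to confirm steps 1 and 2 on a machine rather than trust the Settings screen, here is a read-only PowerShell check. It is an added example, not part of the original article. It assumes the 13 May 2026 release date given above as the cut-off and a Click-to-Run Office installation; the function name Get-PatchStatus is hypothetical.

```powershell
# Added example: read-only patch status report for steps 1 and 2 above.
# Assumption: the cut-off is the release date stated in the article (13 May 2026).
$ReleaseDate = [datetime]'2026-05-13'

function Get-PatchStatus {
    param([datetime]$Cutoff)

    # Step 1: newest Windows update recorded on this machine.
    # Some entries have no install date, so filter those out before sorting.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # An installed update only takes effect after the restart mentioned in step 1.
    # Either of these registry keys existing means a restart is still pending.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    # Step 2: Office build for Click-to-Run installs (empty if Office was installed another way).
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LatestHotFix   = $latest.HotFixID
        InstalledOn    = $latest.InstalledOn
        # Heuristic: an update installed on or after the release date.
        # It does not prove that every May 2026 fix is present.
        UpdatedSinceRelease = [bool]($latest -and $latest.InstalledOn -ge $Cutoff)
        RebootPending  = $rebootPending
        OfficeBuild    = $c2r.VersionToReport
    }
}

Get-PatchStatus -Cutoff $ReleaseDate | Format-List
```

A machine that shows UpdatedSinceRelease as False, or RebootPending as True, still needs attention before it can be considered protected.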
Updates Are Not a Chore — They're Your Insurance
Many businesses delay updates fearing downtime or disruptions. In reality, the disruption caused by a successful cyberattack is far greater. May 2026's Patch Tuesday addressed 120 vulnerabilities — 16 of them critical, including flaws that can compromise entire business networks and allow remote server takeover without a password.
If you'd rather not manage updates yourself, or you're unsure about the current state of your IT infrastructure, we're here to help. Drop us a line at info@sycom.sk — we'll assess your situation and recommend the right solution.