Microsoft May 2026 Patch Tuesday: SharePoint RCE, NTLM Zero-Day

Microsoft's May 2026 Patch Tuesday fixes two actively exploited flaws, including a zero-day NTLM hash leak that requires no user interaction to trigger.

Microsoft’s May 2026 Patch Tuesday addresses two vulnerabilities already being exploited in the wild, including a zero-day flaw in NTLM authentication that allows attackers to steal credential hashes without any user interaction. The update also carries a hard deadline: administrators have until June 26 to apply a Secure Boot certificate update or risk boot failures on patched systems.

CVE-2026-32201 SharePoint RCE Confirmed Exploited Before Patch Release

CVE-2026-32201 is a remote code execution vulnerability in SharePoint Server that Microsoft confirmed was under active exploitation before Tuesday’s patch. The vulnerability allows an attacker with authenticated access to execute arbitrary code within the SharePoint server process. SharePoint Server deployments remain common across enterprise and government environments as the backend for intranets, document management, and workflow automation.

Microsoft has not published technical details about the exploitation method, to limit further weaponization, but the confirmed pre-patch exploitation indicates that threat actors had operational knowledge of the flaw prior to its public disclosure.

CVE-2026-32202 NTLM Zero-Click Hash Leak Exploited as Zero-Day

CVE-2026-32202 is the more operationally dangerous of the two actively exploited flaws. Microsoft classifies it as a zero-day — exploited before any patch existed — and the mechanism requires no user interaction to trigger.

The vulnerability leaks NTLM credential hashes, which attackers can then use in relay attacks: capturing a victim’s NTLM hash and forwarding it to authenticate against other systems on the same network without ever cracking the underlying password. In Active Directory environments, credential relay against high-value targets such as domain controllers, file servers, or Exchange servers can enable lateral movement and privilege escalation from a single compromised position.

NTLM hash theft via zero-click means an attacker needs only to be positioned where they can deliver a crafted network payload to the target — no phishing link click, no document open, no user-facing lure required. This places the attack within reach of network-adjacent threat actors and significantly raises the urgency of the patch for organizations that have not yet disabled NTLM in their environments.

Secure Boot Certificate Rotation Creates a June 26 Hard Deadline

Separate from the two actively exploited vulnerabilities, May’s Patch Tuesday includes a Secure Boot update that administrators cannot defer indefinitely. Microsoft’s 2011-era Secure Boot certificates expire on June 26, 2026. Systems that have received other May 2026 patches but have not applied the Secure Boot certificate update face potential boot failures after the expiration date.

Microsoft has described this as a hard deadline with no grace period. The certificate rotation does not introduce new security protections on its own, but it prevents a scenario where patched systems cannot boot due to an expired root of trust in the Unified Extensible Firmware Interface (UEFI) chain. Organizations running large Windows fleets with complex UEFI configurations should test the Secure Boot update in staged rings before the June 26 cutoff.

Windows Hotpatch Now Default for Eligible Windows 11 Systems

Starting with the May 2026 cycle, Windows hotpatch — which applies security updates without requiring a system reboot — is enabled by default for eligible Windows 11 devices. Hotpatch has been available for Windows Server for several years; the extension to Windows 11 endpoints reduces reboot-related downtime for security patching.

The feature applies only to qualifying patch types; updates that modify system binaries which can only be replaced during a restart cannot be delivered as hotpatches. Administrators should verify which updates in the May cycle were delivered as hotpatches and which were standard updates that still require a reboot.

The combination of CVE-2026-32201 and CVE-2026-32202 in active exploitation makes May’s Patch Tuesday a priority cycle. Organizations running SharePoint Server on-premises and those with NTLM still active in their Active Directory environments face the most immediate risk. For the NTLM zero-day specifically, applying the patch is the definitive remediation — network-level NTLM blocking can reduce exposure in the interim but may break legacy authentication workflows that have not yet been migrated.
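As an added example (not from the original article or from Microsoft), a defender-side inventory of NTLM logons built from exported Windows Security event 4624 records, so the legacy dependencies that network-level NTLM blocking would break are known before the block is enforced. The sample events are constructed; the field names mirror the 4624 EventData schema, and treating a populated LmPackageName as NTLM use is an assumption made to also catch Negotiate fallbacks.

```python
"""Inventory NTLM logons from exported Security event 4624 records before NTLM is blocked."""
from collections import defaultdict

# Constructed sample events (not real log data); field names follow the EventData of
# Windows Security event 4624, "An account was successfully logged on".
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "LogonType": 3, "WorkstationName": "LEGACY-NAS", "IpAddress": "10.0.20.15"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "LogonType": 2, "WorkstationName": "WS-0451", "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "LogonType": 3, "WorkstationName": "WS-0451", "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "sp_farm",
     "AuthenticationPackageName": "Negotiate", "LmPackageName": "NTLM V2",
     "LogonType": 3, "WorkstationName": "SP-APP01", "IpAddress": "10.0.30.7"},
    {"EventID": 4634, "TargetDomainName": "CORP", "TargetUserName": "jdoe"},  # logoff, ignored
]


def is_ntlm_logon(event):
    """True for a 4624 that authenticated over NTLM, directly or as a Negotiate fallback."""
    if event.get("EventID") != 4624:
        return False
    lm = event.get("LmPackageName", "-")
    return event.get("AuthenticationPackageName") == "NTLM" or lm.startswith("NTLM")


def ntlm_inventory(events):
    """Group NTLM logons by source host: accounts seen plus NTLMv1 and NTLMv2 counts."""
    inv = defaultdict(lambda: {"accounts": set(), "v1": 0, "v2": 0})
    for ev in filter(is_ntlm_logon, events):
        entry = inv[(ev.get("WorkstationName", "-"), ev.get("IpAddress", "-"))]
        entry["accounts"].add(f"{ev['TargetDomainName']}\\{ev['TargetUserName']}")
        # NTLMv1 is the weaker variant: fix these sources first, before any block is enforced
        if ev.get("LmPackageName") == "NTLM V1":
            entry["v1"] += 1
        else:
            entry["v2"] += 1
    return dict(inv)


if __name__ == "__main__":
    for (host, ip), e in sorted(ntlm_inventory(SAMPLE_EVENTS).items()):
        print(f"{host:11} {ip:11} v1={e['v1']} v2={e['v2']} accounts={sorted(e['accounts'])}")
```

Feed it the 4624 events exported from domain controllers and file servers over a full business cycle; hosts that appear only under NTLM, and any NTLMv1 source, are the workflows to migrate before blocking.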
