Active-Directory
Veeam VBR CVE-2026-44963: Any Domain User Can Own Your Backup Server
A critical CVSS 9.4 RCE lets any authenticated domain user run code on domain-joined Veeam Backup & Replication servers. Patch to 12.3.2.4854 now.
Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days
Microsoft's largest Patch Tuesday on record fixes 200 vulnerabilities including HTTP.sys and Kerberos KDC RCEs, three Hyper-V escapes, and the HTTP/2 Bomb and YellowKey BitLocker zero-days.
NTLM Coercion's Quiet Resurgence: Why 2026's Zero-Click Attacks Look Like 2021
Two unrelated bugs in the last month — an incomplete APT28 patch and an unpatched RPC defect — both hand attackers a 1990s-era credential primitive. The fact that NTLM coercion still works in 2026 is not a series of accidents. It is the model.
Windows Netlogon CVE-2026-41089: Unauthenticated RCE on Every Domain Controller
May Patch Tuesday's marquee bug is a stack-based buffer overflow in MS-NRPC that hands SYSTEM on any domain controller reachable over the network. Patch DCs first, before anything else.