Microsoft recently rolled out updates to fix 113 security issues in its Windows systems and software. Among these, eight were labeled as “critical.” Notably, one of the flaws they repaired is already being exploited by attackers.
One significant vulnerability is CVE-2026-20805, affecting the Desktop Window Manager (DWM). Kev Breen, a cyber threat expert at Immersive, explains that despite its moderate CVSS score of 5.5, this flaw poses a real threat because hackers are using it against organizations. It can compromise security features that are meant to protect against malicious code manipulation.
Chris Goettl from Ivanti points out that this is a serious issue, and organizations should prioritize their response, regardless of the official severity rating.
This month also saw the patching of two vulnerabilities in Microsoft Office (CVE-2026-20952 and CVE-2026-20953) that could allow attackers to execute code just by previewing harmful messages.
Additionally, Microsoft removed outdated modem drivers due to another flaw (CVE-2023-31096), which could allow unauthorized access. Adam Barnett from Rapid7 highlights the potential risks associated with legacy modem drivers, indicating that many may still be active on systems.
Experts, including those from Immersive, Ivanti, and Rapid7, are concerned about a critical bypass vulnerability (CVE-2026-21265) in the Secure Boot feature. This is crucial for keeping devices safe from serious threats. The certificates that support this feature will expire soon, making swift updates vital.
In software news, Mozilla released updates for Firefox resolving 34 vulnerabilities, some of which are suspected to be exploited in the wild. Google Chrome and Microsoft Edge updates are expected shortly as well.
In the world of cybersecurity, staying vigilant is essential. Users and IT administrators must regularly update their systems, as even minor oversights can lead to significant vulnerabilities.
For more information on Microsoft’s patches, visit the Microsoft Security Response Center.
