Microsoft’s May 2026 Patch Tuesday rolls out today, and there’s a specific reason every Australian business should treat this one as urgent: RedSun and UnDefend — the two follow-on exploits to April’s Bluehammer (CVE-2026-33825) — are expected to be patched in this release. April fixed the original Bluehammer flaw in Microsoft Defender, but the same threat actor has two more techniques already in the wild that the April update didn’t cover, as flagged in Ivanti’s forecast on Help Net Security.

This Patch Tuesday is also the first to ship fixes from Project Glasswing — the new AI-driven vulnerability discovery effort that brings together Microsoft, Apple, Cisco, Amazon and others on Anthropic’s Mythos model. Expect a higher-than-usual CVE count and a wider cross-product surface (Edge, Server, Office, .NET) than a normal month, plus a rolled-in fix for the critical April out-of-band patch (CVE-2026-40372, ASP.NET Core EoP, CVSS 9.1).

Who’s affected: every Windows endpoint running Defender, which is the default on Windows 11 and Server 2022/2025. If your team uses Windows laptops or your servers run Microsoft IIS, you’re in scope.

What to do today:

• Push the May 2026 updates through your patch management tooling as soon as they land in your channel. The Bluehammer follow-ons are already known to attackers, so the usual 7–14 day testing buffer carries real risk this month.
• Verify the April out-of-band fix for CVE-2026-40372 is installed. It rolls into this month’s update, but anyone who took the 21 April shipment should still confirm.
• Reboot any machine that’s been up for more than 30 days. Patches that don’t reboot don’t protect you.

If your business uses managed IT, ask your provider when these patches will be rolled out across your fleet. If you’re handling Windows updates in-house, this is a today task, not a this-fortnight one. All IT Services handles patch management across the May release for our clients automatically.