
Tenable Blog


Microsoft’s May 2021 Patch Tuesday Addresses 55 CVEs (CVE-2021-31166)

After crossing the 100 CVEs patched mark for the first time in April, Microsoft patched just 55 CVEs in May, the lowest number of CVEs patched this year.

  • 4 Critical
  • 50 Important
  • 1 Moderate
  • 0 Low

Update May 17: The section for CVE-2021-31166 has been updated to reflect the release of proof-of-concept (PoC) code.

Microsoft patched 55 CVEs in the May 2021 Patch Tuesday release, including four CVEs rated as critical, 50 rated as important and one rated as moderate.

This month's Patch Tuesday release includes fixes for:

  • .NET Core & Visual Studio
  • HTTP.sys
  • Internet Explorer
  • Microsoft Accessibility Insights for Web
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics Finance & Operations
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows IrDA
  • Open Source Software
  • Role: Hyper-V
  • Skype for Business and Microsoft Lync
  • Visual Studio
  • Visual Studio Code
  • Windows Container Isolation FS Filter Driver
  • Windows Container Manager Service
  • Windows Cryptographic Services
  • Windows CSC Service
  • Windows Desktop Bridge
  • Windows OLE
  • Windows Projected File System FS Filter
  • Windows RDP Client
  • Windows SMB
  • Windows SSDP Service
  • Windows WalletService
  • Windows Wireless Networking

Remote code execution (RCE) vulnerabilities accounted for 40% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) at 20%.


CVE-2021-31166 | HTTP Protocol Stack Remote Code Execution Vulnerability

CVE-2021-31166 is an RCE vulnerability that can be exploited by a remote, unauthenticated attacker who sends a crafted HTTP packet to a system using the HTTP Protocol Stack (http.sys). The vulnerability is considered wormable, which means that a single infection could set off a chain reaction of impacted systems across an enterprise without any user interaction. Microsoft assigned this critical flaw a CVSSv3 score of 9.8, emphasizing its severity. While details have not been released, this vulnerability is rated “Exploitation More Likely” according to Microsoft’s Exploitability Index, and we strongly recommend applying this patch as soon as possible.

On May 16, security researcher 0vercl0k published PoC code for CVE-2021-31166 to GitHub. Based on our analysis, this exploit could only result in a denial of service (DoS) condition.


CVE-2021-28476 | Hyper-V Remote Code Execution Vulnerability

CVE-2021-28476 is an RCE vulnerability in Hyper-V which could allow a remote, unauthenticated attacker to compromise a Hyper-V host via a guest virtual machine (VM). The critical flaw was assigned a CVSSv3 score of 9.9; however, it is rated “Exploitation Less Likely.” The advisory from Microsoft points out that the likely exploitation scenario for this flaw would result in a denial of service (DoS) condition, though in some cases RCE is possible, as a guest VM could cause the Hyper-V host’s kernel to read from an arbitrary address.


CVE-2021-31198, CVE-2021-31207, CVE-2021-31209, CVE-2021-31195 | Multiple Exchange Server Vulnerabilities

CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195 are several flaws that impact Microsoft Exchange Server 2013, 2016, and 2019 and are all rated “Exploitation Less Likely,” ranging in severity from CVSSv3 6.5 to 7.8. Given the history of prior Exchange Server vulnerabilities in 2021 we felt it was important to highlight them and ensure administrators take action.

CVE-2021-31209 is a server spoofing vulnerability and received a CVSSv3 score of 6.5. CVE-2021-31195 and CVE-2021-31198 are both RCE vulnerabilities, but CVE-2021-31198, which received a CVSSv3 score of 7.8, is listed as a local attack vector. On the other hand, CVE-2021-31195 received a CVSSv3 score of 6.5 and is listed as having no impact on integrity or availability. Both RCEs require user interaction to exploit.

Only one of these vulnerabilities, CVE-2021-31207, a security feature bypass which received a CVSSv3 score of 6.6, was publicly disclosed. According to Microsoft, it was one of the Exchange Server vulnerabilities found during Pwn2Own 2021. None of these vulnerabilities have been reported as exploited in the wild at the time of publication.

Additionally, Microsoft is introducing new security functionality to Exchange Servers as part of the May Security Update that will allow administrators to validate the version information of their Exchange Servers. Microsoft’s Exchange Team published a blog post highlighting this new functionality.


CVE-2021-28474 and CVE-2021-31181 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2021-28474 and CVE-2021-31181 are a pair of RCE vulnerabilities in Microsoft SharePoint Server. Both were assigned a CVSSv3 score of 8.8 and a severity of Important. Microsoft rates these vulnerabilities as “Exploitation More Likely.” An attacker would need to be authenticated in order to exploit these flaws, though successful exploitation would grant an attacker remote code execution through the creation of a SharePoint site.

Windows 10 Version 1909 End of Life (EOL)

Microsoft has announced that the Home and Pro editions of Windows 10, version 1909, and all editions of Windows Server, version 1909, have reached their end of life. These versions will no longer receive security updates and should be upgraded as soon as possible. The Education and Enterprise editions of Windows 10, version 1909 will remain supported until May 11, 2022; however, we strongly encourage organizations to begin planning to upgrade or decommission these systems early to avoid last-minute changes next year.
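A local check against the servicing dates above, as an added PowerShell example that is not from Microsoft or Tenable. It reads the release and edition from the `CurrentVersion` registry key; the function name `Get-Win1909Status` and the mapping of `EditionID` values to the edition names used here are assumptions.

```powershell
# Added example: classify a Windows host against the version 1909 servicing
# dates quoted in the article. Function name and edition mapping are assumptions.
function Get-Win1909Status {
    param(
        [string]$ReleaseId,
        [string]$EditionId,
        [string]$InstallationType,
        [datetime]$Today = (Get-Date)
    )

    # Assumed mapping of registry EditionID values to the article's edition names.
    $homePro   = 'Core', 'CoreSingleLanguage', 'Professional'   # Home, Pro
    $eduEnt    = 'Education', 'Enterprise'
    $eduEntEnd = [datetime]'2022-05-11'                         # date given in the article

    if ($ReleaseId -ne '1909') {
        return 'Not version 1909: outside the scope of this notice'
    }
    # InstallationType is "Server" or "Server Core" on Windows Server.
    if ($InstallationType -like 'Server*') {
        return 'EOL: Windows Server, version 1909 (all editions)'
    }
    if ($homePro -contains $EditionId) {
        return 'EOL: Windows 10, version 1909 Home/Pro'
    }
    if ($eduEnt -contains $EditionId) {
        if ($Today -gt $eduEntEnd) {
            return 'EOL: Windows 10, version 1909 Education/Enterprise (ended 2022-05-11)'
        }
        $days = [math]::Floor(($eduEntEnd - $Today).TotalDays)
        return "Supported until 2022-05-11 ($days days left): plan the upgrade"
    }
    # Editions the article does not name are reported rather than guessed.
    return "Version 1909, edition '$EditionId': check the Microsoft lifecycle page"
}

# Read the values from the local registry and report one object per host.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$check = @{
    ReleaseId        = $cv.ReleaseId
    EditionId        = $cv.EditionID
    InstallationType = $cv.InstallationType
}
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Product  = $cv.ProductName
    Release  = $cv.ReleaseId
    Edition  = $cv.EditionID
    Status   = Get-Win1909Status @check
}
```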

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains May 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan.

A list of all the plugins released for Tenable’s May 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
