Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
- Patrick Duggan
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is short. The interesting analysis is not which one is the most severe — the interesting analysis is that all six shipped together, span the entire Windows attack surface, and read as a chain when you line them up.
This is gap-fill coverage. We have zero prior reporting on any of the six identifiers across the DugganUSA archive as of May 15. That gap closes today.
The six
CVE-2026-21513. Microsoft MSHTML Framework. Protection mechanism failure. An unauthorized attacker bypasses a security feature over a network. MSHTML is the legacy HTML rendering engine that Edge tried to retire and that everything from Outlook preview panes to embedded WebBrowser controls still loads. The category is bypass, not RCE on its face, but bypass plus any of the other five is the chain that matters.
CVE-2026-21525. Microsoft Windows Remote Access Connection Manager (RACM). NULL pointer dereference. An unauthorized attacker denies service locally. The DoS framing undersells the operational reality — RACM is the service that brokers VPN, dial-up, and IKE connections on Windows hosts, and crashing it on a corporate endpoint mid-connection is a meaningful availability event during incident response when you most need remote access to work.
CVE-2026-21510. Microsoft Windows Shell. Protection mechanism failure. An unauthorized attacker bypasses a security feature over a network. The Shell is the explorer.exe surface plus the libraries that handle URL invocation, file-type association, and shortcut resolution. Bypass on Shell historically means a crafted .lnk, .url, or shell-handler payload that defeats Mark-of-the-Web, SmartScreen, or zone enforcement. The full exploitation chain depends on the underlying mechanism that failed, which Microsoft has not fully detailed in the public advisory.
CVE-2026-21533. Microsoft Windows Remote Desktop Services. Improper privilege management. An authorized attacker elevates privileges locally. RDP privesc is the recurring Windows trope — once you are on the host as any user, the gap between low-priv shell and SYSTEM closes by way of an RDP service component that was never supposed to honor an authenticated request the way it does. Combined with phishing or initial-access tooling that lands a low-priv shell, this is the second half of an end-to-end compromise.
CVE-2026-21519. Microsoft Desktop Window Manager (DWM). Type confusion. An authorized attacker elevates privileges locally. DWM type confusion is the same bug class that produced multiple kernel-mode privilege escalations across the past several Patch Tuesdays. DWM runs with elevated privileges, handles compositor primitives that user-mode processes feed it, and historically returns root-equivalent access when its type assumptions get violated.
CVE-2026-21514. Microsoft Office Word. Reliance on untrusted inputs in a security decision. An authorized attacker elevates privileges locally. Word reliance-on-untrusted-input usually decodes to a crafted document that tricks an internal trust decision — macro confirmation, protected-view exit, embedded-link resolution — into firing without the user gate that was supposed to stand in the way. Word EoP chained with phishing is the boring, durable initial-access vector that has been working for two decades.
What this looks like as a cluster
Read the six together and the shape is the standard Windows kill chain, rendered as one Patch Tuesday drop.
Entry. A crafted Word document arrives by email. CVE-2026-21514 trips a security decision and code runs without the prompt that should have stopped it. Or a crafted .lnk in a phishing zip rides CVE-2026-21510 past Mark-of-the-Web. Or a malicious URL rendered in an Outlook preview pane abuses CVE-2026-21513 in MSHTML.
Persistence and lateral motion. From the low-priv foothold, CVE-2026-21533 against Remote Desktop Services or CVE-2026-21519 against the Desktop Window Manager climbs to SYSTEM. Once at SYSTEM on one endpoint, the attacker is no longer relying on Microsoft logic flaws for the rest of the engagement — they are using credentials, scheduled tasks, and the normal post-compromise toolkit.
Optional payload. CVE-2026-21525 against RACM is a DoS, which sounds like the runt of the litter, but it is the right tool for the right moment. Crash RACM on the responder's workstation in the middle of an incident and you buy several minutes of confusion. Or chain it into a coordinated disruption against a fleet of endpoints that all share the same VPN concentrator. DoS in a targeted kill chain is not the headline — it is the smoke grenade.
Five of the six landed on KEV because Microsoft and CISA both observed exploitation in the wild. The sixth is on KEV because the listing process gates on credible exploitation evidence, not on perfect public attribution. Treat all six as active.
Why six on the same day matters
Patch Tuesday volume varies. Six KEV-flagged CVEs in one Microsoft drop is on the high end of what we have seen this year. The clustering tells you two things at once.
First, the offensive research pipeline is publishing in coordinated batches now. Adversaries who hold private capability against multiple Windows subsystems wait for the day a single patch announcement covers all of them, then either burn the capabilities in the window before defenders patch, or rotate to the next set. Patch Tuesday is the calendar event the offensive side optimizes against, not just the calendar event defenders optimize for.
Second, the patch-management cost has compounded. Six CVEs in the same drop is not six independent patch decisions for an enterprise. It is one synchronized patch cycle that has to land across endpoint, server, RDP-host, and Office-deployed fleets. Organizations that defer patching past the first week of the cycle will see this cluster collide with the next month's cluster, and the deferred risk stacks. The KEV deadline mechanism is partially designed to break the deferral pattern, but it only directly binds federal civilian agencies.
What to do this week
If you operate Windows endpoints in an enterprise environment, the action list is short.
Pull the latest Microsoft cumulative update across your patch ring. The May 13 cumulative covers all six CVEs in this cluster plus a number of non-KEV items that Microsoft folded in. The cumulative update is the right unit to deploy. Picking individual CVE patches is the wrong shape of work.
Prioritize the rings. Internet-facing RDP hosts get the patch this week without exception. Endpoint fleets that handle external email — every knowledge-worker endpoint at your org — get the patch this week. Servers running Office Web Apps or any service that opens documents server-side get the patch this week. The rest of the estate moves on its normal cadence with the caveat that the cumulative is in flight and the testing window matters.
Hunt for exploitation evidence. The behavioral signatures are the standard set. Anomalous child processes from winword.exe and excel.exe. SYSTEM-level processes that did not exist before a recent user-initiated document open. Outbound HTTPS from rdpclip.exe, dwm.exe, or rasman.exe to non-corporate destinations. Defender XDR, CrowdStrike Falcon, SentinelOne, and Carbon Black all surface these patterns by default — make sure the alerts are actually being read.
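The three behavioral signatures above, written out as a small hunting script. This is an added example, not the post's own tooling and not any vendor's detection logic: it runs over constructed Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) events embedded inline. The process names come from the post; the list of suspicious child images, the ten-minute window after a document open, and the corporate address ranges are assumptions you would replace with your own.

```python
"""Hunt for the three behaviours named in the post over Sysmon-style events.

Added example, not DugganUSA or vendor code. SAMPLE_LOG is constructed.
"""
import ipaddress
import json
from datetime import datetime

# Heuristic 1: Office processes that spawn shells or script hosts.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}  # assumed list

# Heuristic 3: service binaries named in the post that should not reach the internet.
NO_EGRESS_IMAGES = {"rdpclip.exe", "dwm.exe", "rasman.exe"}

# Assumed corporate address space; substitute your own ranges.
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2026-05-14 08:30:00", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 1, "UtcTime": "2026-05-14 09:00:00", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jsmith", "CommandLine": "WINWORD.EXE invoice.docx"}
{"EventID": 1, "UtcTime": "2026-05-14 09:00:12", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\jsmith", "CommandLine": "powershell.exe -w hidden -nop"}
{"EventID": 1, "UtcTime": "2026-05-14 09:03:40", "Image": "C:\\Users\\Public\\update.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "update.exe"}
{"EventID": 3, "UtcTime": "2026-05-14 09:04:10", "Image": "C:\\Windows\\System32\\rdpclip.exe", "User": "CORP\\jsmith", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2026-05-14 09:04:11", "Image": "C:\\Windows\\System32\\rasman.exe", "User": "NT AUTHORITY\\SYSTEM", "DestinationIp": "10.20.30.40", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2026-05-14 09:05:02", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\jsmith", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
"""


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def office_child_processes(events):
    """Signature 1: winword.exe / excel.exe spawning a shell or script host."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent, child = _image_name(e["ParentImage"]), _image_name(e["Image"])
        if parent in OFFICE_IMAGES and child in SHELL_CHILDREN:
            hits.append((e["UtcTime"], parent, child, e.get("CommandLine", "")))
    return hits


def system_processes_after_doc_open(events, window_minutes=10):
    """Signature 2: SYSTEM processes created within a window after an Office start.
    An Office image start stands in for 'user-initiated document open' here."""
    opens = [datetime.strptime(e["UtcTime"], TIME_FMT) for e in events
             if e["EventID"] == 1 and _image_name(e["Image"]) in OFFICE_IMAGES]
    hits = []
    for e in events:
        if e["EventID"] != 1 or e.get("User") != SYSTEM_USER:
            continue
        t = datetime.strptime(e["UtcTime"], TIME_FMT)
        if any(0 <= (t - o).total_seconds() <= window_minutes * 60 for o in opens):
            hits.append((e["UtcTime"], _image_name(e["Image"])))
    return hits


def service_binary_egress(events):
    """Signature 3: rdpclip/dwm/rasman connecting outside the corporate ranges."""
    hits = []
    for e in events:
        if e["EventID"] != 3:
            continue
        img = _image_name(e["Image"])
        dst = ipaddress.ip_address(e["DestinationIp"])
        if img in NO_EGRESS_IMAGES and not any(dst in net for net in CORPORATE_NETS):
            hits.append((e["UtcTime"], img, e["DestinationIp"], e["DestinationPort"]))
    return hits


def hunt(events):
    """Run all three signatures and return the hits keyed by signature."""
    return {
        "office_child": office_child_processes(events),
        "system_after_open": system_processes_after_doc_open(events),
        "service_egress": service_binary_egress(events),
    }


if __name__ == "__main__":
    for name, hits in hunt(load_events(SAMPLE_LOG)).items():
        print(name, hits)
```

Each signature is deliberately coarse: the point is to confirm the telemetry exists and the query is cheap, then tune the child list, window and ranges to your estate before wiring it into the XDR alert that someone actually reads.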
Communicate the deadline. CISA's KEV federal deadline is typically three weeks. For the private sector the actionable deadline is the next several days. KEV listings are gated on active exploitation evidence, and the gap between KEV listing and broad opportunistic scanning is measured in days, not weeks. Your incident response team needs to know this cluster is on the wire.
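The "read the cluster" point from the section above and the deadline arithmetic here, as one added Python example that is not DugganUSA tooling: it parses a KEV-format JSON excerpt, groups entries by vendor and dateAdded to surface same-day drops, and reports days remaining to the due date for the CVEs that show up in your own inventory. The six identifiers, products and the 2026-05-13 dateAdded come from the post; the dueDate values (three weeks out), the placeholder seventh entry under a made-up vendor, and the inventory set are constructed.

```python
"""Find same-day KEV clusters and compute time-to-deadline for CVEs you carry.

Added example, not DugganUSA tooling. KEV_SAMPLE mirrors the CISA KEV JSON
layout (top-level "vulnerabilities" list); dueDate values are assumed.
"""
import json
from collections import defaultdict
from datetime import date

KEV_SAMPLE = """{
  "title": "constructed KEV excerpt",
  "count": 7,
  "vulnerabilities": [
    {"cveID": "CVE-2026-21513", "vendorProject": "Microsoft", "product": "MSHTML Framework", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-21525", "vendorProject": "Microsoft", "product": "Windows Remote Access Connection Manager", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Windows Shell", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-21533", "vendorProject": "Microsoft", "product": "Windows Remote Desktop Services", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-21519", "vendorProject": "Microsoft", "product": "Desktop Window Manager", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-21514", "vendorProject": "Microsoft", "product": "Office Word", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-00000", "vendorProject": "ExampleVendor", "product": "placeholder (constructed)", "dateAdded": "2026-05-13", "dueDate": "2026-06-03"}
  ]
}"""


def load_kev(text):
    """Return the entry list from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def same_day_clusters(entries, min_size=3):
    """Group entries by (vendor, dateAdded); keep groups of at least min_size.
    A large group is the 'one drop, many CVEs' pattern the post describes."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["vendorProject"], e["dateAdded"])].append(e["cveID"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def days_until_due(entry, today):
    """Signed days from today (ISO string) to the entry's dueDate; negative = overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days


def triage(entries, inventory, today):
    """Cross-reference KEV entries against the CVE IDs in your own inventory
    (for example, the identifiers a vulnerability scanner reported) and order
    them by time remaining, so the nearest deadline is at the top."""
    rows = []
    for e in entries:
        if e["cveID"] not in inventory:
            continue
        remaining = days_until_due(e, today)
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "days_until_due": remaining,
            "overdue": remaining < 0,
        })
    return sorted(rows, key=lambda r: (r["days_until_due"], r["cveID"]))


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for (vendor, added), ids in same_day_clusters(kev).items():
        print(f"{vendor} added {len(ids)} entries on {added}: {', '.join(ids)}")
    # Constructed inventory: what a scanner might report for an RDP host with Office.
    for row in triage(kev, {"CVE-2026-21533", "CVE-2026-21514"}, "2026-05-15"):
        print(row)
```

Feeding the real catalog in is the same call with the downloaded JSON as `text`; the three-week federal window in the sample is an assumption, and the private-sector reading of "the next several days" is a policy you apply on top of the `days_until_due` figure, not something the catalog encodes.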
Where we sit
The DugganUSA archive had zero prior coverage of these six CVE identifiers as of the May 15 sweep. That gap is now closed. Going forward, our iocs index will tag indicators attributable to exploitation against this cluster with the CVE identifiers, and the STIX feed will deliver the attributable infrastructure to subscribers on the normal cadence.
If you read this post and you do not run a feed-driven detection stack, the link to register for ours is the same as always — analytics dugganusa dot com slash stix slash register. Thirty seconds, Bearer key issued immediately. The feed will not patch your Windows estate for you, but it will tell you whether the C2 infrastructure that exploitation campaigns reach back to is already on the wire in your environment.
The cluster is the story. Six CVEs, one drop, full kill-chain coverage from entry to persistence to disruption. Patch the cumulative. Hunt the behavior. Read the next Patch Tuesday cluster the same way.
Sources: CISA Known Exploited Vulnerabilities Catalog entries for CVE-2026-21513, CVE-2026-21525, CVE-2026-21510, CVE-2026-21533, CVE-2026-21519, and CVE-2026-21514, all added 2026-05-13. Microsoft Security Update Guide entries for the May 13, 2026 cumulative update. DugganUSA archive coverage check against the iocs and blog indexes confirmed zero prior on 2026-05-15.
