This month’s Microsoft Patch Tuesday fixed 120 vulnerabilities, including 17 Critical-rated flaws and a network-based Windows DNS Client RCE that requires no user interaction to trigger. The headline across most security outlets: “No Zero-Days.”
That framing is not wrong. It is, however, actively misleading practitioners about how to respond.
What “No Zero-Days” Actually Measures
A zero-day designation on Patch Tuesday means Microsoft's own advisory for the flaw is flagged as exploited in the wild (or, in looser usage, publicly disclosed) at the time the fix ships. It is a reactive label: it tells you that threat actors were already using the flaw before Microsoft could stop them. The absence of a zero-day designation means only this: there is no confirmed evidence of exploitation yet.
It does not mean the vulnerabilities are not severe. It does not mean attackers have not found them. It does not mean you have more time.
Reading "no zero-days" as "lower urgency" plays directly into the economics of post-patch exploitation. Patch diffing, the process of reverse-engineering Microsoft's patches to learn precisely what was fixed, has been industrialised. Criminal groups and nation-state teams run diffing pipelines that start within hours of Microsoft's monthly release. The window between patch availability and a working exploit for Critical network-based vulnerabilities is commonly 48 to 72 hours. For flaws whose underlying bug class is simple and well understood, it is sometimes less.
A zero-day designation only appears in the record when someone confirms exploitation. In the days between patch release and that confirmation, the vulnerability is being actively studied, weaponised, and in some cases deployed. There is no safe waiting period.
The Signal Defenders Actually Need
The useful question for a Patch Tuesday is not "are any of these being exploited right now?" It is: "which of these will be weaponised in the next seven days, and have I already patched the systems that expose them?"
That question requires reading CVSS vectors, not just scores. CVE-2026-41096, the Windows DNS Client RCE, carries the exploitability combination that signals rapid weaponisation: AV:N/AC:L/PR:N/UI:N. Network-based, low complexity, no privileges, no user interaction. Those four metrics are only the exploitability half of a CVSS v3.1 base vector; the impact and scope metrics (S, C, I, A) decide whether the score lands in the Critical band, but the exploitability half is what predicts how quickly a working exploit appears. Every component of that vector indicates a flaw that defenders have a narrow window to close before exploitation begins.
Compare how this month's release will be handled with a month that carries a zero-day: the response will be softer, the urgency lower, the escalation paths quieter. The outcome if exploitation occurs is identical.
How the Framing Was Created — and Who Benefits From It
The zero-day framing was not invented maliciously. It emerged because "zero-day confirmed in active exploitation" is genuinely the most dangerous category: it means the clock started for defenders before the patch existed, rather than at the moment of release. As a triage tool for security operations teams, it is defensible shorthand.
The problem is what happens next. That shorthand has been absorbed into organisational vulnerability management processes as a patching tier. Zero-day Patch Tuesdays trigger emergency change control and executive notification. Non-zero-day months get processed in the next scheduled window. The practical difference in patching speed can be weeks.
Threat actors have noticed. Post-patch exploitation campaigns routinely begin with flaws that carried no zero-day designation when they were patched and that entered CISA's Known Exploited Vulnerabilities catalogue 30 to 90 days later, once organisations on slower patching cycles started getting hit. By the time the KEV entry appeared it was an n-day confirmation, not a warning. The patching opportunity was in the first 72 hours.
What Correctly Calibrated Practice Looks Like
The teams doing this well do not use zero-day status as a patching tier. They use attack surface characteristics. A Critical network-based RCE with no authentication requirement gets the same response whether it has a KEV listing or not: patch internet-facing and network-accessible systems within 24 hours, endpoints within 72 hours, treat the release as a change window rather than a prioritisation event.
That discipline is genuinely hard to maintain when 120 vulnerabilities arrive monthly and operational capacity is finite. It requires ruthless triage: patch the right 15 vulnerabilities in 24 hours rather than attempting all 120 in three weeks. The “no zero-days” shorthand does not assist that triage. It gives practitioners permission to treat the wrong month as quiet.
May 2026's Patch Tuesday contains a wormable network RCE affecting every supported Windows version, authenticated RCE in SharePoint, critical SAP flaws, and critical Fortinet authentication vulnerabilities, all released simultaneously, none confirmed exploited. That last fact is not a reason to relax. It is a description of the window that remains open, and it will not stay open past this week.
Defenders who act on “no zero-days” coverage rather than attack surface analysis are not being cautious. They are waiting for the confirmation to arrive in CISA’s KEV catalogue, at which point they are already reacting to an incident rather than preventing one.