May 2021 Patch Tuesday: Wormable vulnerability to prioritize

We received a reprieve this month on the volume of vulnerabilities being addressed during Patch Tuesday but we do have some unique vulnerabilities that are worth highlighting. The lower total count of vulnerabilities should free up more time to deal with the end-of-service dates for Windows 10 versions 1803, 1809, and 1909 if you have any of those in circulation.

There are a total of 55 vulnerabilities addressed in this month’s Patch Tuesday release. Four are critical, six are marked as “exploitation more likely,” and three are zero-days. These along with the Dell vulnerability are the ones you should prioritize in most environments.

Microsoft vulnerabilities

We have four remote code vulnerabilities associated with Windows OS and other Microsoft products that are rated as critical, and more marked as “exploitation more likely” that should be high on your priority list.

CVE-2021-31166 is of special note and can affect any Windows 10 systems or Windows Server running as a web server. It is wormable, making it a prime target for exploitation, so you should prioritize this vulnerability for patching.


 CVE Title




 HTTP Protocol Stack Remote Code Execution Vulnerability


 Exploitation More Likely


 OLE Automation Remote Code Execution Vulnerability


 Exploitation Less Likely


 Scripting Engine Memory Corruption Vulnerability


 Exploitation More Likely


 Hyper-V Remote Code Execution Vulnerability


 Exploitation Less Likely


 Microsoft SharePoint Server Remote Code Execution Vulnerability


 Exploitation More Likely


 Windows Graphics Component Elevation of Privilege Vulnerability


 Exploitation More Likely


 Microsoft SharePoint Remote Code Execution Vulnerability


 Exploitation More Likely


 Windows Graphics Component Elevation of Privilege Vulnerability


 Exploitation More Likely

Cumulative updates

May 2021 brings the End of Service and last cumulative updates for Windows 10 1803, 1809, and 1909. These builds will no longer be receiving monthly security and quality updates. Microsoft, of course, recommends updating to versions 2004 or 20H2.

Both cumulative KB5003169 (OS Build 18363.1556) and KB5003173 (OS Builds 19041.985 and 19042.985) come with an assortment of security updates. KB5003173 does include a new “News and Interests” feed that will deliver news stories, finance, and weather information and will live on the taskbar.

Third-party vulnerabilities

There were also a number of vulnerabilities this past month that were addressed by third-party vendors.

Dell client platform control vulnerability

Dell announced CVE-2021-21551 that affects the dbutil_2_3.sys driver used by the Dell assortment of firmware update utilities and driver management software. We have an automation manager policy available in the Automation Cookbook that will remove the offending dbutil_2_3.sys as a stop-gap mitigation, but you will still need to follow the guidance from Dell to permanently resolve this.


Twelve different Adobe applications received fixes for 43 vulnerabilities this month with one being actively exploited in Adobe Reader. CVE-2021-28550 affects multiple versions of Adobe Reader, and Adobe Reader should receive top priority as it is seeing active exploitation.


Internet Explorer 11 and 9—yes you read that correctly—had CVE-2021-26419 addressed with Security Updates. With a CVSS of 7.5 and marked as “exploitation more likely,” now is a good time to audit your environments for Internet Explorer 11 and 9 installs and remove them if possible.


While we have more breathing room this month versus previous months there are still a number of high-priority patches that require your attention. Patch Management in N-able RMM and N-central® should make it easy for you to contend with the Windows Patch Tuesday and Adobe update for CVE-2021-28550. You’ll still need to check inventory and perform an audit of any Dell systems you have deployed to make sure you address the CVE-2021-21551 vulnerability.

Lewis Pope is Head Security Nerd for N-able you can follow him on Twitter at @cybersec_nerd

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site