137 CVEs Dropped on Tuesday. Your IT Team Has One Person. Here's the Fix.

CivSafe Team·May 15, 2026·7 min read

Monday was a normal Monday. Tuesday changed that.

Microsoft dropped 137 CVEs on May 12 — one of the largest single-month vulnerability dumps on record. Fourteen rated critical. Four separate remote code execution flaws in Microsoft Word. A critical hole in the Windows Netlogon service, the component that handles authentication across your entire network. A DNS client vulnerability that could be triggered remotely without any user interaction.

No zero-days this time, which was treated as good news.

Here's the part nobody's leading with: five months into 2026, Microsoft alone has already disclosed more than 500 vulnerabilities. The current pace puts us on track to surpass 1,245 — the all-time annual record, set in 2020. And we're talking about one vendor.

Something has structurally changed. Understanding what changed — and specifically what it means if your IT "team" is one person wearing three hats — is worth five minutes of your time.

Why This Is Suddenly Different

Vulnerabilities have always existed. What's changed is how fast they're being found now.

AI-assisted vulnerability scanning has gone from experimental to routine in the last twelve months. Major vendors are now running AI models over their entire codebases on a continuous basis — not just when a new product ships, but constantly. The same AI capabilities that let a developer review 10,000 lines of code in seconds also let a security scanner find semantic logic errors that manual audits and traditional static analysis tools would miss entirely.

Palo Alto Networks published a data point last week that's worth sitting with: after deploying frontier AI models to scan their own codebase, they found 75 security issues, which were assigned 26 CVEs. Their typical monthly discovery rate with conventional methods? Roughly five. That's a 15x increase from the same code, found in weeks.

Microsoft's security team is doing the same thing, at a much larger scale. They're now crediting AI-assisted vulnerability research by name on multiple CVEs per Patch Tuesday release. Britain's National Cyber Security Centre issued a warning last month telling organizations to prepare for exactly this: a sustained surge of urgent software updates driven by AI-assisted discovery, with no sign of the pace slowing.

That's where Tuesday's 137 are coming from. And next month's batch. And every one after that.

The Math Problem Nobody's Solved for Small Teams

Here's the honest framing: enterprise security teams with a dozen analysts can absorb a 24-to-48-hour crunch when critical patches drop. They've built workflows around Patch Tuesday. They have ticketing systems, test environments, change control processes, a dedicated person watching CVE feeds.

If you're running a 20-person NGO, a municipal department, or a 30-person professional services firm, your "security team" is probably your IT generalist — and that person is already stretched between managing Microsoft 365 licenses, troubleshooting VPN connectivity, handling a printer that keeps disappearing from the network, and onboarding the two people who started last Monday.

A researcher quoted in Insurance Business put it plainly: "Security teams that have always been capable of a 24-to-48-hour sprint for a critical patch are potentially looking at a continuous 24/7 onslaught, and people will not be able to sustain that."

That's not a hyperbolic warning about some future scenario. That's describing what's happening to small teams right now, in the back half of this year.

And here's the trap: not patching feels riskier than ever, because it objectively is. But attempting to patch everything, as fast as it's coming, is physically impossible for a one-person IT operation. So what do you actually do?

The Triage Tool Most Small Orgs Haven't Heard Of

There's a free tool called EPSS — the Exploit Prediction Scoring System — maintained by FIRST.org, the same independent nonprofit that runs the CVSS scoring most IT folks already know.

Where CVSS tells you how severe a vulnerability is in theory, EPSS tells you how likely it is to be exploited in the next 30 days in practice. It runs on a machine learning model trained on actual exploit activity across the internet. Every CVE in the database gets a probability score between 0 and 1. A high score means the model sees signals of active attacker interest. A low score means security researchers found it and it's technically real, but nobody's building weapons around it yet.

The workload difference is staggering. Research published this spring ran EPSS against real-world CVE datasets and found that combining EPSS with CISA's Known Exploited Vulnerabilities (KEV) catalog reduces the "immediately urgent" pile from roughly 16,000 vulnerabilities down to around 850 — a 95% reduction — while still covering 85% of the threats that actually get used in real attacks.

Read that again. You don't need to patch everything. You need to patch the 850 things that attackers are actually touching, and you can let the other 15,000 wait in a managed queue.

This is not a controversial idea in the security community. The frustrating part is how few small organizations have operationalized it.

What This Looks Like in Practice

Step one: Get on the KEV list. CISA maintains a catalog of vulnerabilities that are confirmed to be actively exploited in the wild. It's free, it's public, it's updated continuously. If a CVE is on this list and it applies to software you run, it's not in the "maybe next month" pile. It goes to the front. Bookmark it: cisa.gov/known-exploited-vulnerabilities-catalog.

Step two: Check EPSS scores before you triage. When Patch Tuesday drops or a vendor sends an advisory, don't just look at the CVSS score. Pull the CVE number, look it up on the EPSS database (first.org/epss), and see the probability score. A CVSS 9.0 vulnerability with an EPSS score of 0.004 — a 0.4% exploitation probability — is legitimately lower priority than a CVSS 6.5 with an EPSS of 0.7. Severity in theory is not the same as danger in practice.

Step three: Automate the feed, not just the patching. Most small orgs know to enable automatic Windows updates. Fewer have set up structured CVE monitoring for the specific software stack they run — their firewall firmware, their backup appliance, their self-hosted tools, their WordPress plugins. Tools like Automox, Wiz, and Tenable can do this at an SMB price point. If budget is tight, at a minimum: subscribe to GitHub security advisories for any open-source software you run, and set up email alerts for your specific vendors through their security bulletins.

Step four: Accept that perfect isn't the goal. The organizations that get into serious trouble aren't the ones that miss a few low-probability patches in a busy month. They're the ones that have no process at all, patch reactively only after incidents, or have software running that nobody in the org knows is even there. A lightweight, consistent process beats a heroic but unsustainable one every time.
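To make steps one and two concrete, here is an added example (not CivSafe's code or any vendor's tooling) that triages a constructed Patch Tuesday list by KEV membership and EPSS score instead of CVSS alone. The CVE ids, scores and the 0.10 urgency threshold are all assumed sample values; in practice the inputs come from CISA's KEV JSON feed and the FIRST EPSS API.

```python
"""Prioritise a patch list with KEV + EPSS rather than CVSS severity alone."""

# Constructed sample advisory rows; not real CVEs. Rows 0002 and 0003 mirror
# the article's comparison: CVSS 9.0 / EPSS 0.004 vs CVSS 6.5 / EPSS 0.7.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.910},
    {"id": "CVE-0000-0002", "cvss": 9.0, "epss": 0.004},
    {"id": "CVE-0000-0003", "cvss": 6.5, "epss": 0.700},
    {"id": "CVE-0000-0004", "cvss": 7.5, "epss": 0.020},
    {"id": "CVE-0000-0005", "cvss": 5.3, "epss": 0.120},
]

# Constructed stand-in for the KEV catalog: ids CISA confirms are exploited.
SAMPLE_KEV = {"CVE-0000-0004"}

# Assumed threshold: treat >= 10% 30-day exploitation probability as urgent.
EPSS_URGENT = 0.10


def cvss_order(cves):
    """The naive queue: highest CVSS first, ignoring exploit likelihood."""
    return [c["id"] for c in sorted(cves, key=lambda c: -c["cvss"])]


def triage(cves, kev, epss_urgent=EPSS_URGENT):
    """Split CVEs into three buckets: patch now, this cycle, managed queue.

    KEV membership always wins (step one). Otherwise EPSS decides whether
    the item is urgent (step two); CVSS only breaks ties inside a bucket.
    """
    buckets = {"now": [], "this_cycle": [], "queue": []}
    for c in cves:
        if c["id"] in kev:
            buckets["now"].append(c)
        elif c["epss"] >= epss_urgent:
            buckets["this_cycle"].append(c)
        else:
            buckets["queue"].append(c)
    for name, items in buckets.items():
        items.sort(key=lambda c: (-c["epss"], -c["cvss"]))
        buckets[name] = [c["id"] for c in items]
    return buckets


def patch_order(cves, kev, epss_urgent=EPSS_URGENT):
    """Flatten the buckets into the order a one-person team should work."""
    b = triage(cves, kev, epss_urgent)
    return b["now"] + b["this_cycle"] + b["queue"]


if __name__ == "__main__":
    print("CVSS only :", cvss_order(SAMPLE_CVES))
    print("KEV + EPSS:", patch_order(SAMPLE_CVES, SAMPLE_KEV))
```

Note how the CVSS 9.0 item drops to the back of the queue while the CVSS 5.3 item with a 12% exploitation probability moves into the current cycle.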
The AI-driven patch surge isn't slowing down. Microsoft hitting 500+ CVEs in five months is not an anomaly — it's the new baseline, probably on its way to becoming the floor. The vendors using AI to find their own bugs are being responsible. The problem is that the patching demand downstream lands on teams that were never resourced for this volume.

The answer isn't more IT staff (most small orgs can't hire their way out of this) and it isn't hoping attackers pick bigger targets (they don't). The answer is smarter triage — using the same data that enterprise security teams use, most of which is free and available right now.

This is one of the areas where we spend a lot of time with small teams: building a lightweight vulnerability management process that one IT generalist can actually run, without requiring an enterprise toolchain or a dedicated security analyst. If your current posture is "we patch when it breaks," this is a good week to change that.
