Microsoft is tracking active exploitation of an Exchange Server zero-day with no patch issued and no remediation timeline published as of May 19, while a separate Windows kernel vulnerability achieving SYSTEM-level privilege escalation on fully patched endpoints also remains unresolved. Both vulnerabilities are being actively exploited. MAS TRM's remediation obligations are structured around patch availability: the clock starts when the vendor ships the fix. Microsoft has not shipped a fix.
The Exchange exposure is the more consequential for this desk's readership. On-premises Exchange remains the email and authentication backbone at a significant share of APAC mid-tier banks, particularly those outside Singapore's cloud-migrated majority. MAS TRM requires critical vulnerabilities patched within a defined window after vendor availability. The vendor has not shipped the patch. The regulation was written for the world where that sentence ends differently, and the closest procedural substitute available to a compliance officer today is a compensating controls documentation exercise: network segmentation, Outlook Web Access restriction, and monitoring configured to the specific technique Microsoft enumerated in its advisory. No HKMA guidance has been issued. An institution whose incident response plan reads "patch upon vendor release" is, as of today, without a plan.