Microsoft June 2026 Patch Tuesday: 200+ Vulnerabilities, 6 Zero-Days Explained

Reza

Microsoft released its June 2026 Patch Tuesday update on June 10, 2026, and it is one of the larger ones in recent memory. According to BleepingComputer, the update addresses more than 200 vulnerabilities across Windows, Office, Exchange Server, HTTP.sys, and other components. Six of those vulnerabilities are zero-days, meaning patches did not exist when attackers first started using them.

If you manage Windows machines or run on-premises email through Microsoft Exchange, this is one worth prioritizing. Here is what is in the update, which vulnerabilities matter most for small and mid-sized businesses, and a practical checklist for getting current quickly.

What Got Patched This Month

The June release is notably heavy. CrowdStrike's analysis breaks it down as 206 total vulnerabilities, with 37 rated Critical. The breakdown by type:

  • 65 elevation of privilege vulnerabilities
  • 55 remote code execution vulnerabilities
  • 30 information disclosure vulnerabilities
  • 27 spoofing vulnerabilities
  • 19 security feature bypass vulnerabilities
  • 7 denial of service vulnerabilities

Windows received the most patches with 120 fixes. Microsoft Office followed with 54. The categories that matter most for typical business environments are the remote code execution and elevation of privilege flaws, since those are the pathways attackers use to take over systems.

The Six Zero-Days: What Each One Does

Five of the six zero-days were publicly disclosed before patches were available. One was actively exploited in live attacks before Microsoft issued a fix. That distinction matters a lot when you are deciding how fast to move.

Windows CTFMON Privilege Escalation (CVE-2026-45586)

CVE-2026-45586 affects the Windows Collaborative Translation Framework, a core component that handles text input, handwriting recognition, and language services. The vulnerability has a CVSS score of 7.8. A low-privileged attacker who already has a foothold on a machine can exploit it to gain SYSTEM-level privileges with no user interaction required.

This is the vulnerability security researchers have nicknamed GreenPlasma. It was publicly disclosed before Microsoft patched it, and proof-of-concept exploit code exists. Microsoft rates exploitation as "more likely," which in practice means capable attackers can use this against unpatched systems.

BitLocker Bypass (CVE-2026-50507)

CVE-2026-50507 is a security feature bypass affecting Windows BitLocker with a CVSS score of 6.8. Physical access to the machine is required, so this is not a remote attack. However, an attacker with physical access and no credentials can bypass BitLocker device encryption and read data directly from the storage device.

For businesses that rely on BitLocker as their primary protection against stolen laptops or devices, this is worth understanding. The patch addresses the bypass, but it is also a good reminder that encryption is one layer of a defense strategy, not a complete one. Policies around physical device security, remote wipe capability, and endpoint detection and response all contribute to reducing the risk when a device goes missing.

HTTP.sys Critical Remote Code Execution (CVE-2026-47291)

This one is rated Critical with a CVSS score of 9.8. CVE-2026-47291 affects HTTP.sys, the kernel-mode driver Windows uses to handle HTTP and HTTPS requests. The vulnerability involves integer overflow and heap buffer overflow flaws that allow an unauthenticated remote attacker to execute arbitrary code on the server. No login required. No user interaction needed.

Any Windows server that exposes web services to the internet is potentially affected. If you are running IIS, certain Windows Server roles, or any application that relies on the Windows HTTP stack, this patch should be a priority. The 9.8 CVSS score reflects how straightforward this is to exploit remotely.

HTTP.sys Denial of Service (CVE-2026-49160)

CVE-2026-49160 is a publicly disclosed denial-of-service vulnerability in HTTP.sys with a CVSS score of 7.5. It abuses HTTP/2 to exhaust server resources. Microsoft has included a new registry setting called MaxHeadersCount in this update that lets administrators cap the number of HTTP/2 and HTTP/3 headers the server will accept. The patch applies a default limit automatically, but administrators who want fine-grained control can adjust the value post-update.

The Exchange Zero-Day Already Being Exploited

The most immediately concerning item in this month's update is a zero-day in Microsoft Exchange Server that was being exploited in real attacks before Microsoft released a patch.

The vulnerability allows attackers to execute malicious JavaScript via a cross-site scripting (XSS) attack targeting Outlook Web Access, the browser-based email client used when employees check email outside the office. An attacker who can get a targeted user to visit a crafted URL can run code in the context of that user's browser session.

If your organization runs Exchange Server on-premises, this patch is not optional. Apply it as soon as possible.

If you use Microsoft 365 rather than on-premises Exchange, you are not affected by this specific vulnerability. Microsoft handles patching for the hosted service. This is one of the practical security advantages of cloud-hosted email.

What "Actively Exploited" Means for Your Business

When Microsoft labels a vulnerability as "exploited in the wild," it means confirmed attacks occurred against real targets before the patch was available. It does not mean every business is already compromised. It means the tools to exploit the vulnerability are in active use, and the window between patch release and widespread attacker adoption tends to be short.

Historically, attackers begin scanning for unpatched systems within 24 to 72 hours of a patch release, because the patch itself is a roadmap that tells them exactly what changed. For the Exchange zero-day in this update, exploitation was already happening before June 10. The clock had been running before the patch existed.

Businesses that patch within 48 hours of Patch Tuesday are in a meaningfully better position than those on a monthly review cycle. A vulnerability management program that flags actively-exploited CVEs for immediate handling, separately from the general patch queue, makes that faster response operationally realistic.

Who Is Most at Risk From This Month's Patches

Not every vulnerability in this update applies to every business. Here is how to think about risk based on your environment:

Immediate priority: On-premises Exchange Server

The actively exploited XSS zero-day makes this a same-day patch situation. Attackers were using it before the fix existed. Every day an unpatched Exchange server is reachable from the internet is a real exposure.

Immediate priority: Windows servers running web services

The HTTP.sys critical RCE (CVE-2026-47291, CVSS 9.8) affects any Windows server handling HTTP or HTTPS traffic. If you host internal applications, run IIS, or have servers with internet-facing ports, patch this before the weekend.

72-hour priority: All Windows workstations and servers

The Windows zero-days like GreenPlasma/CTFMON require a local attacker to already have some access to escalate. That sounds less urgent, but post-exploitation privilege escalation is how attackers move from a compromised email account to full domain administrator control. Patch workstations within 72 hours and servers immediately.

Lower immediate risk: Microsoft 365 users on cloud-hosted email

The Exchange zero-day does not affect you. Windows workstation patches still apply, but your email infrastructure risk is managed by Microsoft.

A Practical Patch Checklist for June 2026

A reasonable order of operations for working through this month's update:

  1. Update Exchange Server immediately if you run it on-premises. Apply the June 2026 Cumulative Update for your Exchange version from the Microsoft Security Update Guide.
  2. Patch Windows servers before workstations. Servers carry higher risk because they are network-accessible and run continuously. Prioritize any server running IIS or exposing HTTP.sys to the network.
  3. Verify Windows Update actually ran. Check update history to confirm the June 2026 cumulative update is installed, not just that automatic updates are enabled. On Windows 11, look for KB5094126 or KB5093998. On Windows 10, look for KB5094127.
  4. Check browsers across all devices. Microsoft Edge and Chromium-based browsers received 360 security fixes this month through Google's Chromium update channel. Make sure all browsers are on the current version.
  5. Confirm BitLocker is still functioning after the update. The BitLocker bypass patch requires the June cumulative update. After applying it, verify BitLocker shows as active on encrypted drives.

How to Handle 200+ Patches Without Losing a Weekend

Patch Tuesday releases at this scale can feel unmanageable for teams without a dedicated IT department. A few approaches that help:

Triage by exploitation status first. Start with anything marked "Exploitation Detected" or "Exploitation More Likely" in the Microsoft Security Update Guide. This month, that means the Exchange zero-day and the HTTP.sys RCE go first.

Use deployment rings. Apply patches to a small test group first, verify nothing breaks over 24 hours, then roll out broadly. This catches application compatibility issues before they hit everyone at once.

Automate the Windows baseline. Windows Update for Business or Windows Server Update Services (WSUS) can handle workstation and server patching on a schedule automatically. Critical patches can be configured to deploy within 24 hours of release, non-critical within seven days. This removes the manual effort from the standard cycle and keeps human attention for exceptions and edge cases.

Document what you deferred and why. If a patch requires a reboot during business hours and you delay it by 48 hours, write that down with a target date. If you ever have an incident touching that CVE, you need to show a plan existed.

If patching is something your team regularly falls behind on, it tends to compound over time. A managed IT services arrangement that includes patch management handles this as an ongoing process rather than a monthly scramble. At Burgi Technologies, patch management is part of what we include for clients across Orange County, and it is one of those things that works significantly better as a system than as a reactive task.

What About Businesses Still Running Windows 10?

Windows 10 reached end-of-life in October 2025. Standard Patch Tuesday updates no longer apply to it. Businesses still running Windows 10 in production either are not receiving security patches at all, or are paying for Microsoft's Extended Security Updates (ESU) program, which provides a limited patch bridge at additional per-device cost.

This month's Patch Tuesday is a useful reminder to review any remaining Windows 10 devices. Hardware that meets Windows 11 requirements can be upgraded at no additional software cost. Hardware that does not meet the requirements is overdue for a refresh conversation. The exposure gap on unpatched machines grows every month.

A Note on Supply Chain Risk

The Exchange vulnerability this month is particularly relevant from a supply chain perspective. Even if your own organization uses Microsoft 365, your accountant, attorney, or technology vendor may run on-premises Exchange. A compromised Exchange server in your supply chain can be used to target your organization through trusted communications.

This is not hypothetical. The pattern of attackers using compromised trusted partners as a pivot point into target organizations is well-established. Asking your key vendors and service providers whether they have applied June's Exchange patches is a reasonable thing to do, especially if they have access to your systems or handle sensitive data on your behalf. Our managed cybersecurity services include vendor security assessments for clients who want visibility into that third-party risk.

Frequently Asked Questions

How do I check if my Windows machines have the June 2026 patches installed?

Go to Settings, then Windows Update, and check the update history. On Windows 11, you are looking for KB5094126 or KB5093998. On Windows 10, look for KB5094127. If you manage multiple machines, Windows Admin Center or your RMM tool can show patch status across all devices in a single view without checking each one manually.

My business uses Microsoft 365 for email. Do I still need to do anything about the Exchange vulnerability?

No action needed specifically for Exchange. Microsoft manages patching for Exchange Online on their end, so hosted email is not affected by this particular vulnerability. You still need to apply the June Windows cumulative updates on workstations and any servers you manage, since the Windows zero-days apply to local systems regardless of where your email is hosted.

What is the difference between a zero-day and a regular vulnerability?

A regular vulnerability is discovered privately, reported to the vendor, and patched before it becomes public knowledge. A zero-day is either publicly disclosed or actively exploited before a patch exists. The name comes from the zero days of patch availability when attackers first use it. Zero-days get higher patching priority because there is no defensive fix to point to during the exposure window.

How quickly should we apply Patch Tuesday updates in a business environment?

For most businesses, applying patches within five to seven days of Patch Tuesday is a solid baseline for standard vulnerabilities. Critical vulnerabilities and anything marked as actively exploited should be addressed within 24 to 48 hours. If same-day patching is not operationally feasible, a staged approach, where critical patches go to test machines first and then roll out broadly within 48 hours, is a reasonable middle ground.

We have a small team with no dedicated IT. How do we realistically keep up with this?

Three practical options: enable automatic updates on all Windows devices (Settings, Windows Update, Advanced Options, then enable automatic restarts outside business hours), use Microsoft Intune for centralized patch management if you have Microsoft 365 Business Premium, or work with an MSP that includes patch management as a standard service. The manual approach works until it does not, and one missed critical patch is usually how businesses learn they need a better process in place.

Check our other posts

Check Point VPN zero-day CVE-2026-50751 small business security guide
by
Reza

Check Point VPN Zero-Day CVE-2026-50751: What Small Businesses Need to Do Now

June 11, 2026
Chrome zero-day CVE-2026-11645 update guide
by
Reza

Chrome Zero-Day CVE-2026-11645: How to Check and Update Every Browser in Your Office

June 9, 2026
Microsoft Defender zero-day CVE-2026-41091 cybersecurity blog for small business
by
Reza

Microsoft Defender Has Two Active Zero-Days: Here's How to Check If Your Business Is Patched

June 4, 2026
From remote IT support in Orange County to full business IT support services, we make technology simple, secure, and cost-effective.
Main Pages
Infrastructure and Cloud
Managed IT Services
Professional IT Services
IT Security
Industries
Areas We Serve
Other Pages
About usBlogRemote SupportTestimonialContact UsSitemapQR
Let's Talk
(949) 381-1010
info@burgitech.com
California
2522 Chambers Rd. Suite 100, Tustin CA 92780
10535 Foothill Blvd. Suite 365 Rancho Cucamonga, CA 91730
Washington
600 1st Ave. Suite 102 Seattle, WA 98104
Arizona
4742 N 24th St Suite 300 Phoenix, AZ 85016
Want to know more? Find our Privacy Policy, Disclaimer and Terms of Services.
©2025 Burgi Technologies
""