Microsoft's June 2026 Patch Tuesday was the largest in the programme's history — roughly 200 vulnerabilities fixed in a single release, beating the previous record of 167. For stretched IT teams that's a lot to absorb, so here's what actually matters and what to do first.

What happened

Released on 9 June, the update addressed around 200 flaws, 33 of them rated Critical (most allowing remote code execution). BleepingComputer initially counted three publicly disclosed zero-days and revised that to six the following day — five disclosed before a fix was available, and one already being exploited in real attacks.

The actively exploited one matters most: CVE-2026-42897, an Exchange Server flaw triggered by a specially crafted email that can run code in the victim's Outlook Web Access session — no click or download required. Other notable fixes include a "wormable" Windows kernel flaw (CVE-2026-45657, CVSS 9.8), a BitLocker bypass requiring physical access, and an HTTP/2 denial-of-service flaw. Security researchers also noted the growing role of AI in finding vulnerabilities faster than ever — one reason monthly patch counts keep climbing.

Why this matters

A record-breaking patch month isn't just a headline — it's a prioritisation problem. You can't apply 200 fixes everywhere at once, and attackers know it. The gap between a flaw being public and being patched is exactly where breaches happen, and with at least one Exchange flaw already exploited, that gap is dangerous this month.

What to do

  1. Patch internet-facing systems first, especially on-premises Microsoft Exchange — treat CVE-2026-42897 as urgent.
  2. Then prioritise the wormable and SYSTEM-level flaws on servers and domain controllers.
  3. Roll out the rest on a schedule to workstations, testing line-of-business apps first, as large updates occasionally break older software.
  4. Make patching a managed process, not an afterthought — know what you run, what's exposed, and patch within days where it's internet-facing.

If keeping on top of patching across your estate is a struggle, that's exactly the kind of thing our managed support takes off your plate — we patch, monitor and test so you don't have to firefight every second Tuesday. Get in touch to talk it through.

Source: Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws — BleepingComputer