Skip to main content
Breaking
///CISA Flags SolarWinds Serv-U Flaw as Exploited///CISA Flags SolarWinds Serv-U Flaw as Exploited
SecurityXP

Microsoft Patches Record 200 Vulnerabilities in June 2026 Patch Tue...

· 4 min read · SecurityXP Editorial Desk

“This class of vulnerabilities is likely to expand further as researchers, including the discoverers of CVE-2026-49160, use advances in LLM capability to probe not just specific software, but also the standards on which software rests.” Read more on Patch Tuesday: Microsoft Fixes 17 Critical Flaws in May Patch Tuesday The second zero-day fixed is CVE-2026-50507, a Windows BitLocker security feature bypass vulnerability. The issue is tracked as CVE-2026-49160, CVE-2026-50507, CVE-2026-45586. It carries a CVSS score of 9.8 (CRITICAL).

Background

Critical Vulnerability in Windows Active Directory Domain Services CVE-2026-45648 is a Critical RCE vulnerability affecting Windows Active Directory Domain Services and has a CVSS score of 8.8.

Further details indicate that critical Vulnerability in Windows Deployment Services CVE-2026-42987 is a Critical RCE vulnerability affecting Windows Deployment Services (WDS) and has a CVSS score of 8.1.

Other CVEs to prioritize this month include: - CVE-2026-44812: an RCE flaw in Windows Graphics Component (Win32K-GRFX) that can allow an attacker to execute arbitrary code on a target system - CVE-2026-42985: an RCE bug in the Remote Desktop Client which could provide attackers with access to sensitive corporate systems - CVE-2026-44815: a critical flaw in the Windows DHCP Client caused by a stack-based buffer overflow, which could turn network traffic into a full system compromise - CVE-2026-47652: an RCE vulnerability in Windows Hyper-V which could lead to unauthorized code execution, compromise of sensitive workloads, and disruption of hosted services

CVE-2026-47291 is a Critical RCE vulnerability affecting HTTP.sys with a CVSS score of 9.8.

How It Works

CVEs:

Severity:

  • CVSS 9.8, CRITICAL

  • CVSS 9.6, CRITICAL

  • CVSS 8.8, HIGH

From a technical standpoint, the vulnerability presents several concerns:

Critical Vulnerability in Windows Kernel CVE-2026-45657 is a Critical RCE vulnerability affecting the Windows kernel and has a CVSS score of 9.8.

Critical Vulnerability in DHCP Client Service CVE-2026-44815 is a Critical RCE vulnerability affecting the Windows DHCP Client Service and has a CVSS score of 9.8.

Critical Vulnerability in Azure Kubernetes Service CVE-2026-32193 is a Critical RCE vulnerability affecting Azure Kubernetes Service (AKS) and has a CVSS score of 8.8.

CVE-2026-47652 is a Critical RCE vulnerability affecting Windows Hyper-V and has a CVSS score of 8.2, stemming from a heap-based buffer overflow flaw (CWE-122).

Scope

Jack Bicer, director of vulnerability research at Action1, said the bug could allow an attacker with physical access to a vulnerable system to bypass a key security feature and gain access to encrypted data stored on the device. Microsoft’s June 2026 Patch Tuesday, released on June 10, 2026, addressed 200 security vulnerabilities across Windows, Office, Azure, and related products, the largest single Patch Tuesday release in the programme’s history, surpassing the previous record of 167 CVEs. Included in these flaws is CVE-2026-49160, a denial-of-service DoS vulnerability inside HTTP.sys that allows attackers to remotely crash targeted Windows servers by sending custom web requests.

Critical Vulnerability in Nuance PowerScribe CVE-2026-26142 is a Critical RCE vulnerability affecting Nuance PowerScribe and has a CVSS score of 9.8.

Key Dates

| Date | Event | |, , |, , -| | 2026 | One of the most noteworthy zero-days is CVE-2026-49160, also known as “HTTP/2 Bomb.” It’s a denial of service (DoS) v… | | 2026 | “This class of vulnerabilities is likely to expand further as researchers, including the discoverers of CVE-2026-4916… | | 2003 | The huge number of fixed vulnerabilities makes this the largest Patch Tuesday since Microsoft launched the program in… | | June 10, 2026 | Microsoft’s June 2026 Patch Tuesday, released on June 10, 2026, addressed 200 security vulnerabilities across Windows… | | 2026 | June 2026 Patch Tuesday: Three Zero-Day Vulnerabilities This month’s release includes patches for three publicly disc… | | 2026 | CVE-2026-50507, Windows BitLocker Bypass (publicly disclosed): This vulnerability, nicknamed “YellowKey” by the rese… |

What To Do Now

  1. System administrators are in for a busy few weeks after Microsoft published updates to fix 200 vulnerabilities including three publicly disclosed zero-days June’s Patch Tuesday.

  2. For businesses, this can increase the impact of phishing, stolen credentials, or compromised standard user accounts.” Patches to Prioritize Overall, EoP vulnerabilities were most commonplace this month, accounting for 65 CVEs.

  3. This month’s Patch Tuesday fixes 206 security flaws in Microsoft software, making it the biggest Patch Tuesday release ever.

  4. The update includes 32 critical vulnerabilities, as well as three publicly disclosed zero-days.

  5. Microsoft classifies these as zero-days because information about the vulnerabilities became public before patches were available.

  6. The huge number of fixed vulnerabilities makes this the largest Patch Tuesday since Microsoft launched the program in October 2003.

The Bigger Picture

This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.

Sources

  1. https://www.crowdstrike.com/en-us/blog/
  2. https://www.crowdstrike.com/en-us/blog/featured-articles/
  3. https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/
  4. https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
  5. https://www.crowdstrike.com/en-us/blog/crowdstrike-zscaler-bring-continuous-identity-security-to-zero-trust-access/
  6. https://www.crowdstrike.com/en-us/blog/three-principles-to-safely-scale-agentic-ai/
  7. https://www.crowdstrike.com/en-us/blog/recent-articles/
  8. https://www.crowdstrike.com/en-us/blog/videos/
  9. https://www.crowdstrike.com/en-us/blog/video-highlights-the-4-key-steps-to-successful-incident-response/
  10. https://www.crowdstrike.com/en-us/blog/helping-non-security-stakeholders-understand-attck-in-10-minutes-or-less/
  11. https://www.crowdstrike.com/en-us/blog/analyzing-targeted-intrusions-through-the-attck-framework-lens-video/
  12. https://www.crowdstrike.com/en-us/blog/qatars-commercial-bank-chooses-crowdstrike-falcon-a-partnership-based-on-trust/
Tags: This CVE-2026-45648 CVE-2026-45657 CVE-2026-41089 CVE-2026-26142 CVE-2026-44812 Critical Vulnerability CVE-2026-50507
SE SecurityXP Editorial Desk
SecurityXP Editorial Desk Vulnerability Research & News Board

Automated and analyst-reviewed threat intelligence briefings tracking active exploitation campaigns, CVE disclosures, and extortion group activity.

Twitter LinkedIn
View Articles

Security Digest

Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.

Related Articles

Vulnerabilities & Exploits

Microsoft June 2026 Security Updates

Microsoft's Urgent Security Update Microsoft has just released a massive security update, fixing 204 vulnerabilities, including 38 critical ones. This is a...

 Vulnerabilities & Exploits

SAP fixes critical flaws in NetWeaver and Commerce Cloud

Uncovering Critical Flaws in SAP NetWeaver and Commerce Cloud SAP's June 2026 Security Patch package is a big deal. It fixes 15 vulnerabilities, including...

 Vulnerabilities & Exploits

CISA Flags SolarWinds Serv-U Flaw as Exploited

Over 12,000 SolarWinds Serv-U file transfer servers sit exposed to the internet. Attackers are already knocking them offline.

 Vulnerabilities & Exploits

Cisco SD-WAN Manager Under Attack, No Patch Yet

Cisco has confirmed active exploitation of a high-severity vulnerability in Catalyst SD-WAN Manager. The flaw, CVE-2026-20245, scores 7.8 on the CVSS scale.