Threat Summary
On June 9, 2026, Microsoft released its regular Patch Tuesday security update, fixing 206 vulnerabilities (with 39 rated Critical) affecting a broad spectrum of Microsoft products including Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, and Office. This is the largest number of vulnerabilities ever disclosed in a single security update since Microsoft begun the Patch Tuesday program 23 years ago, in October 2003.
Within this update there were ~65 Elevation of Privilege (EoP) vulnerabilities, with privilege escalation dominating this cycle. These vulnerabilities are frequently utilized by threat actors at the beginning of multi-stage attacks, chained with initial access exploits.
A total of six zero-days were addressed in this cycle. Five were publicly disclosed prior to patching, and one is activity exploited in the wild. These should be patched immediately.
Actively Exploited
| CVE |
Title |
CVSS |
Details |
Exploited? |
| CVE-2026-42897 |
Microsoft Exchange Server Spoofing |
8.1 |
Attacker sends a crafted email; if opened in Outlook Web Access, arbitrary JavaScript executes in the victim’s browser. Microsoft issued mitigations via the Exchange Emergency Mitigation Service. |
Yes |
Publicly Disclosed Zero-Days
All five publicly disclosed zero-days trace back to a rogue security researcher operating under the alias Nightmare-Eclipse.
- GreenPlasma (CVE-2026-45586) — CTFMON EoP
- YellowKey (CVE-2026-45585) — BitLocker bypass
- MiniPlasma (CVE-2020-17103) — Cloud Files EoP
- BlueHammer, RedSun, HTTP/2 Bomb, UnDefend — patched
- RoguePlanet — new Microsoft Defender zero-day PoC (not yet patched)
| CVE |
Exploit Name |
CVSS |
Component |
Impact |
| CVE-2026-45586 |
GreenPlasma |
7.8 |
Windows Collaborative Translation Framework (CTFMON) |
Elevation of Privilege → SYSTEM privileges |
| CVE-2026-45585 |
YellowKey |
6.8 |
Windows BitLocker |
Security Feature Bypass → access to BitLocker-encrypted drives via WinRE |
| CVE-2026-50507 |
Bitskrieg |
6.8 |
Windows BitLocker |
Security Feature Bypass → full access to encrypted data with physical access |
| CVE-2026-49160 |
HTTP/2 Bomb |
7.5 |
HTTP.sys (HTTP/2 stack) |
Denial of Service → IIS server exhausted 64 GB RAM in ~45 seconds in Proof-of-Concept (PoC) tests |
| CVE-2020-17103 |
MiniPlasma |
7.0 |
Windows Cloud Files Mini Filter Driver |
Elevation of Privilege → SYSTEM privileges (incomplete 2020 patch re-exploited) |
| – |
RoguePlanet |
– |
Windows Defender |
Elevation of Privilege → SYSTEM privileges (No patch issued at this time) |
Recommendations
IMMEDIATE ACTIONS:
- Inventory and identify all systems running Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, Office, and other affected components.
- Review vendor-specific KB articles; prioritize systems exposed to networks/internet or handling critical data.
- Apply all June 2026 security patches immediately, namely zero-days mentioned and other immediate patching guidance actions (see below).
PATCHING GUIDANCE:
- Remote Desktop Client (11 CVEs – 4 Critical) was the largest single-component cluster this cycle. Apply security patches for Remote Desktop Connect (RDP) enabled devices (notably for CVE-2026-44801, CVE-2026-44799, CVE-2026-42992 CVE-2026-42985).
- Hyper-V critical out-of-bounds read vulnerabilities pertaining to CVE-2026-47652, CVE-2026-45641 and CVE-2026-45607. Apply these patches immediately on virtualized infrastructure and cloud hosts.
- Microsoft (Office, Outlook, Word) had several critical exploits within this round-up, such as CVE-2026-45458 (Microsoft Office), CVE-2026-45456 (Microsoft Outlook) and CVE-2026-47635 (Microsoft Outlook and Word). Deploy cumulative updates as outlined by Microsoft’s June 2026 Security Update Guide.
CONFIGURATION/MONITORING:
- Enhance monitoring/logging on domain controllers, network boundaries, email/file servers, and endpoints for abnormal behavior or exploitation attempts.
- Cisco Talos recommends updated Snort rules to detect exploitation attempts for vulnerabilities in this cycle, notably SIDs:
- Snort 2: Rules 66572–66577, 66581, 66589, 66590, 66594, 66595, 66601–66604
- Snort 3: Rules 301523–301525, 301527–301529, 301531–301532
USER AWARENESS:
- Alert users to the risks of opening unsolicited or suspicious Office/Word documents, even if received from known contacts, given the active exploitation of CVE-2026-42897.
PERSISTENT THEME AWARENESS:
A recurring pattern across multiple Patch Tuesdays continues, as attackers are investing heavily in undermining pre-OS boot integrity and full-disk encryption.
- 8 Secure Boot Security Feature Bypass patches this month.
- 3 BitLocker bypass vulnerabilities patched (CVE-2026-45585 YellowKey, CVE-2026-50507 Bitskrieg, CVE-2026-45658) in addition to multiple UEFI-level bypass CVEs.
LONG-TERM PREVENTION:
- Maintain regular patch cadence with rapid deployment for Critical/Important Microsoft vulnerabilities.
- Utilize least-privilege, strong authentication, network segmentation, and application-level controls for exposed assets.
- Enable auto-updates on supported platforms where feasible and audit patch status via centralized management tooling (e.g., SCCM, Intune).
- Review and validate backup and recovery procedures in case of compromise.
Temporary Workarounds
- RDP exposure: Restrict internet-facing RDP; enforce NLA; use VPN/gateway.
- BitLocker: Enable TPM+PIN authentication (instead of TPM-only) to mitigate YellowKey/Bitskrieg.
- sys / HTTP/2 Bomb: Apply Microsoft’s new MaxHeadersCount registry setting (KB5102602); disable HTTP/2 where feasible on exposed IIS servers.
- Exchange Server: Verify Exchange Emergency Mitigation Service (EEMS) is enabled; apply the CVE-2026-42897 patch urgently.
- Hyper-V hosts: Network-segment management interfaces; audit guest-to-host trust boundaries.
References: