Threat Summary
On June 9, 2026, Microsoft released its regular Patch Tuesday security update, fixing 206 vulnerabilities (39 rated Critical) across a broad spectrum of Microsoft products, including the Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, and Office. This is the largest number of vulnerabilities ever disclosed in a single security update since Microsoft began the Patch Tuesday program 23 years ago, in October 2003.
Within this update there were ~65 Elevation of Privilege (EoP) vulnerabilities, with privilege escalation dominating this cycle. These vulnerabilities are frequently utilized by threat actors at the beginning of multi-stage attacks, chained with initial access exploits.
A total of six zero-days were addressed in this cycle. Five were publicly disclosed prior to patching, and one is being actively exploited in the wild. These should be patched immediately.
Actively Exploited
| CVE | Title | CVSS | Details | Exploited? |
|---|---|---|---|---|
| CVE-2026-42897 | Microsoft Exchange Server Spoofing | 8.1 | Attacker sends a crafted email; if opened in Outlook Web Access, arbitrary JavaScript executes in the victim’s browser. Microsoft issued mitigations via the Exchange Emergency Mitigation Service. | Yes |
Publicly Disclosed Zero-Days
All five publicly disclosed zero-days trace back to one source operating under the alias Nightmare-Eclipse.
- GreenPlasma (CVE-2026-45586) – CTFMON EoP
- YellowKey (CVE-2026-45585) – BitLocker bypass
- MiniPlasma (CVE-2020-17103) – Cloud Files EoP
- BlueHammer, RedSun, HTTP/2 Bomb, UnDefend – patched
- RoguePlanet – new Microsoft Defender zero-day PoC (not yet patched)
| CVE | Exploit Name | CVSS | Component | Impact |
|---|---|---|---|---|
| CVE-2026-45586 | GreenPlasma | 7.8 | Windows Collaborative Translation Framework (CTFMON) | Elevation of Privilege → SYSTEM privileges |
| CVE-2026-45585 | YellowKey | 6.8 | Windows BitLocker | Security Feature Bypass → access to BitLocker-encrypted drives via WinRE |
| CVE-2026-50507 | Bitskrieg | 6.8 | Windows BitLocker | Security Feature Bypass → full access to encrypted data with physical access |
| CVE-2026-49160 | HTTP/2 Bomb | 7.5 | HTTP.sys (HTTP/2 stack) | Denial of Service → IIS server exhausted 64 GB RAM in ~45 seconds in Proof-of-Concept (PoC) tests |
| CVE-2020-17103 | MiniPlasma | 7.0 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege → SYSTEM privileges (incomplete 2020 patch re-exploited) |
| – | RoguePlanet | – | Windows Defender | Elevation of Privilege → SYSTEM privileges (no patch issued at this time) |
Recommendations
IMMEDIATE ACTIONS:
- Inventory and identify all systems running Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, Office, and other affected components.
- Review vendor-specific KB articles; prioritize systems exposed to networks/internet or handling critical data.
- Apply all June 2026 security patches immediately, prioritizing the zero-days listed above and the patching guidance below.
PATCHING GUIDANCE:
- Remote Desktop Client (11 CVEs, 4 Critical) was the largest single-component cluster this cycle. Apply security patches to RDP-enabled devices (notably for CVE-2026-44801, CVE-2026-44799, CVE-2026-42992 and CVE-2026-42985).
- Hyper-V: Critical out-of-bounds read vulnerabilities CVE-2026-47652, CVE-2026-45641 and CVE-2026-45607. Apply these patches immediately on virtualized infrastructure and cloud hosts.
- Microsoft Office (Outlook, Word) had several Critical vulnerabilities this cycle, such as CVE-2026-45458 (Microsoft Office), CVE-2026-45456 (Microsoft Outlook) and CVE-2026-47635 (Microsoft Outlook and Word). Deploy cumulative updates as outlined in Microsoft’s June 2026 Security Update Guide.
CONFIGURATION/MONITORING:
- Enhance monitoring/logging on domain controllers, network boundaries, email/file servers, and endpoints for abnormal behavior or exploitation attempts.
- Cisco Talos recommends updated Snort rules to detect exploitation attempts for vulnerabilities in this cycle, notably SIDs:
  - Snort 2: Rules 66572–66577, 66581, 66589, 66590, 66594, 66595, 66601–66604
  - Snort 3: Rules 301523–301525, 301527–301529, 301531–301532
USER AWARENESS:
- Alert users to the risks of opening unsolicited or suspicious Office/Word documents, even if received from known contacts, given the active exploitation of CVE-2026-42897.
PERSISTENT THEME AWARENESS:
A pattern seen across multiple recent Patch Tuesdays continues: attackers are investing heavily in undermining pre-OS boot integrity and full-disk encryption.
- 8 Secure Boot Security Feature Bypass patches this month.
- 3 BitLocker bypass vulnerabilities patched (CVE-2026-45585 YellowKey, CVE-2026-50507 Bitskrieg, CVE-2026-45658) in addition to multiple UEFI-level bypass CVEs.
LONG-TERM PREVENTION:
- Maintain regular patch cadence with rapid deployment for Critical/Important Microsoft vulnerabilities.
- Utilize least-privilege, strong authentication, network segmentation, and application-level controls for exposed assets.
- Enable auto-updates on supported platforms where feasible and audit patch status via centralized management tooling (e.g., SCCM, Intune).
- Review and validate backup and recovery procedures in case of compromise.
Temporary Workarounds
- RDP exposure: Restrict internet-facing RDP; enforce NLA; use VPN/gateway.
- BitLocker: Enable TPM+PIN authentication (instead of TPM-only) to mitigate YellowKey/Bitskrieg.
- HTTP.sys / HTTP/2 Bomb: Apply Microsoft’s new MaxHeadersCount registry setting (KB5102602); disable HTTP/2 where feasible on exposed IIS servers.
- Exchange Server: Verify Exchange Emergency Mitigation Service (EEMS) is enabled; apply the CVE-2026-42897 patch urgently.
- Hyper-V hosts: Network-segment management interfaces; audit guest-to-host trust boundaries.
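The following audit script is an added example, not Microsoft tooling or part of the original advisory. Run on a Windows host, it checks the local state of the RDP, HTTP.sys and BitLocker workarounds above and the KB5102602 patch-status item from the long-term guidance, returning one pass/fail finding per control. It assumes the MaxHeadersCount value lives under the HTTP\Parameters service key, which the advisory does not state; the other registry paths, cmdlets and property names are documented Windows ones.

```powershell
# Added audit (not Microsoft's own tooling): one finding per workaround control.
# ASSUMPTION: MaxHeadersCount is read from the HTTP\Parameters key; the advisory
# names the value and KB5102602 but not its key, so adjust if the KB differs.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

function Test-JunePatchWorkarounds {
    $findings = @()
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp  = "$ts\WinStations\RDP-Tcp"
    $http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

    # RDP exposure: if RDP is enabled (fDenyTSConnections=0), NLA must be enforced.
    $rdpOn = (Get-RegDword $ts 'fDenyTSConnections') -eq 0
    $nla   = (Get-RegDword $rdp 'UserAuthentication') -eq 1
    $findings += [pscustomobject]@{ Control = 'RDP: NLA enforced or RDP disabled'
                                    Pass    = (-not $rdpOn) -or $nla }

    # HTTP/2 Bomb: HTTP/2 off for both TLS and cleartext listeners, or a
    # MaxHeadersCount bound present; KB5102602 tracked as its own finding.
    $h2Off  = ((Get-RegDword $http 'EnableHttp2Tls') -eq 0) -and
              ((Get-RegDword $http 'EnableHttp2Cleartext') -eq 0)
    $maxHdr = Get-RegDword $http 'MaxHeadersCount'   # key location assumed
    $kb     = Get-HotFix -Id 'KB5102602' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Control = 'HTTP.sys: HTTP/2 disabled or MaxHeadersCount set'
                                    Pass    = $h2Off -or ($null -ne $maxHdr) }
    $findings += [pscustomobject]@{ Control = 'HTTP.sys: KB5102602 installed'
                                    Pass    = ($null -ne $kb) }

    # BitLocker: each protected OS volume should use a TPM+PIN protector, not TPM-only.
    $osVols = Get-BitLockerVolume -ErrorAction SilentlyContinue |
              Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' }
    foreach ($v in $osVols) {
        $types = $v.KeyProtector.KeyProtectorType
        $findings += [pscustomobject]@{ Control = "BitLocker: TPM+PIN on $($v.MountPoint)"
                                        Pass    = ($types -contains 'TpmPin') -or
                                                  ($types -contains 'TpmPinStartupKey') }
    }
    return $findings
}

Test-JunePatchWorkarounds | Format-Table -AutoSize
```

Run from an elevated PowerShell session; the BitLocker cmdlet requires administrator rights, and a failed finding maps directly to the workaround bullet it is named after.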