Microsoft’s June 2026 Patch Tuesday release is one of the largest security updates of the year, addressing more than 200 Microsoft vulnerabilities along with hundreds of republished non-Microsoft CVEs.
While Microsoft has not reported any vulnerabilities as actively exploited in the wild at the time of release, this month’s update still deserves close attention. This Patch Tuesday release includes three publicly disclosed zero-day vulnerabilities, 15 vulnerabilities rated “Exploitation More Likely,” and multiple Critical issues with CVSS scores as high as 10.0.
Several of the highest-risk vulnerabilities affect core Windows services, enterprise identity systems, remote access technologies, and Microsoft cloud platforms. For IT and security teams, the priority is to patch exposed systems first, move quickly on identity and remote access risks, and reduce patching delays across distributed endpoints.
Microsoft Patch Breakdown
Microsoft’s June 2026 Patch Tuesday release is unusually large, with 206 Microsoft vulnerabilities and 362 republished non-Microsoft CVEs.
The good news is that Microsoft has not reported active exploitation for any of this month’s vulnerabilities at the time of release. However, the update still includes several risk signals that should move security teams beyond a routine patching cycle.
Category | June 2026 Patch Tuesday |
Microsoft vulnerabilities | 206 |
Republished non-Microsoft CVEs | 362 |
Publicly disclosed zero-days | 3 |
Actively exploited zero-days | 0 reported at release |
Exploitation More Likely vulnerabilities | 15 |
Highest CVSS score | 10.0 |
This month’s vulnerabilities affect a wide mix of Microsoft products and components, including Windows HTTP.sys, Windows DHCP Client, Windows Kernel, Windows NTLM, BitLocker, Winlogon, Remote Desktop Client, Microsoft Office SharePoint, Exchange Online, Azure services, Visual Studio Code, and multiple graphics-related Windows components.
Zero-Day and Exploitation More Likely Vulnerabilities
Three vulnerabilities were publicly disclosed before patches were available, and 15 vulnerabilities were rated “Exploitation More Likely.”
That combination matters. Public disclosure can give attackers a head start, while Microsoft’s exploitability assessment indicates which flaws are more likely to see working exploit code developed in the near future.
CVE | Affected Component | Type | CVSS | Status |
CVE-2026-45586 | Windows Collaborative Translation Framework | Elevation of Privilege | 7.8 | Publicly disclosed |
CVE-2026-49160 | Windows HTTP.sys | Denial of Service | 7.5 | Publicly disclosed |
CVE-2026-50507 | Windows BitLocker | Security Feature Bypass | 6.8 | Publicly disclosed |
In addition to the publicly disclosed vulnerabilities, Microsoft identified 15 issues as “Exploitation More Likely.” These affect several high-value areas across Windows, Microsoft cloud services, collaboration platforms, and endpoint components, including:
Windows HTTP.sys
Windows NTLM
Windows BitLocker
Windows Kernel
Winlogon
Desktop Window Manager (DWM) Core Library
Microsoft Graphics Component
Microsoft Office SharePoint
Remote Desktop Client
Windows Collaborative Translation Framework
Windows Win32K Graphics Components
HTTP/2
Security teams should prioritize these vulnerabilities ahead of routine updates, especially when affected systems are internet-facing, tied to authentication, used for remote access, or broadly deployed across endpoints. Even without confirmed active exploitation, this month’s publicly disclosed and “Exploitation More Likely” vulnerabilities create a shorter runway for remediation.
Critical Vulnerabilities
June’s release includes several Critical vulnerabilities that should be reviewed early in the patching process. The highest-priority issues affect Microsoft cloud services, Windows networking components, Exchange Online, and core Windows services that can increase the impact of a compromise.
CVE | Affected Component | CVSS | Type | Why It Matters |
CVE-2026-48567 | Azure HorizonDB | 10.0 | Elevation of Privilege | This is the highest-scoring vulnerability in the release. Because it affects a Microsoft cloud service, organizations should confirm exposure and remediation requirements as part of their June review. |
CVE-2026-44815 | Windows DHCP Client | 9.8 | Remote Code Execution | DHCP is widely used across enterprise environments. A remotely exploitable DHCP Client vulnerability could create significant risk if affected systems are broadly deployed. |
CVE-2026-47291 | Windows HTTP.sys | 9.8 | Remote Code Execution | HTTP.sys is used by IIS and other Windows services. Systems exposed to untrusted networks should be patched quickly, especially where HTTP.sys is enabled. |
CVE-2026-45657 | Windows Kernel | 9.8 | Elevation of Privilege | Kernel-level privilege escalation can help attackers gain deeper control after initial access, making it important for endpoint and server hardening. |
CVE-2026-48579 | Exchange Online | 9.8 | Elevation of Privilege | Email environments are high-value targets. Organizations using Exchange Online should review Microsoft’s guidance and verify that protections are applied. |
These vulnerabilities are not all equal in terms of exposure or required action. Cloud-service vulnerabilities may be remediated differently than endpoint or server vulnerabilities, while Windows networking flaws may demand faster action when systems are exposed to external or untrusted traffic.
For most organizations, the fastest path is to prioritize Critical vulnerabilities that combine high severity, remote attack potential, broad deployment, and exposure to the internet or sensitive internal networks.
How to Prioritize Patches This Month
With more than 200 Microsoft vulnerabilities and hundreds of republished non-Microsoft CVEs in this release, June’s patching effort should be guided by exposure and business impact. Start with systems that are easiest to target remotely, then move to identity, privilege escalation, and endpoint risks.
Patch Within 72 Hours
Prioritize internet-facing systems and high-severity vulnerabilities that could be targeted remotely or affect business-critical services.
Focus on:
Windows HTTP.sys
IIS and web-facing Windows services
SharePoint
Exchange Online and Microsoft 365 admin environments
Azure-hosted services
Remote Desktop infrastructure
Systems affected by Critical remote code execution vulnerabilities
Vulnerabilities marked “Exploitation More Likely”
These systems present the largest attack surface, especially when they are exposed to untrusted networks or support core business services.
Patch Within 1 to 2 Weeks
Next, focus on identity, authentication, and privilege-related vulnerabilities. These issues may not always be the first step in an attack, but they can significantly increase the impact once an attacker gains access.
Prioritize updates affecting:
Windows NTLM
Active Directory-related services
Winlogon
Windows Kernel
BitLocker
Windows DHCP Client
Systems with broad internal network exposure
This tier is especially important for domain-joined devices, servers, administrator workstations, and systems that support authentication or access control.
Regular Patch Cycle
After high-exposure and high-impact vulnerabilities are addressed, deploy the remaining updates across user endpoints and applications.
Include:
Microsoft Office applications
Remote Desktop Client
Visual Studio Code
Microsoft Graphics Components
Desktop Window Manager (DWM)
Windows Win32K Graphics Components
Many endpoint vulnerabilities require user interaction, but they remain attractive targets for phishing, malicious documents, and malware delivery. Keeping these updates on schedule helps reduce the risk of attackers chaining lower-severity issues with more serious privilege escalation flaws.
Notable Third-Party Updates
In addition to Microsoft vulnerabilities, the June 2026 release includes 362 republished non-Microsoft CVEs. These republished CVEs do not always require the same response as newly patched Microsoft vulnerabilities, but they still matter for vulnerability tracking, compliance, and patch prioritization.
Teams should review third-party exposure alongside Microsoft updates by checking:
Which affected applications are installed across managed endpoints
Whether vulnerable versions are still present after updates are deployed
Which third-party CVEs are tied to business-critical applications
Whether any republished CVEs overlap with existing compliance or audit requirements
With hundreds of republished CVEs included this month, visibility matters as much as deployment. Security teams need a clear way to see which devices are affected, which updates are missing, and which applications should move ahead of the standard patch cycle.
How Splashtop AEM Can Help
June’s Patch Tuesday release creates a familiar challenge for IT teams: too many updates, too many endpoints, and too little time to manually confirm what is exposed. Splashtop AEM helps teams move from reactive patching to faster, more consistent remediation across distributed environments.
Faster Remediation for High-Priority CVEs
When a release includes Critical vulnerabilities affecting Windows HTTP.sys, Windows DHCP Client, Windows Kernel, Remote Desktop Client, and other widely deployed components, speed matters. Splashtop AEM helps IT teams identify vulnerable endpoints and deploy needed updates quickly, reducing the gap between patch availability and remediation.
With automated patch policies, teams can prioritize urgent updates, schedule deployments, and reduce the manual effort required to keep systems current.
Better Visibility Across Distributed Endpoints
Patching is harder when IT teams cannot easily see which devices are missing updates or which vulnerabilities affect their environment. Splashtop AEM provides centralized visibility into endpoint health, patch status, software inventory, and CVE exposure, helping teams find gaps before they become larger security risks.
Dashboards and reporting give teams a clearer view of which endpoints need attention, which patches succeeded, and where follow-up remediation may be required.
Less Manual Work, More Consistent Patching
For teams still patching manually, Splashtop AEM reduces repetitive work by automating update deployment and helping standardize patch policies across devices. For teams using Microsoft Intune, it adds real-time patching, broader visibility, and more direct control when fast remediation is needed. For teams using an RMM, it provides a lighter, modern way to manage patching, endpoint insights, scripting, and remediation from a streamlined console.
Splashtop AEM also supports ring-based deployments, allowing teams to roll out critical updates in phases while reducing disruption. Combined with scripting and remediation tools, IT can respond faster when updates fail, endpoints fall behind, or specific systems require additional action.
Try Splashtop AEM Free
June’s Patch Tuesday release is too large to manage with slow, manual patching. With more than 200 Microsoft vulnerabilities, three publicly disclosed zero-days, 15 vulnerabilities rated “Exploitation More Likely,” and hundreds of republished non-Microsoft CVEs, IT teams need a faster way to identify exposure and deploy critical updates.
Splashtop AEM helps you automate patch deployment, improve CVE visibility, monitor endpoint health, and respond faster when urgent vulnerabilities affect your environment.
Start a free trial of Splashtop AEM and see how easier patch management can be.
