June 2026 Patch Tuesday: 6 Zero-Days and the Worst Patch Week of the Year

June 2026 Patch Tuesday brought 200+ fixes and 6 zero-days — but the worst bugs were elsewhere. The week's actively exploited zero-days across Microsoft, Check Point VPN, Oracle PeopleSoft, Cisco, and Chrome, ranked by what to patch first.

Waqas Ahmed Waseer, Jun 13, 2026

Microsoft's June 2026 Patch Tuesday landed on June 9 with more than 200 fixes and six zero-days, one already being used in attacks. But the bigger story is the company it kept: the same week brought actively exploited zero-days in Check Point VPN, Oracle PeopleSoft, Cisco SD-WAN, and Chrome — several with no patch at disclosure. If you only read the Microsoft headline, you patched the wrong thing first. Here is the whole week, ranked by what is actually being exploited.

Inside the June 2026 Patch Tuesday drop: big number, one urgent bug

Microsoft shipped fixes for roughly 200 to 206 vulnerabilities depending on which tracker you count, making this one of the largest single Patch Tuesdays on record. Of those, BleepingComputer reports 33 are rated Critical, 28 of them remote code execution.

Six zero-days were disclosed. Five were public before the patch but not yet exploited:

| CVE | Component | Type | Status |
|---|---|---|---|
| CVE-2026-42897 | Exchange Server | Spoofing | Actively exploited |
| CVE-2026-45586 | CTFMON (translation framework) | Elevation of privilege | Publicly disclosed |
| CVE-2026-49160 | HTTP.sys ("HTTP/2 Bomb") | Denial of service | Publicly disclosed |
| CVE-2026-45585 / CVE-2026-50507 | BitLocker | Security feature bypass | Publicly disclosed (PoC, physical access) |
| CVE-2020-17103 | Cloud Files mini-filter driver | Elevation of privilege | Publicly disclosed |

The one that matters for triage is CVE-2026-42897, the Exchange Server spoofing flaw, because it is the only Microsoft bug this month confirmed in active use. CISA had already flagged the underlying Exchange issue in its Known Exploited Vulnerabilities catalog ahead of the patch. If you still run on-prem Exchange, this is your first move.

The scariest unexploited entry is CVE-2026-45657, a Windows Kernel RCE rated CVSS 9.8 that, per SOCRadar, allows a remote, unauthenticated attacker to run code at SYSTEM level with no user interaction. No exploitation seen yet, but a 9.8 unauth kernel RCE does not stay theoretical for long. The HTTP.sys "HTTP/2 Bomb" (CVE-2026-49160) is also worth attention if you host public web services: a small crafted HTTP/2 request forces the server to process a disproportionate amount of data, and on shared hosts it can take down multiple services at once.

The part the recaps miss: it wasn't just Microsoft

Patch Tuesday does not happen in a vacuum, and this month it collided with a brutal run of cross-vendor zero-days that were already being exploited. eSecurity Planet's weekly roundup framed the week around zero-days, AI exploits, and supply-chain risk for good reason.

Check Point VPN — CVE-2026-50751 (CVSS 9.3, exploited)

A logic flaw in certificate validation lets an unauthenticated remote attacker establish a VPN session without a valid password. It affects gateways using the deprecated IKEv1 protocol that accept legacy Remote Access clients without requiring a machine certificate. Forensics show exploitation since May 7, 2026, and Check Point has linked at least one incident to the Qilin ransomware operation. CISA added it to its Known Exploited Vulnerabilities catalog and, per BleepingComputer, gave federal agencies just three days — a June 11 deadline — to patch or isolate affected systems. Can't patch immediately? Switch to IKEv2, drop legacy client support, or make machine-certificate authentication mandatory. A perimeter VPN bug being used by a ransomware affiliate is exactly the scenario that keeps pushing teams toward zero-trust access over flat VPN tunnels.

Oracle PeopleSoft — CVE-2026-35273 (CVSS 9.8, exploited)

An unauthenticated RCE in PeopleSoft Enterprise PeopleTools — network access over HTTP is enough to take over the server. Mandiant and The Hacker News report the ShinyHunters crew (UNC6240) exploited it as a true zero-day between May 27 and June 9, compromising roughly 300 instances and stealing data from 100-plus organizations — 68% of them in higher education. The University of Nottingham confirmed a breach, with 454,600 student records posted to the group's leak site. Oracle did not publish its out-of-band advisory until June 10, so this was unpatched the entire time it was being looted. Patch immediately and assume compromise if you run an internet-facing PeopleSoft instance.

Cisco SD-WAN Manager — CVE-2026-20245 (exploited, no patch at disclosure)

A command-injection flaw in Catalyst SD-WAN Manager's CLI runs arbitrary commands as root via crafted file uploads. SOC Prime notes it requires netadmin privileges (via stolen creds or by chaining earlier SD-WAN bugs), and observed attacks pushed config changes down to edge devices. Cisco PSIRT learned of exploitation in June and disclosed early on June 5 — with no patch and no workaround available at the time. Remediation is evidence collection and hardening until a fix ships.

Chrome V8 — CVE-2026-11645 (exploited)

Google patched a V8 JavaScript-engine zero-day under active exploitation. Browser zero-days are drive-by territory; let Chrome auto-update and confirm your fleet is on the fixed build.

What to patch first

Strip away the vendor logos and rank by one question: is it being exploited right now?

  1. Oracle PeopleSoft (CVE-2026-35273) — unauth RCE, mass data theft in progress. Patch and hunt for compromise today.
  2. Check Point VPN (CVE-2026-50751) — ransomware-linked, federal deadline already passed. Patch or apply the IKEv2/cert mitigations now.
  3. Microsoft Exchange (CVE-2026-42897) — the only actively exploited bug in the Patch Tuesday set.
  4. Cisco SD-WAN (CVE-2026-20245) — exploited with no patch; harden and monitor.
  5. Chrome V8 (CVE-2026-11645) — push the browser update.
  6. Windows Kernel RCE (CVE-2026-45657) — not yet exploited, but a 9.8 unauth RCE; schedule it before it becomes #1.

Notice the pattern: the most damaging bugs this week were not in the giant Microsoft bundle — they were edge devices and enterprise apps exposed to the internet (VPN gateways, HR systems, SD-WAN managers). That is where attackers are spending their zero-day budget, because one unauthenticated bug on a public box is worth more than a pile of local privilege escalations.

This is also the recurring lesson of 2026's worst incidents: the breach usually starts at something you forgot was internet-facing. It is the same root cause behind the year's npm supply-chain crisis and the new wave of AI-agent attacks — the attack surface grew faster than anyone's patch cadence.

We run our own infrastructure, so weeks like this are not abstract: a record Patch Tuesday plus four exploited zero-days is a real Tuesday. The teams that came through it cleanly were not the ones who patched fastest across the board; they were the ones who knew which of their boxes face the internet and patched those first. Build that inventory before the next bad week, because there will be one.
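The ranking rule above (exploited first, internet-facing boxes first) as an added example, not code from the original article. The CVE facts come from the text; the inventory, hostnames and tier numbering are constructed assumptions.

```python
# Added example: tiered patch queue. Vulnerability facts are from the article;
# the asset inventory and hostnames are constructed for illustration.

# product -> (cve, exploited, cvss or None where the article gives no score, patch_available)
VULNS = {
    "Oracle PeopleSoft":    ("CVE-2026-35273", True,  9.8,  True),
    "Check Point VPN":      ("CVE-2026-50751", True,  9.3,  True),
    "Microsoft Exchange":   ("CVE-2026-42897", True,  None, True),
    "Cisco SD-WAN Manager": ("CVE-2026-20245", True,  None, False),  # no patch at disclosure
    "Chrome V8":            ("CVE-2026-11645", True,  None, True),
    "Windows Kernel":       ("CVE-2026-45657", False, 9.8,  True),
}

# Constructed inventory: (host, product, internet_facing)
INVENTORY = [
    ("build-agent-07", "Windows Kernel",       False),
    ("web-edge-03",    "Windows Kernel",       True),
    ("workstations",   "Chrome V8",            False),
    ("sdwan-mgr-01",   "Cisco SD-WAN Manager", False),
    ("mail-01",        "Microsoft Exchange",   True),
    ("hr-test-02",     "Oracle PeopleSoft",    False),
    ("vpn-gw-01",      "Check Point VPN",      True),
    ("hr-portal-01",   "Oracle PeopleSoft",    True),
]

def tier(exploited, internet_facing):
    """0 = exploited and exposed, 1 = exploited internal, 2 = exposed only, 3 = neither."""
    return (0 if exploited else 2) + (0 if internet_facing else 1)

def patch_queue(inventory=INVENTORY, vulns=VULNS):
    """Return (tier, host, cve, action) rows in the order they should be worked."""
    rows = []
    for host, product, exposed in inventory:
        if product not in vulns:
            continue  # nothing from this week's list applies to the host
        cve, exploited, cvss, patched = vulns[product]
        action = "patch" if patched else "harden and monitor"
        # Within a tier: highest CVSS first; a missing score sorts last, then by host.
        rows.append((tier(exploited, exposed), -(cvss or 0.0), host, cve, action))
    rows.sort()
    return [(t, host, cve, action) for t, _, host, cve, action in rows]

if __name__ == "__main__":
    for t, host, cve, action in patch_queue():
        print(f"tier {t}  {host:<15} {cve:<15} {action}")
```

The value of the exercise is in the `internet_facing` column: without a maintained inventory, every exploited CVE looks equally urgent and the queue collapses back to CVSS order.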
