Microsoft's Record June 2026 Patch Tuesday: A Wormable Kernel Flaw, an Active Exchange Zero-Day, and 200+ Fixes You Cannot Skip

Microsoft's June 9, 2026 Patch Tuesday rewrote the record books. The release demands attention from every IT team running Windows, but two vulnerabilities stand out as genuinely urgent: a wormable, unauthenticated Windows Kernel flaw with a CVSS score of 9.8, and a zero-day in on-premises Exchange Server already being exploited in the wild. Here is what happened, what is at risk, and exactly what your team needs to do.

The Biggest Patch Tuesday in History

Microsoft released fixes for more than 200 vulnerabilities on June 9, 2026, making it the largest single Patch Tuesday since the program launched in 2003. Trend Micro Zero Day Initiative researcher Dustin Childs counted 208 CVEs; Tenable's analysis logged 198. Either way, the release smashes the previous record of 167 CVEs set in October 2025.

The batch includes fixes for three publicly disclosed zero-days, 32 Critical-severity flaws, and 166 Important-severity issues. Why are counts climbing so fast? Microsoft has publicly stated that AI-assisted vulnerability discovery tools are finding flaws at unprecedented rates, and that trend is expected to accelerate. Bigger patch batches are the new normal.

The Headline Threat: CVE-2026-45657, a Wormable Windows Kernel Flaw (CVSS 9.8)

CVE-2026-45657 is a use-after-free flaw in the Windows Kernel rooted in how the operating system processes TCP/IP traffic. This CVSS 9.8 bug lets remote, unauthenticated attackers execute code at SYSTEM level with no user interaction required.

The word "wormable" is not used lightly. Security researchers at the Zero Day Initiative have confirmed the flaw can self-propagate across networks, with a profile similar to EternalBlue, the vulnerability behind WannaCry. That comparison is sobering: in May 2017, WannaCry spread to more than 200,000 systems across 150 countries even though Microsoft had issued a patch two months earlier. Organizations that delayed deploying that patch paid the price.

CVE-2026-45657 affects Windows 11 versions 23H2 through 26H1 on x64 and ARM64, plus Windows Server 2022 and Server 2025 including Server Core. Multiple security researchers warn that a reliable public exploit could arrive within days of the patch release.

One more complication landed on the same day: a researcher known as "Nightmare Eclipse" published proof-of-concept code for "RoguePlanet," a new Windows Defender zero-day that abuses a race condition to spawn a command shell with SYSTEM-level privileges. No out-of-band patch has been released yet.

The Actively Exploited Threat: CVE-2026-42897, Exchange Server OWA Zero-Day

While the kernel flaw grabs headlines, the Exchange vulnerability deserves equal urgency because attackers are already using it in real attacks.

Microsoft has confirmed active exploitation of CVE-2026-42897, a spoofing flaw in on-premises Exchange Server. It allows attackers to execute arbitrary JavaScript in Outlook Web Access simply by sending a weaponized email that a victim opens or previews in a browser. The attack requires no server-side access before delivery. The payload travels through the standard email pipeline and OWA's rendering engine triggers execution automatically.

Once that JavaScript runs, an attacker can steal session tokens and impersonate the mailbox owner without ever touching the server itself. CVE-2026-42897 carries a CVSS score of 8.1 and affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Exchange Online is not impacted.

CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, requiring Federal Civilian Executive Branch agencies to mitigate by May 29, 2026. Microsoft released patches on June 9, 2026. Active exploitation is confirmed and primarily targets organizations with externally accessible OWA portals. Detection is difficult because XSS attacks leave minimal forensic artifacts.

Other Critical Fixes You Should Not Miss

The rest of June's patch batch is not filler. Several CVEs carry CVSS 9.8 scores and deserve fast treatment:

• CVE-2026-47291 is an HTTP.sys RCE flaw (CVSS 9.8) affecting any Windows server fronting HTTP traffic.
• CVE-2026-44815 is a DHCP Client RCE (CVSS 9.8) that effectively affects every Windows endpoint.
• CVE-2026-4245 is a wormable bug in the Windows Remote Desktop Licensing Service, allowing unauthenticated code execution over TCP port 135 and propagation across entire domains without user interaction.
• CVE-2026-50507 is a publicly disclosed BitLocker bypass that lets an attacker circumvent drive encryption, a serious concern for any organization relying on BitLocker for data-at-rest protection.
• A cluster of seven Remote Desktop Client CVEs, several rated CVSS 8.8 with "Exploitation More Likely" designations, affects users who RDP to systems they do not control.

What Your Team Must Do Now

This is not a patch cycle you can defer. Here are the steps, in priority order:

1. Patch the Windows Kernel TCP/IP flaw immediately. Target internet-facing Windows servers within 24 to 48 hours. The wormable nature and low attack complexity create conditions for network-wide compromise in minutes.
2. Patch on-premises Exchange Server today. Organizations running Exchange Server 2016 and 2019 must be enrolled in the Extended Security Update program to receive fixes automatically. Exchange Server Subscription Edition customers get them automatically. If you have not applied the patch, do it now.
3. Verify the Exchange Emergency Mitigation Service is running. Microsoft's immediate guidance points to EEMS, which applies protection via a URL Rewrite rule and is on by default for supported on-premises deployments. Confirm the Windows service has not been disabled. You can manually trigger a mitigation download by running Invoke-Command -ScriptBlock { Start-MitigationsDownload.ps1 } in PowerShell.
4. Audit OWA exposure. If your OWA portal is publicly accessible, place it behind a VPN or enforce multi-factor authentication at the perimeter while you confirm patching is complete.
5. Do not skip BitLocker and DHCP patches. CVE-2026-50507 and CVE-2026-44815 affect virtually every Windows machine. Roll them out in the same deployment window.
6. Consider moving to Exchange Online. Every supported on-premises Exchange version is affected by CVE-2026-42897. Exchange Online customers are not exposed. If this month's zero-day is not a compelling argument for migration, it is hard to know what is.
7. Monitor for RoguePlanet exploitation. The Windows Defender zero-day published on June 9, 2026 gives attackers a path to SYSTEM privileges. Until Microsoft issues an out-of-band fix, watch for unusual privilege escalation events in your EDR logs.

The core lesson from June 2026 Patch Tuesday is straightforward: record-breaking patch volumes are now a structural reality, not an anomaly. Businesses that treat patching as a monthly checkbox rather than a continuous, risk-prioritized process will keep falling further behind the threat actors who exploit that gap.

How 247techify can help

At 247techify, we help businesses manage exactly this kind of pressure: identifying which patches matter most for your specific environment, deploying updates without disrupting operations, and hardening the systems attackers target first. If your team is stretched thin or you are unsure whether your Exchange or Windows infrastructure is fully protected after this month's record release, get in touch at https://www.247techify.com/ and we will help you cut through the noise and act fast.