14JUN

200 fixes, six zero-days, late Exchange

3 min read

11:51UTC

Microsoft's June Patch Tuesday fixed roughly 200 vulnerabilities including six zero-days, and finally shipped the overdue Exchange patch 16 days after its federal deadline.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

June's 200-fix cycle finally closed the exploited Exchange flaw, 16 days past its federal deadline.

Microsoft patched roughly 200 vulnerabilities on Tuesday 9 June, including six zero-days, and finally shipped the overdue Exchange fix 16 days after its federal deadline ¹. Those six zero-days were each under active attack before the patch landed. The month reverses May's quieter 120-CVE run, which carried no exploited zero-days at all and broke a 22-month streak .

Two fixes stand out for the Windows estate. A Kerberos KDC (Key Distribution Centre, the service that issues domain logon tickets) RCE reaches domain authentication, the layer that, once broken, hands an attacker the whole network. And two separate BitLocker disk-encryption bypasses shipped in a single cycle, a pairing that gives an attacker both access to the data and a route to escalate. An actively-exploited Defender privilege flaw, tracked as RoguePlanet at CVSS 9.6, grants SYSTEM-level control ².

The Exchange resolution closes the cleanest worked example of the patch-gap problem: CVE-2026-42897 sat on the KEV catalogue from 15 May, exploited, with only a stop-gap mitigation and no full fix until now . For administrators who ran the Emergency Mitigation Service workaround in the interim, the calendar mattered, because that mitigation broke OWA print and inline images while it held the line. The fix arrives, but the 16-day overrun is the data point a buyer should keep: even Microsoft, with the largest patch engineering operation in the industry, missed a federal deadline on an exploited flaw by more than two weeks.

Deep Analysis

In plain English

Once a month, Microsoft releases security fixes for Windows, Office, and its server products in what it calls Patch Tuesday. June 2026's release fixed approximately 200 separate security problems, including six that attackers were already using before the fix existed, known as zero-days. Two of the most notable fixes involve BitLocker, the built-in Windows feature that encrypts the data on a laptop or desktop hard drive to protect it if the machine is stolen. Researchers found two separate ways to bypass BitLocker in the same month. Another actively exploited flaw, called RoguePlanet, let an attacker who already had basic access to a Windows machine take full administrative control of it, the kind of access needed to install malware, extract passwords, or spread through a network. Microsoft also finally shipped a fix for an email server flaw that the US government had required agencies to patch by 29 May, arriving 16 days late.

Deep Analysis

Root Causes

The Exchange CVE-2026-42897 patch delay reflects a known constraint in Microsoft's OWA code base: the Exchange on-premises codebase shares components with Exchange Online but runs on customer-managed infrastructure with a heterogeneous version matrix (2016, 2019, Subscription Edition).

Microsoft's patching velocity for on-premises Exchange consistently lags behind Exchange Online remediations because the on-premises fix must be validated across the full version matrix before release. The Exchange Emergency Mitigation Service (EEMS) workaround was deployed as a compensating control, but its URL-rewrite approach broke OWA features (print, inline images, Light mode), reducing operator willingness to apply it.

The two BitLocker bypasses in a single cycle reflect a known weakness in the Secure Boot chain of trust: BitLocker's pre-boot protection depends on the integrity of the boot loader and the Trusted Platform Module sealing. Research into UEFI and bootloader shim bypass techniques has intensified since 2022, and two independent researchers reaching the same BitLocker bypass surface in a single month indicates the attack surface is now well-understood in offensive security research communities.

What could happen next?

Risk
Two independent BitLocker bypasses confirmed in a single Patch Tuesday suggests concentrated offensive research on Windows disk-encryption trust chains; a third bypass in July or August 2026 would confirm a sustained campaign.
Short term · Reported
Consequence
Exchange CVE-2026-42897 arriving 16 days past its federal deadline documents a vendor compliance gap that CISA may cite when revising BOD 22-01 timelines for on-premises server products.
Medium term · Reported
Risk
CVE-2026-47288 Kerberos KDC RCE reaching domain authentication enables Active Directory forest-wide lateral movement from a single compromised endpoint; unpatched domain controllers remain at elevated risk until the June 2026 updates are applied.
Immediate · Assessed

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The April 2023 Patch Tuesday, which shipped CVE-2023-28252 (Windows CLFS zero-day, later linked to the Nokoyawa ransomware campaign) alongside CVE-2023-21554 (MSMQ RCE, a 9.8 reaching queue managers on Windows Server), set the template for ransomware-linked privilege escalation appearing in the same cycle as a critical server-side RCE.

June 2026's RoguePlanet plus Kerberos KDC pair follows the same structural pattern: an actively exploited escalation landing in the same release as a critical authentication-layer RCE.

Counter-parallel: The March 2021 Exchange emergency patch (ProxyLogon, four CVEs, 250,000+ servers compromised before the patch) shows a different pattern: in that case Microsoft shipped an out-of-cycle patch within four days of a confirmed nation-state exploitation cluster.

June 2026's Exchange patch arrived 16 days after the federal deadline, suggesting the organisational response model has not converged on the ProxyLogon emergency-release speed for a lower-severity (CVSS 8.1) exploited flaw.

Consensus view: Mandiant's Threat Intelligence team and the Zero Day Initiative (ZDI) at Trend Micro both note that June 2026 represents a structural inflection: two BitLocker bypasses in a single cycle (YellowKey CVE-2026-45585 and bitskrieg CVE-2026-50507) are operationally significant because disk encryption is typically the last layer of defence at rest.

When two independent researchers, including Nightmare Eclipse, reach the same protected subsystem in the same month, it indicates a concentration of offensive research resources on that attack surface. The RoguePlanet privilege escalation (CVE-2026-47281, CVSS 9.6) in Windows Defender reaching SYSTEM level compounds this because endpoint defence and disk encryption are both compromised in the same patch cycle.

Counter-view: GTIG's analysis of the Exchange CVE-2026-42897 patch , which finally arrived 16 days after its 29 May federal deadline, cautions against reading the 200-CVE volume as a sign of accelerating patch cadence. Microsoft's May Patch Tuesday had 120 CVEs and no zero-days; June's reversal was partly driven by a backlog deferred from May, not an increase in underlying vulnerability discovery rate.

The Israel-based research team at CyberArk Labs argues that the Kerberos KDC RCE (CVE-2026-47288) reaching domain authentication is the highest-severity individual finding, as it can produce lateral movement across an entire Active Directory forest from a single compromised host.

Key tension: Whether Microsoft's pattern of 30 or more days of exposure on the Exchange flaw before patching, alongside the concurrent KEV deadline miss, signals a structural inability to ship patches within regulatory timelines, or whether the Exchange case is an outlier driven by the complexity of on-premises OWA-specific code paths.

Sources:BleepingComputer

Mentions:Microsoft →CVE-2026-42897 →Exchange Emergency Mitigation Service →CISA →Windows Server →Mandiant →May Patch Tuesday →Israel →Known Exploited Vulnerabilities →Remote Code Execution →Microsoft Exchange Server →Kerberos →BitLocker →Windows Defender →

First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

BleepingComputer· 14 Jun 2026

Read original →

Causes and effects

Caused by

Exchange repeats the CISA deadline-before-patch trap

CVE-2026-42897 Exchange was listed on KEV on 15 May with a 29 May deadline and no patch; the June Patch Tuesday on 9 June finally resolved it, sixteen days after the federal deadline.

Occurred 15 May 2026

Read story →

Patch Tuesday clean streak hides out-of-band KEVs

May Patch Tuesday's 120-CVE zero-zero-day release broke a 22-month streak; June's 200-CVE six-zero-day reversal is a direct contrast used to frame the magnitude of the month's patch burden.

Occurred 13 May 2026

Read story →

This Event

200 fixes, six zero-days, late Exchange

The month reverses May's quiet run and closes the cleanest example of a flaw exploited with a deadline but no fix.

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.