Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

200 fixes, six zero-days, late Exchange

3 min read
11:00UTC

Microsoft's June Patch Tuesday fixed roughly 200 vulnerabilities including six zero-days, and finally shipped the overdue Exchange patch 16 days after its federal deadline.

TechnologyDeveloping
Key takeaway

June's 200-fix cycle finally closed the exploited Exchange flaw, 16 days past its federal deadline.

Microsoft patched roughly 200 vulnerabilities on Tuesday 9 June, including six zero-days, and finally shipped the overdue Exchange fix 16 days after its federal deadline 1. Those six zero-days were each under active attack before the patch landed. The month reverses May's quieter 120-CVE run, which carried no exploited zero-days at all and broke a 22-month streak .

Two fixes stand out for the Windows estate. A Kerberos KDC (Key Distribution Centre, the service that issues domain logon tickets) RCE reaches domain authentication, the layer that, once broken, hands an attacker the whole network. And two separate BitLocker disk-encryption bypasses shipped in a single cycle, a pairing that gives an attacker both access to the data and a route to escalate. An actively-exploited Defender privilege flaw, tracked as RoguePlanet at CVSS 9.6, grants SYSTEM-level control 2.

The Exchange resolution closes the cleanest worked example of the patch-gap problem: CVE-2026-42897 sat on the KEV catalogue from 15 May, exploited, with only a stop-gap mitigation and no full fix until now . For administrators who ran the Emergency Mitigation Service workaround in the interim, the calendar mattered, because that mitigation broke OWA print and inline images while it held the line. The fix arrives, but the 16-day overrun is the data point a buyer should keep: even Microsoft, with the largest patch engineering operation in the industry, missed a federal deadline on an exploited flaw by more than two weeks.

Deep Analysis

In plain English

Once a month, Microsoft releases security fixes for Windows, Office, and its server products in what it calls Patch Tuesday. June 2026's release fixed approximately 200 separate security problems, including six that attackers were already using before the fix existed, known as zero-days. Two of the most notable fixes involve BitLocker, the built-in Windows feature that encrypts the data on a laptop or desktop hard drive to protect it if the machine is stolen. Researchers found two separate ways to bypass BitLocker in the same month. Another actively exploited flaw, called RoguePlanet, let an attacker who already had basic access to a Windows machine take full administrative control of it, the kind of access needed to install malware, extract passwords, or spread through a network. Microsoft also finally shipped a fix for an email server flaw that the US government had required agencies to patch by 29 May, arriving 16 days late.

Deep Analysis
Root Causes

The Exchange CVE-2026-42897 patch delay reflects a known constraint in Microsoft's OWA code base: the Exchange on-premises codebase shares components with Exchange Online but runs on customer-managed infrastructure with a heterogeneous version matrix (2016, 2019, Subscription Edition).

Microsoft's patching velocity for on-premises Exchange consistently lags behind Exchange Online remediations because the on-premises fix must be validated across the full version matrix before release. The Exchange Emergency Mitigation Service (EEMS) workaround was deployed as a compensating control, but its URL-rewrite approach broke OWA features (print, inline images, Light mode), reducing operator willingness to apply it.

The two BitLocker bypasses in a single cycle reflect a known weakness in the Secure Boot chain of trust: BitLocker's pre-boot protection depends on the integrity of the boot loader and the Trusted Platform Module sealing. Research into UEFI and bootloader shim bypass techniques has intensified since 2022, and two independent researchers reaching the same BitLocker bypass surface in a single month indicates the attack surface is now well-understood in offensive security research communities.

What could happen next?
  • Risk

    Two independent BitLocker bypasses confirmed in a single Patch Tuesday suggests concentrated offensive research on Windows disk-encryption trust chains; a third bypass in July or August 2026 would confirm a sustained campaign.

    Short term · Reported
  • Consequence

    Exchange CVE-2026-42897 arriving 16 days past its federal deadline documents a vendor compliance gap that CISA may cite when revising BOD 22-01 timelines for on-premises server products.

    Medium term · Reported
  • Risk

    CVE-2026-47288 Kerberos KDC RCE reaching domain authentication enables Active Directory forest-wide lateral movement from a single compromised endpoint; unpatched domain controllers remain at elevated risk until the June 2026 updates are applied.

    Immediate · Assessed
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

BleepingComputer· 14 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.