Microsoft has released its June 2026 Patch Tuesday updates, addressing 200 security vulnerabilities, including three publicly disclosed zero-day flaws and 33 critical vulnerabilities.
Although none of the zero-days are currently known to have been exploited in active attacks, organisations are strongly encouraged to apply the latest updates as soon as possible to reduce their exposure.
This month's security updates include:
Remote code execution and privilege escalation vulnerabilities continue to represent some of the highest risks, potentially allowing attackers to execute malicious code or gain elevated permissions on affected systems.
Microsoft has patched a vulnerability within the Windows Collaborative Translation Framework that could allow an attacker with local access to escalate privileges to SYSTEM level, providing complete control over the affected machine.
A newly disclosed HTTP/2 denial-of-service vulnerability could enable attackers to consume excessive server memory using specially crafted requests, potentially leading to service disruption or outages.
To help mitigate this risk, Microsoft has introduced a new configuration option allowing administrators to limit the number of accepted HTTP headers.
Microsoft has also resolved a BitLocker bypass vulnerability affecting systems configured with TPM-only protection. An attacker with physical access could potentially access encrypted drives through the Windows Recovery Environment.
Organisations relying solely on TPM protection should review their BitLocker configuration and consider enabling TPM + PIN authentication for additional protection.
While no active exploitation has been reported for these zero-day vulnerabilities, publicly disclosed flaws often become attractive targets once technical details are available.
Security teams should prioritise:
Alongside Microsoft's releases, several major technology vendors also published important security updates this month, including Adobe, Cisco, Fortinet, Google, SAP, Veeam, Ivanti, Check Point and Ubiquiti.
The volume of patches released across the industry highlights the importance of maintaining an effective vulnerability management programme and ensuring critical systems are updated without delay.
Patch management remains one of the most effective ways to reduce cyber risk, yet many organisations struggle with visibility across their estate and understanding which vulnerabilities require immediate attention.
Platforms like CybaOps help security teams cut through the noise by providing centralised asset visibility, vulnerability prioritisation and actionable remediation guidance, enabling organisations to move from reactive patching to proactive risk management.
With attackers continuing to exploit newly disclosed vulnerabilities at speed, maintaining a disciplined patching process is essential for reducing the likelihood of compromise.
If you would like to view the full report for June 2026, click here.