June 2026 Patch Tuesday: 208 CVEs and a Wormable Flaw
Microsoft just released its largest security update ever with 208 fixes, including a wormable Windows flaw. Here's what SMB leaders need to know.

Microsoft released fixes for 208 CVEs on June 10, 2026, making this the largest Patch Tuesday in the company’s history. The previous record was 177. Among those 208 fixes are several that affect systems your business almost certainly runs: Windows desktops and servers, on-premises Exchange email servers, and the Microsoft Defender antivirus built into Windows. At least two of these vulnerabilities are already being exploited by attackers right now.
If your IT provider hasn’t already contacted you about this update, that’s a problem. Here’s what happened, what it means for your business, and what you should be asking your IT team today.
The Wormable Windows Kernel Flaw: CVE-2026-45657
The most serious fix in this batch is CVE-2026-45657, a vulnerability in how Windows handles network traffic at the kernel level. It received a CVSS score of 9.8 out of 10, which is about as high as it gets.
What makes this one different from a typical security patch is the word “wormable.” It means the flaw sits in a component that is reachable over the network by default, requires no authentication, and needs no user interaction: an attacker doesn’t need to trick anyone into clicking a link or opening an attachment, and malware that exploits it could spread automatically from one computer to another across a network. No employee mistake required.
If that sounds familiar, it’s because the same class of flaw (a remotely reachable, kernel-mode network service, in that case SMBv1) powered WannaCry in 2017. That ransomware attack spread to over 200,000 computers in 150 countries within days, shutting down hospitals, manufacturers, and logistics companies. The UK’s National Health Service was hit hard enough that it had to divert ambulances.
Microsoft currently rates CVE-2026-45657 as “exploitation less likely.” That label comes from Microsoft’s Exploitability Index and is a forecast that a reliable exploit is less likely to appear within 30 days of the update; it is separate from whether exploitation has actually been observed, and for this flaw Microsoft has not seen it used in attacks yet. Security researchers are already diffing the patched binaries against the unpatched ones to locate the underlying bug, and once that analysis is published, working exploit code typically follows within days or weeks. The window between patch release and active exploitation is shrinking fast.
For a business owner, the takeaway is simple: every Windows computer in your company needs this patch installed before that window closes. This is not a “we’ll get to it next maintenance cycle” situation.
Two Vulnerabilities Attackers Are Already Using
While the wormable kernel flaw gets the headlines, two other vulnerabilities in this batch are already being used in active attacks.
CVE-2026-42897: Exchange Server remote code execution. If your company still runs an on-premises Exchange server for email, this one applies directly to you. Attackers are actively exploiting this flaw to execute code on Exchange servers, which gives them access to your company’s email, contacts, calendars, and potentially the entire network. Microsoft has confirmed active exploitation.
On-premises Exchange has been a persistent target for years. If your IT provider hasn’t migrated your email to Microsoft 365 or at least has a plan to do so, ask them why. Every month that goes by with an on-prem Exchange server is another month of elevated risk.
CVE-2026-41091: Microsoft Defender privilege escalation. This vulnerability lets an attacker who already has basic access to a system escalate their privileges to full administrator control. It’s already in CISA’s Known Exploited Vulnerabilities catalog, which means CISA has confirmed exploitation in the wild and, under Binding Operational Directive 22-01, federal civilian agencies are required to patch it by a set deadline. CISA doesn’t add vulnerabilities to that list casually.
The concerning detail here is that it affects Microsoft Defender, the antivirus software built into every copy of Windows. Privilege escalation on its own does not get an attacker onto a machine, but once they have any foothold it hands them administrator-level control, and at that level an attacker can typically tamper with or disable Defender itself and then operate freely on the system. Tamper protection raises the bar for that, but it is not a substitute for the patch.
This is one of the reasons we deploy dedicated endpoint detection and response (EDR) alongside built-in protections. Relying on a single layer of defense means a single vulnerability can take down your entire security posture.
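One concrete form of the second layer described above is watching for Defender going quiet. The following PowerShell script is an added example, not code from the original post or from the MSP; it pulls the Defender Antivirus operational events that indicate protection was disabled or its configuration changed, so a SOC can alert on them during the patching window. The event IDs are the documented Defender Antivirus operational IDs; the 24-hour lookback and the computer list are assumptions the caller supplies.

```powershell
# Added example, not from the original post. Reports recent Microsoft Defender
# Antivirus operational events that mean protection was turned off or changed,
# the thing an attacker with elevated privileges would do before operating freely.
# Event IDs are from Microsoft's Defender Antivirus event reference; the lookback
# window and computer list are caller-supplied assumptions.
param(
    [string[]] $ComputerName = $env:COMPUTERNAME,
    [int]      $Hours = 24
)

# 5001: real-time protection disabled      5004: real-time protection config changed
# 5007: configuration changed              5010 / 5012: malware / virus scanning disabled
# 5013: tamper protection blocked a change (a blocked attempt is still a signal)
$watchIds = 5001, 5004, 5007, 5010, 5012, 5013
$since    = (Get-Date).AddHours(-$Hours)

$events = foreach ($c in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $c -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = $watchIds
            StartTime = $since
        } | ForEach-Object {
            [pscustomobject]@{
                Computer = $c
                Time     = $_.TimeCreated
                Id       = $_.Id
                Message  = ($_.Message -split "`r?`n")[0]   # first line is the summary
            }
        }
    } catch {
        # "No events were found" is the normal, quiet outcome; anything else
        # (host unreachable, access denied, log missing) is worth a warning.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$c`: $($_.Exception.Message)"
        }
    }
}

# Protection actually disabled (5001/5010/5012) sorts above configuration changes.
$events |
    Sort-Object @{ Expression = { $_.Id -in @(5001, 5010, 5012) }; Descending = $true }, Time -Descending |
    Format-Table Computer, Time, Id, Message -AutoSize
```

Run it as `.\Find-DefenderTamperEvents.ps1 -ComputerName srv01, ws-042 -Hours 48` from an account that can read remote event logs (the Remote Event Log Management firewall rule must be open on the targets). A 5001 or 5010 event outside a change window is the alert; a burst of 5007 events on a host that is not being reconfigured deserves the same attention, and a 5013 event means tamper protection did its job but someone or something tried.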
One More Patch That Matters for SMBs, and the Trend Behind the Numbers
CVE-2026-44815: DHCP Client remote code execution. This vulnerability is present on every supported version of Windows. DHCP is the protocol by which a device requests a network address when it connects, and the Windows DHCP client service runs automatically on every Windows computer, listening on UDP port 68 for replies. Those replies arrive from the network with no authentication, so an attacker on the same broadcast domain, or anyone positioned as the DHCP server or relay on the path, can reach the client without needing credentials or any interaction from a user.
For businesses with guest Wi-Fi networks connected to the same infrastructure as corporate systems, or offices with flat network architectures where everything shares one subnet, this is a real concern. Proper network segmentation reduces the risk, but the patch eliminates it.
AI-driven vulnerability discovery is accelerating. This record-breaking patch count isn’t random. Microsoft’s VP of Engineering publicly acknowledged that AI tools are driving the surge. Microsoft’s internal AI system, MDASH, independently identified 16 vulnerabilities in May alone before human researchers found them. External researchers are using large language models to analyze code and reverse-engineer patches faster than ever.
What this means in practice: vendors are finding more vulnerabilities faster, which means more patches more often. But attackers have access to the same AI tools, and they’re using them to develop exploits faster too. The safe window between a patch being released and an exploit being available in the wild is compressing from weeks to days.
What This Means for Your Business
A few years ago, a monthly patching cycle with a 30-day window was considered acceptable for most businesses. That model is breaking down. When AI tools can analyze a patch and produce working exploit code in days, a 30-day patching window means weeks of unnecessary exposure.
For a 50 to 500 person company running Windows endpoints, Microsoft 365, and possibly an on-premises server or two, this update touches your entire environment. Every laptop, every desktop, every server needs attention.
Manual patching can’t keep up with this volume. The 208 CVEs land in a handful of cumulative update packages rather than 208 separate installers, but an IT administrator still has to stage each package on dozens or hundreds of machines, test for conflicts, reboot, and confirm installation; done by hand, that is a multi-day project. Meanwhile, two of those vulnerabilities are actively being exploited today.
This is why managed patching through an MSP matters. Automated patch management tools can deploy, validate, and report on patches across your entire environment within hours, not weeks. Our team runs this process through our vulnerability management program, with 24/7 monitoring from our SOC to detect exploitation attempts during the patching window.
We’ve written about what our zero-day response process actually looks like from the inside. The short version: when a critical patch drops, every affected client system is identified, patched, and verified within hours, not queued for next month.
Five Questions to Ask Your IT Provider This Week
If you work with an IT provider, whether it’s an internal team or a managed services partner, ask these questions about the June Patch Tuesday update:
- Have this month’s updates, covering all 208 CVEs, been deployed across our environment? Not “scheduled” or “in progress.” Deployed, verified, and confirmed, including the reboot where one is required.
- Are the actively exploited vulnerabilities (CVE-2026-42897 and CVE-2026-41091) already patched? These two should have been prioritized above the rest, with the wormable kernel flaw (CVE-2026-45657) next in line.
- Do we still run any on-premises Exchange servers? If yes, ask what the migration plan is and what the timeline looks like.
- What is our current patch management SLA? If the answer is “we patch within 30 days,” that’s too slow for wormable kernel flaws and actively exploited vulnerabilities.
- What happens between when a patch is released and when it’s installed? There should be monitoring, threat detection, and compensating controls during that gap, not just silence.
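“Deployed, verified, and confirmed” is a claim you can check rather than take on trust. The following PowerShell script is an added example, not the MSP’s tooling or code from the original post: it asks each machine which updates have actually finished installing, whether a reboot is still pending, and whether Defender is still running afterwards. The KB identifiers and computer names are placeholders the caller supplies; the real KB numbers for the June 2026 updates are not stated in this post and must be taken from the Microsoft Security Update Guide for each Windows version you run.

```powershell
# Added example, not from the original post: confirm that a given set of updates
# (by KB ID) is actually installed on each machine, not merely approved or
# scheduled, and that Defender is still healthy afterwards. KB IDs and computer
# names are caller-supplied placeholders; the real June 2026 KB numbers are not
# on this page and come from the Microsoft Security Update Guide.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [string[]] $RequiredKB     # e.g. 'KB1234567' (placeholder)
)

$report = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ArgumentList (, $RequiredKB) -ScriptBlock {
    param([string[]] $RequiredKB)

    # Get-HotFix lists only updates whose installation has completed, which is
    # exactly the distinction between "deployed" and "scheduled".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKB | Where-Object { $_ -notin $installed })

    # A pending reboot means the package is staged but the fix is not yet live.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    # Defender health after patching; returns nothing where a third-party AV has replaced it.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        MissingKB         = ($missing -join ', ')
        RebootPending     = $rebootPending
        DefenderRealTime  = [bool] $mp.RealTimeProtectionEnabled
        TamperProtection  = [bool] $mp.IsTamperProtected
        DefenderEngine    = $mp.AMEngineVersion
        Compliant         = ($missing.Count -eq 0) -and (-not $rebootPending) -and [bool] $mp.RealTimeProtectionEnabled
    }
}

$report |
    Sort-Object Compliant, Computer |
    Format-Table Computer, Compliant, MissingKB, RebootPending, DefenderRealTime, TamperProtection, DefenderEngine -AutoSize

# A host that could not be reached produces no row at all; surface it as
# unpatched rather than letting it silently disappear from the report.
$unreached = @($ComputerName | Where-Object { $_ -notin $report.PSComputerName })
if ($unreached.Count) { Write-Warning ("Unreachable, treat as unpatched: " + ($unreached -join ', ')) }
```

Run it as `.\Confirm-PatchState.ps1 -ComputerName srv01, ws-042 -RequiredKB KB1234567, KB7654321` (placeholder KB IDs) from an account with WinRM access to the targets. Two caveats: `Get-HotFix` reports Windows cumulative and servicing updates, but Exchange security updates and Defender engine or platform updates are not reliably visible through it, so check the Exchange build number and the `DefenderEngine` column separately; and a machine that shows `Compliant` only proves the package is installed, not that nothing got in during the gap, which is what the monitoring question above is for.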
If your provider can’t answer these clearly, or if you’re not confident patches are being applied promptly and consistently, that’s a gap worth closing before the next record-breaking Patch Tuesday arrives.
Need Help With Patch Management?
Our team can assess your patching posture and show you how we keep client environments protected when Microsoft releases 208 fixes at once.
Get a Free Assessment