Jun 11, 2026
Microsoft Patches 200 Flaws and 6 Zero Days in June 2026
Microsoft's June 9 release is the largest Patch Tuesday on record: 200 vulnerabilities, five publicly disclosed zero days, and one Exchange flaw already exploited in attacks. Hours after the updates shipped, researcher Nightmare Eclipse published RoguePlanet, a Microsoft Defender exploit that grants SYSTEM privileges on fully patched Windows.
Patch Tuesday is supposed to be the day Windows gets safer. This month, the window of safety lasted a few hours. On June 9, 2026, Microsoft shipped fixes for 200 vulnerabilities, the biggest single release in the program's history, including six zero days. By Tuesday afternoon, an anonymous researcher had already published a working exploit for a brand new Microsoft Defender flaw, tested against machines running that morning's updates. Administrators patched 200 holes and ended the day with at least one new one. Microsoft was not alone that week, either: two days later Oracle shipped emergency mitigations for an actively exploited PeopleSoft zero day that ShinyHunters used to loot HR systems at more than 100 organizations.
Key Takeaways
- Microsoft fixed 200 vulnerabilities on June 9, 2026, including 33 critical flaws and six zero days, five of them publicly disclosed and one actively exploited.
- CVE-2026-42897, an Exchange Server flaw under active exploitation, lets attackers run arbitrary JavaScript in Outlook Web Access by sending a specially crafted email.
- CVE-2026-45586 (GreenPlasma) and CVE-2020-17103 (Mini-Plasma) both elevate attackers to SYSTEM, while CVE-2026-45585 (YellowKey) and CVE-2026-50507 bypass BitLocker encryption on drives an attacker can physically reach.
- RoguePlanet, a Microsoft Defender exploit released by researcher Nightmare Eclipse hours after the patches shipped, spawns a SYSTEM shell on fully updated Windows 10 and 11.
- RoguePlanet is at least the sixth zero day proof of concept the same researcher has published since April 2026, following BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
What Did Microsoft Fix in the June 2026 Patch Tuesday?
Microsoft fixed 200 vulnerabilities across Windows, Office, Exchange, and Azure, a count that excludes the 360 Edge and Chromium flaws patched earlier and makes June 2026 the largest Patch Tuesday ever released. According to BleepingComputer, the breakdown is 65 elevation of privilege flaws, 55 remote code execution flaws, 30 information disclosure bugs, 27 spoofing issues, 19 security feature bypasses, and 7 denial of service vulnerabilities.
Thirty-three of the 200 are rated Critical: 28 enable remote code execution, 4 grant elevated privileges, and 1 discloses sensitive information. Beyond the zero days, Help Net Security highlights CVE-2026-44815, an unauthenticated remote code execution bug in the DHCP service, and CVE-2026-45657, a wormable flaw in Windows kernel TCP/IP handling, as the issues most likely to be weaponized next. It is the second month in a row that a Windows networking component made the urgent list, after the Netlogon RCE flaw under active exploitation earlier in June.
Which Zero Days Were Patched?
Six zero days were patched: five publicly disclosed before a fix existed, and one already exploited in real attacks. The actively exploited flaw is the one that should worry anyone who reads email. CVE-2026-42897 is an Exchange Server spoofing vulnerability that attackers trigger by sending a specially crafted email, which then executes arbitrary JavaScript inside the victim's Outlook Web Access session. The victim does not need to download anything or click a suspicious link; the malicious message does the work when the mailbox renders it.
Two of the publicly disclosed zero days hand attackers SYSTEM, the highest privilege level on Windows, even on machines that were fully patched before Tuesday. CVE-2026-45586, nicknamed GreenPlasma, abuses a link following bug in the Windows Collaborative Translation Framework (CTFMON). CVE-2020-17103, nicknamed Mini-Plasma, sits in the Cloud Files Mini Filter Driver and carries a 2020 CVE identifier because it was originally reported six years ago and remained exploitable until now.
Two more zero days defeat BitLocker, Windows' full disk encryption. CVE-2026-45585 is the flaw behind the YellowKey BitLocker bypass disclosed in May, and CVE-2026-50507 is a second, separate bypass. Both let an attacker with physical access read data from an encrypted drive, which means a stolen or briefly unattended laptop is enough. The sixth zero day, CVE-2026-49160, is an uncontrolled resource consumption bug in the HTTP/2 stack of HTTP.sys that can knock internet facing web servers offline with crafted request streams.
What Is the RoguePlanet Defender Exploit?
RoguePlanet is a proof of concept exploit for an unpatched Microsoft Defender vulnerability, published just hours after the June updates went live by the anonymous researcher known as Nightmare Eclipse. The exploit abuses a race condition in how Defender handles files and, when it wins the race, spawns a Windows command prompt running with SYSTEM privileges. BleepingComputer reports that it was tested on Windows 11 official and Canary builds and on Windows 10 with the June 2026 updates (KB5094126) installed, meaning a machine patched on Tuesday morning was exploitable by Tuesday afternoon.
The researcher is candid about reliability: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others." The flaw was originally confirmed as remote code execution through Defender's scanning of files on remote SMB shares, but a Microsoft change to the mpengine SysIO API in mid May blocked the junction attack path and limited the public exploit to local privilege escalation. Microsoft says it is "aware of the reported vulnerability and is actively investigating," and no in the wild exploitation has been reported so far.
The release fits a now familiar pattern. RoguePlanet is at least the sixth zero day proof of concept Nightmare Eclipse has dropped since early April 2026, after BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, and the third Patch Tuesday in a row punctuated by a fresh exploit from the same source. We covered the earlier Defender pair in the RedSun and UnDefend zero days from May. SecurityWeek notes the irony that the security tool installed on virtually every Windows machine keeps becoming the privilege escalation vector itself.
What Should You Do Now?
Install the June 2026 updates immediately, then work through the gaps the updates do not close:
- Apply the June 9 security updates on every Windows 10 and 11 machine (KB5094126 for Windows 10) and on all Exchange servers. CVE-2026-42897 is being exploited right now via crafted emails, so Exchange comes first.
- If you run Outlook Web Access, assume hostile messages have already arrived and review OWA session logs for unexpected script activity before and after patching.
- Treat BitLocker as bruised until your fleet is patched: keep laptops physically secured, and enable a startup PIN so an attacker with the device still faces an extra factor.
- For RoguePlanet, there is no patch yet. Application allowlisting blocks the public exploit from executing, per ThreatLocker, and you should watch Microsoft's advisories for an out of band Defender fix.
- Prioritize CVE-2026-44815 (DHCP) and CVE-2026-45657 (wormable TCP/IP) on servers, since unauthenticated network flaws of this class are historically weaponized within weeks.
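A per-host check for three of the steps above (update installed, BitLocker startup PIN present, Defender versions recorded for comparison against a future advisory), as an added example that is not from Microsoft or the sources cited here. It assumes a Windows 10 host, an elevated session, and the built-in BitLocker and Defender modules; the function names are hypothetical.

```powershell
# Added example. KB5094126 is the Windows 10 update the article names;
# other Windows versions ship under a different KB number.
$ErrorActionPreference = 'Stop'
$Kb = 'KB5094126'

function Test-JuneUpdate {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering and errors when the KB is
    # absent. A later cumulative update can supersede this KB, so "False"
    # means "check further", not "proven unpatched".
    try { [bool](Get-HotFix -Id $Id) } catch { $false }
}

function Get-StartupPinState {
    param([string]$MountPoint = $env:SystemDrive)
    try { $vol = Get-BitLockerVolume -MountPoint $MountPoint }
    catch { return [pscustomobject]@{ Protection = 'Unknown'; Pin = $false } }
    # A startup PIN shows up as a TpmPin or TpmPinStartupKey key protector.
    $pin = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey' }
    [pscustomobject]@{
        Protection = [string]$vol.ProtectionStatus
        Pin        = [bool]$pin
    }
}

function Get-DefenderVersions {
    # No fixed version for RoguePlanet exists yet, so only record what is
    # installed; compare it once Microsoft publishes an advisory.
    try {
        $s = Get-MpComputerStatus
        [pscustomobject]@{ Engine = $s.AMEngineVersion; Platform = $s.AMProductVersion }
    } catch {
        [pscustomobject]@{ Engine = 'Unknown'; Platform = 'Unknown' }
    }
}

$bl  = Get-StartupPinState
$def = Get-DefenderVersions
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    JuneUpdate       = Test-JuneUpdate -Id $Kb
    BitLockerStatus  = $bl.Protection
    StartupPin       = $bl.Pin
    DefenderEngine   = $def.Engine
    DefenderPlatform = $def.Platform
}
```

The output is a single object per host, so it can be collected across a fleet and filtered for machines where `JuneUpdate` or `StartupPin` is `False`.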
The larger lesson from June: a fully patched system is the start of your defense, not the end. Two zero days elevated attackers to SYSTEM on machines with every available update, and a public exploit beat Microsoft's patch cycle by hours.
Sources: BleepingComputer (Patch Tuesday), BleepingComputer (RoguePlanet), Help Net Security, and SecurityWeek.