{"id":8445,"date":"2026-06-10T14:53:28","date_gmt":"2026-06-10T14:53:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8445"},"modified":"2026-06-10T14:53:28","modified_gmt":"2026-06-10T14:53:28","slug":"june-patch-tuesday-marks-a-new-normal-with-over-200-cves-32-rated-critical","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8445","title":{"rendered":"June Patch Tuesday marks a \u2018new normal\u2019 with over 200 CVEs, 32 rated \u2018critical\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>June\u2019s Patch Tuesday security updates have arrived, with SAP fixing four critical vulnerabilities and Microsoft addressing over 200 CVEs. Microsoft\u2019s to-do list includes fixes for three zero days, 32 patches rated as \u2018critical\u2019, and a batch of other high-risk vulnerabilities that need urgent assessment. There\u2019s also one older flaw under exploit, and some patches affecting enterprise products for which Microsoft says exploitation is likely. Adobe, too, fixed critical vulnerabilities in enterprise software.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability surge<\/h2>\n<p>It\u2019s a record haul for Patch Tuesday CVEs \u2014 and that\u2019s not counting the other exploited vulnerabilities Microsoft has patched out-of-band since its May update.<\/p>\n<p>Microsoft recently told customers it expects the number of vulnerabilities in monthly updates to continue rising, influenced by the growing use of AI tools. As a <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/blog\/2026\/05\/a-note-on-patch-tuesday\" target=\"_blank\" rel=\"noopener\">May post<\/a> by the Microsoft Security Response Center put it: \u201cAs larger releases settle in as a norm, the way we deliver and decide on updates remains consistent. 
Patch Tuesday continues as our predictable rhythm for on-premises software.\u201d Going forward, customers should brace themselves for more out-of-band updates, it added.<\/p>\n<p>According to <a href=\"https:\/\/www.linkedin.com\/in\/nirwan-dogra-11a24047\/\" target=\"_blank\" rel=\"noopener\">Nirwan Dogra<\/a>, a Senior Software Engineer at Microsoft Security, May and June 2026 represent a new norm that will challenge traditional, slower test-and-deploy patching.<\/p>\n<p>\u201cThe 200+ CVE count isn\u2019t an anomaly. It\u2019s the new baseline. AI-assisted vulnerability discovery (fuzzing, static analysis, variant hunting) is compressing the timeline between \u2018a bug exists\u2019 and \u2018bug is found\u2019 dramatically,\u201d he said via email.<\/p>\n<p>Ominously, according to Dogra, AI tools were also resulting in more flaws being uncovered in components previously seen as too complex for manual audit, such as hypervisor code and Kerberos. He recommended that organizations move towards risk-based vulnerability prioritization, automated patching pipelines, and a focus on the flaws that were likely to be exploited.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dustincchilds\/\" target=\"_blank\" rel=\"noopener\">Dustin Childs<\/a>, Head of Threat Awareness for TrendAI\u2019s Zero Day Initiative (ZDI), agreed: \u201cWe are heading into a high-stakes summer for cybersecurity. June\u2019s record-shattering drop of 210 Microsoft vulnerabilities is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Microsoft\u2019s high-priority fixes<\/h2>\n<p>Three vulnerabilities are rated as zero days because they have been publicly disclosed. 
Two are connected to adversarial disclosures affecting Windows by the researcher <a href=\"https:\/\/www.csoonline.com\/article\/4178869\/microsoft-and-security-researchers-dueling-posts-about-cybersecurity-disclosures-get-nasty.html\">Nightmare Eclipse<\/a> which have attracted a lot of attention: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2026-45586\" target=\"_blank\" rel=\"noopener\">CVE-2026-45586<\/a> (CTFMON) and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2026-50507\" target=\"_blank\" rel=\"noopener\">CVE-2026-50507<\/a> (BitLocker bypass). The third is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-49160\" target=\"_blank\" rel=\"noopener\">CVE-2026-49160<\/a>, a CVSS 7.8-rated denial of service zero day vulnerability in the Windows HTTP Protocol Stack used by various Windows services.<\/p>\n<p>Security teams should also note the patch for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-42897\" target=\"_blank\" rel=\"noopener\">CVE-2026-42897<\/a>, an Exchange Server flaw under active exploitation <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/released-june-2026-exchange-server-security-updates\/4524491\" target=\"_blank\" rel=\"noopener\">originally disclosed<\/a> in May. 
This was originally addressed using workarounds but has now been patched.<\/p>\n<p>The list of 15 vulnerabilities where exploitation is said to be \u201cmore likely\u201d is headlined by <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-47291\" target=\"_blank\" rel=\"noopener\">CVE-2026-47291<\/a>, a dangerous CVSS 9.8-rated kernel-level RCE flaw in http.sys that attackers could use to target multiple important enterprise applications, such as IIS, WinRM, or Windows Admin Center.<\/p>\n<p>Also worth paying attention to is a series of \u2018high\u2019-rated Hyper-V VM escape flaws: <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-47652\" target=\"_blank\" rel=\"noopener\">CVE-2026-47652<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-45641\" target=\"_blank\" rel=\"noopener\">CVE-2026-45641<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-45607\" target=\"_blank\" rel=\"noopener\">CVE-2026-45607<\/a>. 
Anyone running on-premises networks will also be interested in <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-47288\" target=\"_blank\" rel=\"noopener\">CVE-2026-47288<\/a>, an RCE affecting the Active Directory Kerberos core, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-45648\" target=\"_blank\" rel=\"noopener\">CVE-2026-45648<\/a>, a CVSS 8.8 flaw affecting Active Directory Domain Services (AD DS).<\/p>\n<h2 class=\"wp-block-heading\">Four critical SAP vulnerabilities<\/h2>\n<p>SAP\u2019s Security Patch Day haul <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/june-2026.html\" target=\"_blank\" rel=\"noopener\">for June<\/a> comprises 15 patches across a range of core enterprise products including, prominently, NetWeaver, Commerce Cloud, SAP S\/4HANA, and the Business Objects Business Intelligence Platform.<\/p>\n<p>Four of these are rated \u2018critical\u2019, the most eye-catching of which is <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-27671\" target=\"_blank\" rel=\"noopener\">CVE-2026-27671<\/a>, a CVSS 9.8 memory corruption vulnerability in Application Server ABAP and ABAP Platform.<\/p>\n<p>\u201cThis is one of the most serious notes in the batch because the attack requires no authentication and can affect confidentiality, integrity, and availability at the same time,\u201d said <a href=\"https:\/\/pathlock.com\/author\/jonathan-stross\/\" target=\"_blank\" rel=\"noopener\">Jonathan Stross<\/a>, SAP security analyst at security company Pathlock. 
\u201cA successful exploit can undermine the trustworthiness of the entire ABAP instance and everything connected to it.\u201d<\/p>\n<p>Not far behind it is <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-44748\" target=\"_blank\" rel=\"noopener\">CVE-2026-44748<\/a>, a CVSS 9.9 XML Signature Wrapping vulnerability in SAML authentication in the SAP NetWeaver Application Server ABAP and ABAP Platform. This allows an authenticated attacker with low-level user privileges to capture a signed SAML message, then modify and submit an XML payload with forged identity data.<\/p>\n<p>The final critical-rated flaws are <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-22732\" target=\"_blank\" rel=\"noopener\">CVE-2026-22732<\/a>, a CVSS 9.1 Spring Security weakness within SAP Commerce Cloud and SAP Data Hub, and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-40128\" target=\"_blank\" rel=\"noopener\">CVE-2026-40128<\/a>, a CVSS 9.0 directory traversal vulnerability in the Application Server Java (Web Container).<\/p>\n<p>This month\u2019s update also patches two vulnerabilities marked \u2018high\u2019, the CVSS 7.4 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-29145\" target=\"_blank\" rel=\"noopener\">CVE-2026-29145<\/a>, addressing multiple weaknesses in Apache Tomcat within SAP Commerce Cloud, and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-44751\" target=\"_blank\" rel=\"noopener\">CVE-2026-44751<\/a>, a missing authorization check affecting Application Server ABAP of SAP NetWeaver and ABAP Platform.<\/p>\n<h2 class=\"wp-block-heading\">Adobe patches enterprise vulnerabilities<\/h2>\n<p>Adobe\u2019s June update addresses 123 vulnerabilities across Reader, ColdFusion, Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Adobe Campaign Classic.<\/p>\n<p>Of note are the two CVSS 10-rated CVEs (<a href=\"https:\/\/helpx.adobe.com\/security\/products\/campaign\/apsb26-66.html\" 
target=\"_blank\" rel=\"noopener\">APSB26-66<\/a>) in the Adobe Campaign Classic enterprise marketing platform, the seven mostly \u2018critical\u2019 or \u2018high\u2019-rated CVEs affecting ColdFusion (<a href=\"https:\/\/helpx.adobe.com\/security\/products\/coldfusion\/apsb26-64.html\" target=\"_blank\" rel=\"noopener\">APSB26-64<\/a>), and a total of 20 CVEs affecting Reader (<a href=\"https:\/\/helpx.adobe.com\/security\/products\/acrobat\/apsb26-63.html\" target=\"_blank\" rel=\"noopener\">APSB26-63<\/a>). It\u2019s also a busy month for InDesign, which features 12 vulnerabilities (<a href=\"https:\/\/helpx.adobe.com\/security\/products\/indesign\/apsb26-58.html\" target=\"_blank\" rel=\"noopener\">APSB26-58<\/a>), and Experience Manager which features three (<a href=\"https:\/\/helpx.adobe.com\/security\/products\/aem-forms\/apsb26-57.html\" target=\"_blank\" rel=\"noopener\">APSB26-57<\/a>).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>June\u2019s Patch Tuesday security updates have arrived, with SAP fixing four critical vulnerabilities and Microsoft addressing over 200 CVEs. Microsoft\u2019s to-do list includes fixes for three zero days, 32 patches rated as \u2018critical\u2019, and a batch of other high-risk vulnerabilities that need urgent assessment. 
There\u2019s also one older flaw under exploit, and some patches affecting [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8446,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8445","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8445"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8445"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8445\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8446"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}