
On June 9, Microsoft closed more than two hundred vulnerabilities, including six zero-days and a wormable kernel flaw with CVSS 9.8. Exchange Server had already been actively attacked for weeks before the patch was released. What IT teams must patch now and how to prioritise when the list is too long.
Every second Tuesday of the month, Microsoft publishes its security updates. Most months that is seventy to one hundred, spread across Windows, Office, and server software. On 9 June 2026, it was different. Microsoft closed more than two hundred vulnerabilities in a single release — a record — including six zero-days and a kernel flaw that is wormable and requires no user interaction. For IT teams managing a busy patch schedule, this is a release that demands immediate attention.
This article discusses the three most urgent vulnerabilities, explains why Exchange is particularly alarming, and provides a practical prioritisation model for organisations that cannot patch everything at once.
A typical Patch Tuesday contains vulnerabilities that Microsoft rates as 'critical' but where exploitation is complex or requires user interaction. The June release contains multiple vulnerabilities where this is not the case. The wormable kernel flaw does not need to be triggered by an attacker through social engineering or a malicious attachment. It is sufficient to send specially crafted network traffic to a vulnerable system.
This makes the impact fundamentally different from the average critical vulnerability. Once a single system on a network is compromised, the attack can spread automatically to other vulnerable machines on the same segment. That is precisely why wormability carries so much weight in prioritisation.
CVE-2026-45657 is a remote code execution vulnerability in the Windows Kernel with a CVSS score of 9.8 — the highest risk category. The flaw lies in how Windows processes TCP/IP traffic at the kernel level. An unauthenticated attacker can, without any user interaction, send a malicious payload that executes arbitrary code with SYSTEM privileges.
The vulnerability affects Windows 11 in all current versions, including 23H2, 24H2, and 25H2, as well as Windows Server 2022 and Server 2025. Systems that are not directly reachable via the internet but are on an internal network alongside other vulnerable machines are equally at risk once the worm enters the network.
Microsoft's patch resolves the flaw by rewriting how TCP/IP packets are processed at the kernel level. No temporary mitigation is available that preserves functionality. Patching is the only effective solution.
CVE-2026-42897 is a pre-authentication remote code execution vulnerability in Exchange Server's Outlook on the Web (OWA) component with a CVSS score of 9.8. The notable circumstance here is that the vulnerability had already been actively exploited for weeks before Microsoft released the definitive patch on 9 June.
The attack works through improper deserialization in the OWA proxy module: an attacker sends a malicious serialised payload to the public OWA endpoint without needing any credentials. The server processes the payload and the attacker gains code execution on the Exchange system itself. Once inside, privilege escalation to Domain Admin is historically straightforward from an Exchange compromise, because Exchange has extensive rights in Active Directory by default.
Organisations running Exchange Server on-premises — Exchange 2019 is still widely used in hybrid Microsoft 365 deployments — must treat the June 9 patch as an absolute priority. Anyone who has not yet patched Exchange should assume that active attack campaigns are running.
A vulnerability that receives less attention but is operationally dangerous sits in Microsoft Defender itself. CVE-2026-41091 is an Elevation of Privilege flaw with CVSS 7.8. A local attacker can elevate their privileges to SYSTEM level via a race condition in the Defender service. This vulnerability is actively being exploited in the wild.
The fact that Microsoft Defender itself is an attack vector illustrates something security teams must internalise: security software is still software, and security software with high system privileges is an attractive target. The patch closes the race condition. Until it is installed, every system with Defender and a malicious local user or active malware infection faces elevated risk.
With more than two hundred updates at once, prioritisation is not a luxury but a necessity. A practical model works in three layers.
Layer one: internet-facing systems. Exchange Server, remote desktop gateways, VPN concentrators, web servers, and API gateways. These are the systems an attacker can reach first without needing a foothold. For CVE-2026-42897, this means: all Exchange servers that have OWA publicly available, patch today.
Layer two: domain infrastructure and privileged endpoints. Domain controllers, admin workstations, systems with Defender for Endpoint installed, and systems processing sensitive data. CVE-2026-45657 and CVE-2026-41091 fall here: kernel updates for all active Windows systems in this segment.
Layer three: the rest of the fleet. End-user workstations, legacy systems in isolation, and thin clients. A slightly wider deadline applies here, but these systems must also be updated within the normal patch cycle — a wormable flaw remains wormable even when not immediately exploited.
First, activate updates immediately for internet-facing servers. Use the Microsoft Security Update Guide to filter on CVSS 9.0 or higher and on 'exploited: yes'. That list determines the order for the next forty-eight hours.
Second, use Windows Autopatch or Intune Update Rings to get the Windows 11 kernel update onto all endpoints within five working days. For organisations already using Windows Autopatch but still managing Exchange manually, that manual Exchange management is now the bottleneck.
Third, document temporarily non-patchable exceptions. Systems that cannot be patched immediately due to critical business processes, applications that are incompatible with the update, or maintenance constraints must be documented with a clear compensating control: network segmentation, increased monitoring, or temporarily disabling external reachability.
The record number of CVEs in June is not a coincidence. It reflects a growing trend: attackers are professionalising faster than the average patch speed of organisations. At the same time, increasing connectivity between cloud, on-premises, and endpoints expands the attack surface every month. The combination of wormability, pre-auth attacks, and active exploitation before the patch date makes clear that a monthly patch cycle for critical systems is no longer sufficient.
Organisations looking to sharpen their patch and vulnerability management, deploy Intune for automated Windows updates, or migrate their Exchange environment to Exchange Online to eliminate this class of on-premises risk: Zarioh can help you set this up structurally. Contact us for a conversation about your current patch strategy.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security

Security

Security