{ "@context": "https://schema.org", "@type": "NewsArticle", "@id": "https://hostdir.net/blog/microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days", "headline": "Microsoft June 2026 Patch Tuesday fixes record 206 flaws, 6 zero-days", "alternativeHeadline": "The largest Patch Tuesday in Microsoft history includes an actively exploited Exchange Server zero-day and three publicly disclosed vulnerabilities.", "url": "https://hostdir.net/blog/microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days", "datePublished": "2026-06-11T10:49:00+00:00", "dateModified": "2026-06-11T10:50:30+00:00", "author": { "@type": "Organization", "name": "HostDir News Desk", "url": "https://hostdir.net" }, "publisher": { "@type": "Organization", "name": "HostDir", "url": "https://hostdir.net", "logo": { "@type": "ImageObject", "url": "https://hostdir.net/assets/logo.svg" } }, "image": "https://hostdir.net/uploads/news/ee14271b657d1220.webp", "description": "Microsoft released fixes for a record 206 vulnerabilities in June 2026, including six zero-days. One Exchange Server flaw is under active attack. AI tools are driving a surge in discovery.", "articleSection": "Security", "articleBody": "Microsoft released its largest Patch Tuesday on record June 10, 2026, fixing 206 security vulnerabilities across its product portfolio. The update includes fixes for six zero-day flaws, one of which is actively exploited in attacks against Exchange Server.Of the 206 flaws, 39 are rated Critical and 167 are rated Important. The breakdown includes 63 privilege escalation bugs, 56 remote code execution flaws, 30 information disclosure issues, 27 spoofing vulnerabilities, and 20 security feature bypass problems. This surpasses the previous record of 167 flaws set in April 2026.Exchange Server zero-day under active attackThe most urgent vulnerability is CVE-2026-42897, a high-severity spoofing flaw in Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft says remote attackers with no privileges can exploit it by sending a specially crafted email. If a user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript executes in the browser context.Microsoft first detected the attacks in mid-May and rolled out automatic temporary mitigations through the Exchange Emergency Mitigation Service (EEMS). The Cybersecurity and Infrastructure Security Agency added the flaw to its exploited vulnerabilities list on May 15 and ordered U.S. federal agencies to patch within two weeks. Over the past five years, CISA has listed 20 Exchange Server vulnerabilities as exploited, with ransomware gangs using 14 of them.AI blamed for vulnerability surgeMicrosoft security leadership acknowledged last month that artificial intelligence tools are driving a sharp increase in vulnerability discovery across the industry. Dark Reading reported that AI accelerates both the speed and scale of finding flaws, making voluminous patch updates the new normal. CyberScoop noted that fears about a flood of error-riddled software have materialized.The three publicly disclosed zero-days in this release add urgency. While Microsoft did not name the specific CVEs, the company confirmed that proof-of-concept code or public disclosure existed before the patch. The remaining two zero-days were privately reported and not known to be exploited.Administrators should prioritize the Exchange Server update and leave the EEMS mitigations in place for additional protection. Microsoft recommends installing the June 2026 Security Updates as soon as possible. With AI-driven discovery accelerating, organizations should expect similarly large Patch Tuesday releases in coming months.", "mainEntityOfPage": "https://hostdir.net/blog/microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days", "citation": [ { "@type": "CreativeWork", "name": "Microsoft patches Exchange Server zero-day exploited in attacks", "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/" }, { "@type": "CreativeWork", "name": "Microsoft ships largest Patch Tuesday on record, with one bug under active attack", "url": "https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record" }, { "@type": "CreativeWork", "name": "Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs", "url": "https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html" }, { "@type": "CreativeWork", "name": "Microsoft breaks Patch Tuesday record with 206 vulnerabilities", "url": "https://cyberscoop.com/microsoft-patch-tuesday-june-2026/" }, { "@type": "CreativeWork", "name": "Blame AI: Patch Tuesday Hits Record 206 CVEs", "url": "https://www.darkreading.com/vulnerabilities-threats/blame-ai-patch-tuesday-record-206-cves" }, { "@type": "CreativeWork", "name": "Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days", "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/" }, { "@type": "CreativeWork", "name": "Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows", "url": "https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html" }, { "@type": "CreativeWork", "name": "Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges", "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/" }, { "@type": "CreativeWork", "name": "A Record-Breaking Patch Tuesday for June 2026", "url": "https://krebsonsecurity.com/2026/06/a-record-breaking-patch-tuesday-for-june-2026/" }, { "@type": "CreativeWork", "name": "AI is making Patch Tuesday (kinda) fun again", "url": "https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225" } ], "_hostdir": { "kind": "news-article", "slug": "microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days", "canonical": "https://hostdir.net/blog/microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days", "category": "security", "sources": [ { "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/", "title": "Microsoft patches Exchange Server zero-day exploited in attacks", "source_name": "BleepingComputer", "source_slug": "bleeping-computer" }, { "url": "https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record", "title": "Microsoft ships largest Patch Tuesday on record, with one bug under active attack", "source_name": "The Record by Recorded Future", "source_slug": "the-record" }, { "url": "https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html", "title": "Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs", "source_name": "The Hacker News", "source_slug": "hacker-news" }, { "url": "https://cyberscoop.com/microsoft-patch-tuesday-june-2026/", "title": "Microsoft breaks Patch Tuesday record with 206 vulnerabilities", "source_name": "CyberScoop", "source_slug": "cyberscoop" }, { "url": "https://www.darkreading.com/vulnerabilities-threats/blame-ai-patch-tuesday-record-206-cves", "title": "Blame AI: Patch Tuesday Hits Record 206 CVEs", "source_name": "Dark Reading", "source_slug": "darkreading" }, { "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/", "title": "Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days", "source_name": "BleepingComputer", "source_slug": "bleeping-computer" }, { "url": "https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html", "title": "Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows", "source_name": "The Hacker News", "source_slug": "hacker-news" }, { "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/", "title": "Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges", "source_name": "BleepingComputer", "source_slug": "bleeping-computer" }, { "url": "https://krebsonsecurity.com/2026/06/a-record-breaking-patch-tuesday-for-june-2026/", "title": "A Record-Breaking Patch Tuesday for June 2026", "source_name": "Krebs on Security", "source_slug": "krebs" }, { "url": "https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225", "title": "AI is making Patch Tuesday (kinda) fun again", "source_name": "The Register", "source_slug": "register-headlines" } ], "fact_checks": [ { "claim": "Microsoft fixed 206 vulnerabilities in June 2026 Patch Tuesday, a record.", "source_url": "https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html", "verdict": "verified" }, { "claim": "CVE-2026-42897 is an actively exploited Exchange Server zero-day.", "source_url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/", "verdict": "verified" }, { "claim": "AI tools are driving a surge in vulnerability discovery, according to Microsoft security leadership.", "source_url": "https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record", "verdict": "reported" }, { "claim": "39 of the 206 flaws are rated Critical.", "source_url": "https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html", "verdict": "verified" }, { "claim": "CISA added CVE-2026-42897 to its exploited vulnerabilities list on May 15, 2026.", "source_url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/", "verdict": "verified" } ], "internal_links": [ { "anchor": "under", "target_url": "/providers/under", "target_kind": "provider" } ], "attribution": "HostDir News Desk — https://hostdir.net/blog/microsoft-june-2026-patch-tuesday-fixes-record-206-flaws-6-zero-days" } }