Microsoft Patch Tuesday June 2026

The June edition of the Patch Tuesday update addresses 200 vulnerabilities, including 3 zero-day vulnerabilities.

The following vulnerabilities were addressed through the update that threat actors exploited to orchestrate attacks:

3 zero-day vulnerabilities addressed

1. ‘GreenPlasma’ – CVE-2026-45586- Windows Collaborative Translation Framework (CTFMON) Elevation of privileges

Through its June edition of Patch Tuesday, Microsoft has addressed a zero-day elevation of privilege vulnerability in the Windows Collaborative Translation Framework (CTFMON) that allowed attackers to gain SYSTEM-level privileges once they gain initial access.

What makes this flaw dangerous is that, alongside phishing, malware, credential theft, or remote access attacks, it can be used to orchestrate massive ransomware campaigns, maintain stealthy persistence, and cause network-wide compromise.

The attackers can exploit the vulnerability to:

• Gain SYSTEM-level privileges on affected systems
• Disable or bypass security solutions like EDR and antivirus tools
• Harvest credentials (from LSASS memory and other local systems)
• Create backdoor and persistence mechanisms
• Move laterally across Active Directory environments
• Evade detection mechanisms
• Tamper with logs
• Deploy ransomware across networks
• Gain access to sensitive and confidential data
• Engage in espionage and long-term surveillance

2. CVE-2026-49160- HTTP.sys – Denial of Service

Another zero-day flaw fixed through the update is a zero-day HTTP.sys Denial of Service flaw that allowed attackers to send tailored HTTP/.2 requests to vulnerable Windows servers and applications. By exploiting the vulnerability remotely, attackers could disrupt critical operations, internet-facing applications, and APIs.

The attackers can exploit the vulnerability to:

• Cause reputational damage via operational disruption
• Crash applications and IIS (Internet Information Service) servers
• Exploit internet-facing Windows infrastructure
• Disrupt critical operations and public services
• Disrupt online portals, APIs, and web applications
• Cause service outages (like emergency services in healthcare, financial services in banking, and essential services in government)

3. ‘YellowKey’ – CVE-2026-50507 – Windows BitLocker – Security Feature Bypass

Microsoft has addressed a BitLocker security feature bypass zero-day vulnerability that allows attackers with physical access to bypass disk encryption protections if certain conditions are met.

This flaw can be exploited in targeted espionage operations. It is highly concerning for organizations with lost/stolen corporate devices.

The attackers can exploit the vulnerability to:

• Bypass the encryption protections in BitLocker
• Access confidential files in endpoints
• Extract customer, corporate, or government data from stolen devices
• Bypass security protections at the endpoint-level
• Carry out espionage and gather intelligence
• Harvest credentials, tokens, and secrets stored locally
• Compromise employee laptops and other devices

SharkStriker’s recommendations

The following are some of the security recommendations:

• Immediately apply the June Patch Tuesday update to all the applicable Microsoft Windows servers, workstations, cloud services, and Microsoft applications, prioritizing internet-facing and business-critical systems.
• Prioritize patching Active Directory Domain Controllers, Exchange Servers, SharePoint Servers, Hyper-V hosts, Remote Desktop systems, and externally accessible web servers.
• Organizations using TPM-only BitLocker deployments should evaluate stronger configurations, such as TPM+PIN, to mitigate risks associated with publicly disclosed BitLocker bypass techniques.
• Review security logs for suspicious authentication activity, privilege escalation attempts, HTTP/2 abuse patterns, unusual service crashes, and indicators of exploitation targeting newly patched vulnerabilities.
• Analyze historical telemetry for signs of compromise involving Active Directory, Kerberos, Remote Desktop, Exchange, SharePoint, and Windows privilege escalation activity.
• Ensure asset inventories accurately identify vulnerable Microsoft systems and establish rapid patch validation procedures for critical updates.
• Configure SIEM, EDR, and network monitoring solutions to detect exploitation attempts, abnormal administrative activity, and indicators associated with privilege escalation and remote code execution attacks.
• Continue enforcing least privilege, network segmentation, multi-factor authentication, application control, and endpoint protection to reduce the impact of successful exploitation attempts.