In This Article
- What Microsoft Shipped on June 9, 2026
- The Actively Exploited Exchange Zero-Day This Cycle Finally Closes
- The Critical Remote Code Execution Flaws That Demand Action
- Why June Had Two Releases: What Microsoft Patched and What You Patch
- What Banks, Credit Unions, and Mortgage Companies Should Verify This Week
- How ABT's Guardian Operating Model Runs the June Cycle for You
- Frequently Asked Questions
The June 2026 Patch Tuesday is the largest single security release Microsoft has ever shipped. On June 9, the Microsoft Security Response Center published fixes for more than 200 vulnerabilities in one cycle, a monthly record by a comfortable margin. For a community bank, a credit union, or a mortgage company running a lean IT team, the headline is not any one of those 200 flaws. The headline is the volume itself, because nobody on a five-person IT team can read 200 advisories, decide which ones matter, and deploy the right patches to the right machines in the right order before an attacker does.
That is the real story of June. The month carried more than thirty Critical vulnerabilities, most of them remote code execution, including three separate flaws rated 9.8 out of 10 on the CVSS scale. It carried three publicly disclosed zero-days. And the same cycle finally delivered the permanent fix for an Exchange Server flaw that attackers had already been exploiting in the wild since the middle of May. Sorting the genuinely urgent from the merely numerous is the entire job, and it is a job that does not fit into the calendar of an IT director who is also running the help desk, the phone system, and the quarterly examination prep.
This article walks through what Microsoft published on June 9, which June flaws demand explicit action from a financial institution and which ones Microsoft already handled inside its own cloud, what to verify in the Microsoft Intune admin center this week, and how ABT's Guardian operating model turns a record-breaking patch month into a fifteen-minute compliance review instead of a multi-day scramble. Every CVE identifier, severity rating, and date in this article traces to a Microsoft canonical source, the National Vulnerability Database, CISA, or a respected security research publication.
The volume is the story, but only a handful of those fixes actually change what your institution does this week. Here is the short version before the section-by-section detail.
TL;DR for Banks, Credit Unions, and Mortgage Companies
- Treat the on-premises Exchange Server fix as the priority. CVE-2026-42897 is an actively exploited cross-site scripting flaw in Exchange Server Outlook Web Access. It affects on-premises Exchange Server 2016, 2019, and Subscription Edition only. Exchange Online is not affected.
- Patch the three CVSS 9.8 remote code execution flaws across the Windows fleet. The Windows Kernel, HTTP.sys, and DHCP Client each received a critical RCE fix this month, all reachable over the network.
- Patch Active Directory domain controllers. CVE-2026-45648 is a remote code execution flaw in Active Directory Domain Services, the identity backbone of nearly every financial institution.
- You do not need to patch the cloud-side June flaws. Microsoft fixed a Microsoft 365 Copilot flaw and an Exchange Online flaw inside its own service on June 4. There is nothing to install for those.
- Verify deployment in Microsoft Intune within seven days. The Windows Update for Business compliance report is the canonical surface for confirming June 2026 coverage across your fleet. Customers under ABT's Guardian operating model receive this cycle as a managed service.
What Microsoft Shipped on June 9, 2026
The June 2026 release from the Microsoft Security Response Center is the largest monthly Patch Tuesday Microsoft has ever produced. Vulnerability counts vary by source because two of the entries are non-Microsoft component CVEs, an ARM processor flaw and a UEFI Secure Boot flaw, that some trackers fold into the total and others list separately. Qualys and The Hacker News count 206 Microsoft CVEs. The Zero Day Initiative counts 208. Either way it is a record, and it dwarfs the 137 fixes that made May 2026 feel large at the time.
More than thirty of the June flaws are rated Critical, and the majority of the Critical issues are remote code execution. Three of the month's flaws were publicly disclosed before patches were available, which is the technical definition of a zero-day, although Microsoft stated it was not aware of in-the-wild exploitation of any of the brand new June vulnerabilities at the moment of release. The three publicly disclosed items were a Windows Collaborative Translation Framework privilege escalation (CVE-2026-45586), a BitLocker security feature bypass (CVE-2026-50507), and an HTTP.sys denial of service (CVE-2026-49160).
For a financial institution, the practical question is never "how many CVEs." It is "which of these can actually reach my environment, and what do I do about each one." The table below sorts the June items that matter most for a bank, credit union, or mortgage company by the action they require.
| CVE | Component | Severity | What It Does | Customer Action |
|---|---|---|---|---|
| CVE-2026-42897 | Exchange Server (OWA) | High, CVSS 8.1, cross-site scripting, actively exploited since May | A crafted email opened in Outlook Web Access runs arbitrary JavaScript in the browser context. | On-premises Exchange Server 2016, 2019, and Subscription Edition. Apply the June 10 permanent fix. Exchange Online is not affected. |
| CVE-2026-45657 | Windows Kernel | Critical, CVSS 9.8, remote code execution | A flaw in kernel TCP/IP handling lets a remote, unauthenticated attacker run code as SYSTEM with no user interaction. | Every Windows endpoint and server. Deploy the June cumulative update. |
| CVE-2026-47291 | Windows HTTP.sys | Critical, CVSS 9.8, remote code execution | Network-reachable code execution. Microsoft rates exploitation "more likely." Systems on the default MaxRequestBytes registry value are not affected. | Windows servers running HTTP.sys workloads, including Internet Information Services. Deploy the June cumulative update. |
| CVE-2026-44815 | Windows DHCP Client | Critical, CVSS 9.8, remote code execution | A vulnerable Windows machine can be compromised through a crafted DHCP response on the local network. | Every Windows endpoint and server. Deploy the June cumulative update. |
| CVE-2026-45648 | Active Directory Domain Services | Critical, remote code execution (authenticated) | A stack-based buffer overflow lets an authenticated attacker execute code on a domain controller. | Patch every domain controller in the same maintenance window. |
| CVE-2026-45497 CVE-2026-48579 |
Microsoft 365 Copilot Exchange Online |
Fixed in the cloud on June 4 | A Copilot remote code execution flaw and a Critical Exchange Online information disclosure flaw, both mitigated inside Microsoft's service. | Nothing to install. Review identity logs as a precaution. |
The pattern that matters here is the split between what you patch and what Microsoft already patched for you. The Exchange Server, Windows Kernel, HTTP.sys, DHCP Client, and Active Directory flaws all require the June cumulative update to reach your machines. The Copilot and Exchange Online flaws were fixed inside Microsoft's cloud service before the advisory was even published. Understanding which side of that line a given CVE sits on is the difference between a calm patch cycle and a panicked one, and it is exactly the kind of triage a managed Microsoft partner does so the institution does not have to.
The Actively Exploited Exchange Zero-Day This Cycle Finally Closes
Of everything in the June window, one flaw stands apart because it is the only one attackers were already exploiting in the wild. CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access component of on-premises Microsoft Exchange Server. Microsoft first disclosed it on May 14, 2026. CISA added it to the federal Known Exploited Vulnerabilities catalog the very next day, May 15, with a remediation deadline of May 29 for federal agencies. Microsoft assigned it a CVSS base score of 8.1.
The exploitation path is deceptively simple. An attacker sends a specially crafted email to a target. If the recipient opens that email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript executes in the user's browser session. The impact Microsoft describes is spoofing, not direct server takeover. There is no public evidence of unauthenticated server-side command execution. But spoofing inside a webmail session at a bank is far from harmless. It is the kind of foothold that supports credential theft, session hijacking, and convincing internal phishing that appears to come from a trusted colleague's mailbox.
Why the Timeline Confuses People
CVE-2026-42897 was a May disclosure, not a June one. Microsoft published the advisory and shipped an automatic mitigation on May 14, and attackers were already using the flaw at that point. What happened in June is that Microsoft released the permanent fix on June 10, the day after Patch Tuesday. So when security press described "an actively exploited Exchange zero-day" alongside the June rollup, both halves were correct: the exploitation began in May, and the durable patch arrived in June. For a financial institution running on-premises Exchange, the practical takeaway is unchanged. If you have not already applied the mitigation, the June fix is the moment to close this for good.
The reassuring detail is that the immediate mitigation has been available, and for most organizations active, since the day of disclosure. Microsoft delivers it through the Exchange Emergency Mitigation Service, which has shipped enabled by default since September 2021. If that service is running, the mitigation for CVE-2026-42897 was applied automatically in mid-May. Institutions in disconnected or air-gapped environments, where the Emergency Mitigation Service cannot reach Microsoft, apply the mitigation manually with the Exchange On-premises Mitigation Tool. Either way, the June 10 security update is the permanent remediation that retires the mitigation as a stopgap.
One clarification matters for the many financial institutions that have moved their mailboxes to the cloud: Exchange Online is not affected by CVE-2026-42897. Only on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are in scope. If your institution runs a hybrid configuration with any on-premises Exchange servers remaining, those servers are in scope and need the fix. If you are fully on Exchange Online, this particular flaw is not yours to patch, which is itself a useful argument for the managed cloud migration many community financial institutions are weighing.
The Critical Remote Code Execution Flaws That Demand Action
Beyond the Exchange fix, the June rollup carried three remote code execution flaws rated 9.8 out of 10, the near-maximum on the CVSS scale. All three are reachable over a network, and the most severe requires no authentication and no user interaction at all.
The standout is CVE-2026-45657, a remote code execution flaw in the Windows Kernel. The Zero Day Initiative describes it as a bug in how the kernel handles TCP/IP that lets a remote, unauthenticated attacker execute code at SYSTEM level without any user interaction. Microsoft rated real-world exploitation of this flaw "less likely," but security researchers were quick to flag the underlying mechanism as a candidate for self-propagating, wormable exploitation, the category of vulnerability that can spread from machine to machine across a network without anyone clicking anything.
Zero Day Initiative, The June 2026 Security Update Review (June 9, 2026), on CVE-2026-45657.This CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction. [...] This was listed as "Exploitation Less Likely" by Microsoft, but rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit.
The second 9.8 flaw, CVE-2026-47291, is a remote code execution vulnerability in HTTP.sys, the Windows kernel-mode component that underpins Internet Information Services and other web-facing Windows workloads. Microsoft rated this one "more likely" to be exploited, a notch above the Kernel flaw. There is one mitigating nuance worth knowing: systems running the default MaxRequestBytes registry value are not affected, so the exposure is concentrated on servers that have been tuned away from that default. For most financial institutions the safe assumption is to patch and not rely on a registry value nobody documented.
The third 9.8 flaw, CVE-2026-44815, is a remote code execution vulnerability in the Windows DHCP Client, the component every Windows machine uses to obtain a network address. A crafted DHCP response on a local network segment can compromise a vulnerable machine. The realistic threat model is an attacker who has already gained a foothold inside the network, on guest Wi-Fi or an untrusted segment, and uses the DHCP flaw to move laterally.
Rounding out the list that a financial institution should care about is CVE-2026-45648, a remote code execution flaw in Active Directory Domain Services. It requires authentication, which lowers its urgency relative to the unauthenticated kernel flaw, but Active Directory is the identity backbone for nearly every bank, credit union, and mortgage company that has not gone fully cloud-native. A code execution flaw on a domain controller is never routine. As with any domain controller patch, the rule is to update every domain controller in the same maintenance window, because a half-patched forest is not a defensible state.
The Office and Outlook document handlers also received a cluster of remote code execution fixes this month, the type-confusion and heap-overflow flaws that get exploited through a malicious document or email. Those propagate to endpoints through the same June cumulative update and the normal Microsoft 365 Apps update channel, so they are covered by the standard fleet patching cycle rather than a separate effort.
Why June Had Two Releases: What Microsoft Patched and What You Patch
June 2026 was unusual in that Microsoft effectively shipped security fixes twice. Five days before the June 9 Patch Tuesday, on June 4, Microsoft published a batch it called the June 2026 Early Security Updates. That earlier batch fixed flaws inside Microsoft's own cloud services, and it required nothing from customers because there was nothing to install.
The two cloud-side items most relevant to financial institutions were a remote code execution flaw in Microsoft 365 Copilot (CVE-2026-45497, CVSS 7.7) and a Critical information disclosure flaw in Exchange Online (CVE-2026-48579, CVSS 9.1). Both run on Microsoft's infrastructure, and Microsoft mitigated both inside the service before disclosing them. We covered the cloud-side story in detail in our breakdown of the June 2026 Microsoft 365 Copilot remote code execution flaw, where the surprising and reassuring answer for IT teams was that there was nothing to patch.
The June 4 Early Security Updates and the June 9 Patch Tuesday illustrate a structural truth about Microsoft 365 that examiners increasingly understand: the services Microsoft hosts, including Microsoft 365 Copilot and Exchange Online, are patched by Microsoft inside the platform, while the software you run on your own machines, including on-premises Exchange Server, the Windows operating system, and Active Directory, are yours to patch. ABT manages your Microsoft 365 tenant and the Microsoft Intune deployment that pushes those endpoint patches, which is why a Guardian customer experiences one June rather than two: the cloud fixes simply happen, and the on-premises fixes are deployed and verified on the institution's behalf.
This split is more than a technical footnote. It is the line that determines where your IT team spends its time. Treating every Microsoft CVE as an internal patching emergency wastes effort on flaws Microsoft already closed in the cloud. Ignoring the split and assuming "Microsoft handles everything" leaves the genuinely customer-side flaws, the Exchange Server and Windows and Active Directory ones, unpatched and exposed. Getting the line right every month, across a 200-CVE release, is the work.
What Banks, Credit Unions, and Mortgage Companies Should Verify This Week
The customer-side action for June 2026 concentrates in two Microsoft surfaces: Microsoft Intune's Windows Update for Business policies, and Microsoft Defender's vulnerability management view. Both are part of the Microsoft 365 E3 or E5 security entitlement for organizations that license the stack, and both are managed by ABT for customers under the Guardian operating model. The seven steps below map the June cumulative update to the exact admin-center surfaces where an IT director or security lead can confirm the rollout actually happened across the fleet.
-
Confirm Update Rings are set to receive the June 2026 cumulative update.
In the Microsoft Intune admin center, go to Devices, then Windows updates, then Update rings. Confirm the active ring policies set quality update deferral to no more than seven days. A deferral of fourteen or thirty days is explicitly delaying this month's critical patches.
-
Open the Windows Update for Business compliance report.
In the Microsoft Intune admin center, go to Reports, then Windows updates. The report shows per-device installation status for each cumulative update. Filter by update name to find the 2026-06 entries and read the Up to date, In progress, Failed, and Not synced counts.
-
Identify devices in a Failed or Not synced state.
For each device not yet up to date on the June cumulative update, capture the device name, last check-in time, and status. These need direct remediation: a manual Windows Update rerun, a reboot to finish a pending install, or a deeper look at a stuck Windows Update agent.
-
Verify domain controllers received the patch.
Domain controllers are often patched through Windows Server Update Services or Microsoft Configuration Manager rather than the user-device ring. Confirm the June cumulative update, which carries the Active Directory Domain Services fix, deployed cleanly to every domain controller in every site.
-
Check on-premises Exchange Server explicitly.
If your institution runs any on-premises or hybrid Exchange servers, confirm the June 10 update for CVE-2026-42897 is installed and that the Exchange Emergency Mitigation Service shows the mitigation applied. Fully cloud Exchange Online tenants can skip this step.
-
Cross-check Microsoft Defender vulnerability management.
In the Microsoft Defender portal, go to Vulnerability management, then Weaknesses, and filter for the June critical CVEs. Every device that received the cumulative update should move from Exposed to Resolved. Anything still Exposed needs investigation.
-
Document the verification for your examination evidence file.
Capture a screenshot of the Intune compliance report and the Defender vulnerability management view showing the June CVEs resolved. These artifacts are useful for FFIEC, NCUA, OCC, and FDIC examination evidence and for cyber insurance carrier evidence packets.
That checklist takes a healthy fleet roughly two to four hours of focused work. It takes much longer when patch compliance has been allowed to drift and a portion of the fleet has stopped checking in. In ABT's experience, the common pattern at institutions that have never done structured verification is that seventy to ninety percent of devices are up to date within a week, with the rest spread across genuine patch failures, devices off the network, and corrupted Windows Update agents that need a manual reset. For a deeper look at how the underlying license entitlements support this work, see our analysis of continuous security monitoring for financial institutions and last month's walkthrough of the May 2026 Patch Tuesday Netlogon and DNS Client flaws.
How ABT's Guardian Operating Model Runs the June Cycle for You
Financial institutions under ABT's Guardian operating model do not run the seven-step checklist by hand each month. ABT's managed security operations team configures the Microsoft Intune ring policies, monitors deployment across the fleet, cross-checks Microsoft Defender vulnerability management, and reports the result, the same managed cycle ABT runs every month across more than 750 financial institutions. A 200-CVE month and a 50-CVE month look the same from the institution's chair: a short operations report confirming the fleet is covered.
Guardian covers the June 2026 cycle in five concrete ways. First, the Microsoft Intune ring policies for Guardian customers are pre-configured to take Critical and Important security updates with a quality update deferral of seven days or less, so the June cumulative update reaches the fleet on Microsoft's intended schedule rather than a delayed one. Second, ABT's security operations team watches the Microsoft Defender vulnerability management view continuously, with alerts on any device that fails to remediate a June critical flaw inside the policy window. Third, ABT's managed Microsoft Sentinel deployment carries detection rules for the behaviors that would signal exploitation of the Exchange, kernel, or Active Directory flaws on a machine that has not yet been patched, which is the detection-and-response layer that matters most in the gap between disclosure and full deployment.
Fourth, the Microsoft Entra ID Conditional Access policies for Guardian customers block corporate resource access from devices that fall below the Intune compliance baseline, so an unpatched device cannot reach Microsoft 365 services once the policy window closes. Fifth, ABT files the June evidence packet into the institution's compliance binder as part of the monthly Guardian operations report, with the specific Intune compliance percentages and Defender remediation status captured for examination evidence. That combination, managed deployment plus continuous monitoring plus filed evidence, is the difference between hoping the fleet is patched and knowing it is.
The IT director reviews the June 9 release the morning of June 10. They sort 200-plus CVEs to find the ones that matter, confirm Intune ring policies, run the compliance report, find eight percent of the fleet still Failed or Not synced, open remediation tickets, separately verify on-premises Exchange and the domain controllers, cross-check Microsoft Defender, and document the evidence. Total effort: twelve to twenty hours across the IT team, more in a record-breaking month like this one with an actively exploited Exchange flaw and three CVSS 9.8 critical flaws to track.
ABT's managed security operations team runs the cycle. The IT director receives the June Guardian operations report showing fleet compliance, the small percentage of devices with remediation in flight, the Microsoft Defender confirmation that the June critical CVEs are resolved, and the on-premises Exchange fix verified. Total effort for the institution: a fifteen-minute review of the report. The compliance evidence is filed automatically for FFIEC, NCUA, OCC, or insurance carrier review.
Turn the record-breaking June patch month into a fifteen-minute review
An actively exploited Exchange flaw, three CVSS 9.8 critical remote code execution flaws, and more than 200 CVEs in one cycle is more than a lean IT team should triage alone. ABT's free thirty-minute security assessment shows you exactly how the June cumulative update has propagated across your Microsoft Intune fleet, which devices Microsoft Defender still shows as exposed, and where your on-premises Exchange and Active Directory stand, with a clear remediation plan you can hand to your team Monday morning.
Frequently Asked Questions
The questions below come up most often from credit union CIOs, community bank IT directors, and mortgage company CTOs during the Patch Tuesday review week. The answers reflect Microsoft canonical guidance and ABT's standard operating practice for the Guardian operating model.
Microsoft fixed more than 200 vulnerabilities in the June 2026 Patch Tuesday released on June 9, making it the largest single monthly security release in the company's history. Counts range from 206 to 208 depending on whether two non-Microsoft component CVEs, an ARM processor flaw and a UEFI Secure Boot flaw, are included in the total. More than thirty of the flaws are rated Critical, and the majority of the Critical issues are remote code execution. Three vulnerabilities were publicly disclosed before patches were available, but Microsoft stated it was not aware of in-the-wild exploitation of any of the new June flaws at the time of release.
Both, in a sense. Microsoft first disclosed CVE-2026-42897 on May 14, 2026, and it was already being exploited in the wild at that point, which is why CISA added it to the Known Exploited Vulnerabilities catalog on May 15. Microsoft shipped an automatic mitigation through the Exchange Emergency Mitigation Service on disclosure. The permanent fix arrived on June 10, the day after June Patch Tuesday. So when security press described an actively exploited Exchange zero-day alongside the June rollup, both halves were accurate: exploitation began in May, and the durable patch arrived in June. The flaw affects on-premises Exchange Server 2016, 2019, and Subscription Edition. Exchange Online is not affected.
No. CVE-2026-42897 affects on-premises Exchange Server only, specifically Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Exchange Online, the cloud mailbox service Microsoft hosts, is not affected. If your institution runs a hybrid configuration with any on-premises Exchange servers still in place, those servers are in scope and need the June 10 fix and the interim mitigation. If you are fully on Exchange Online, this flaw is not yours to patch. The separate June 4 Exchange Online information disclosure flaw, CVE-2026-48579, was fixed by Microsoft inside the cloud service and also requires no action from you.
Prioritize in this order. First, any on-premises Exchange Server, because CVE-2026-42897 is the one flaw attackers were already exploiting. Second, the three CVSS 9.8 remote code execution flaws that reach the broad Windows fleet: the Windows Kernel flaw CVE-2026-45657, the HTTP.sys flaw CVE-2026-47291, and the DHCP Client flaw CVE-2026-44815. Third, domain controllers for the Active Directory Domain Services flaw CVE-2026-45648, patched in a single maintenance window across the forest. The cloud-side Copilot and Exchange Online flaws need no action because Microsoft fixed them inside its service on June 4. In practice, deploying the single June cumulative update through Microsoft Intune covers the Windows and Active Directory items at once, which is why fleet-wide deployment and verification, not per-CVE patching, is the right operating model.
The recommended posture is to deploy within seven days of release rather than the older fourteen or thirty day window. The presence of an actively exploited Exchange flaw and three CVSS 9.8 critical remote code execution flaws makes a slow wait-and-watch approach more expensive than the small risk of a patch-induced operational issue. Set the quality update deferral in Microsoft Intune's Windows Update for Business policy to seven days or less, deploy domain controllers and on-premises Exchange in their own controlled maintenance windows, and verify coverage in the Intune compliance report and Microsoft Defender vulnerability management within the week.
For institutions under ABT's Guardian operating model, the June 2026 cycle requires no direct customer action. ABT's managed security operations team configures the Microsoft Intune ring policies, monitors deployment across the fleet, verifies remediation in Microsoft Defender vulnerability management, confirms the on-premises Exchange fix where applicable, and delivers the monthly Guardian operations report with the June compliance evidence. The IT director receives the report and uses it as audit evidence for the June patching cycle. Customers who want a deeper walkthrough of the June evidence packet can request one from their ABT account manager.
