UMVA has learned that Microsoft has unleashed a massive security update, tackling a staggering 206 vulnerabilities on Patch Tuesday for June, shattering previous records and sending a clear message that cybersecurity is top priority.
The behemoth update impacts a wide range of Microsoft products, from Windows and Office to Exchange Server and cloud services. A particularly concerning aspect of this update is that one vulnerability is already being exploited in the wild, highlighting the urgent need for users to apply these patches.
According to information obtained by UMVA, 38 vulnerabilities have been classified as critical, while the remainder are designated as high-risk. This significant release is a clear indication that Microsoft is taking a proactive stance against potential threats.
A whopping 118 vulnerabilities have been addressed across various Windows versions, including Windows 10, 11, and Server. One of the vulnerabilities being actively exploited is an Elevation of Privilege (EoP) vulnerability in Microsoft Defender, which could allow an attacker to gain system privileges.
Microsoft has swiftly replaced the vulnerable Malware Protection Engine via automatic Defender updates, with the patched engine boasting a version number of at least 1.1.26040.8. Users can verify their engine version by navigating to Settings and then About in Windows 11 or Update & Security in Windows 10.
The update also tackles 10 security vulnerabilities in the Security Feature Bypass (SFB) category, which could enable malicious code to be loaded during system startup. Furthermore, 19 Remote Code Execution (RCE) vulnerabilities classified as critical have been addressed in Windows, including CVE-2026-47288 and CVE-2026-47291.
Microsoft Office users are also affected, with 54 vulnerabilities fixed, including 25 RCE vulnerabilities, nine of which are classified as critical. These vulnerabilities could allow attackers to execute malicious code without user interaction.
Additionally, Microsoft has addressed vulnerabilities in Microsoft Hyper-V, Exchange Server, and Edge. The update includes patches for critical RCE vulnerabilities that could enable malicious code to escape from a guest system and execute code on the host system.
The next Patch Tuesday is scheduled for July 14th, 2026, and users are urged to apply these patches as soon as possible to ensure their systems remain secure and protected.