On 9 June 2026, Microsoft shipped the single largest Patch Tuesday in the programme’s 23-year history: 206 documented vulnerabilities resolved in one release, of which 37 are rated critical, three are publicly disclosed zero-days, and two carry the near-maximum severity score of CVSS 9.8 — both of them unauthenticated remote code execution flaws that need no user interaction to fire. The Zero Day Initiative called it Microsoft’s biggest monthly release ever. For the UK small and medium-sized business (SME) still nursing an unpatched Windows estate as of today, 1 July 2026, this is no longer an abstract advisory. It is a live compliance and exposure problem.
The reason is simple. Cyber Essentials v3.3 — the ‘Danzell’ question set that took effect in April 2026 — hard-codes a 14-day patch window for critical and high-severity fixes. Count forward from 9 June and that window closed on 23 June 2026. Any organisation seeking or holding certification that had not deployed these patches by that date is already outside the mandated window, and structurally exposed to a wave of exploitation that historically begins the very next day — what the industry grimly nicknames ‘Exploit Wednesday’. This article breaks down what shipped, which CVEs to prioritise, and the 10-step IT admin action plan every UK SME should be running right now.
What Microsoft actually shipped on 9 June 2026
The June 2026 cumulative update addresses 206 vulnerabilities across the Microsoft ecosystem. Windows itself accounted for roughly 120 patches, with Microsoft Office contributing a further 54, and the remainder spread across Azure components, Edge, SharePoint, .NET, Visual Studio and Microsoft Dynamics. By vulnerability class, the release resolved 54 remote code execution (RCE) flaws and 65 elevation-of-privilege (EoP) flaws — the two categories that matter most to an attacker trying to land on a network and then move laterally toward domain administrator.
The headline entries are the two CVSS 9.8 remote code execution vulnerabilities. CVE-2026-45657 is a Windows Kernel RCE reachable over TCP/IP with no authentication and no user interaction, giving an attacker SYSTEM-level control of a machine that merely has a listening service exposed. CVE-2026-47291 is an integer-overflow RCE in HTTP.sys, the kernel-mode HTTP request handler that underpins IIS and many Windows web services. The good news on the latter is that exposure requires a non-default configuration — specifically a MaxRequestBytes registry value set above 65534 — but any SME running line-of-business web applications on Windows Server should confirm that setting before assuming it is safe.
Sitting alongside them is CVE-2026-44815, a stack buffer overflow in the Windows DHCP Client, also rated CVSS 9.8. This one deserves particular attention on SME networks: a rogue or compromised DHCP server on the local segment can trigger unauthenticated remote code execution on any Windows client that requests an address. On a flat office network with no VLAN segmentation — the reality for a great many UK SMEs — a single malicious device is enough to reach every workstation. Rounding out the priority set are seven critical Remote Desktop Client RCEs (CVSS 7.5–8.8), the Active Directory Domain Services flaw CVE-2026-45648 (CVSS 8.8, exploitable by any authenticated domain user via the NSPI RPC interface), the publicly disclosed CTFMON elevation-of-privilege bug CVE-2026-45586 (CVSS 7.8, grants SYSTEM), and the BitLocker Security Feature Bypass CVE-2026-50507 (CVSS 6.8) for which proof-of-concept code is already public.
Three of these vulnerabilities were publicly disclosed before the patch shipped, and at least one — the BitLocker bypass — has working proof-of-concept code in circulation. Historically, mass scanning and exploitation of the most severe Patch Tuesday flaws begins within 24–72 hours of release. The unauthenticated, no-interaction nature of CVE-2026-45657 and CVE-2026-44815 means an attacker does not need to phish a single employee to get in. If your Windows estate was not fully patched by 23 June 2026, you are simultaneously outside the Cyber Essentials v3.3 window and inside the exploitation window. Both clocks are already running.
Timeline: how this release unfolded
Breaking down the 206: where the vulnerabilities landed
Not every one of the 206 vulnerabilities carries equal weight, and a disciplined IT admin triages by class and by exposed surface rather than by raw count. The chart below shows the approximate distribution across the major Microsoft product families in the June release, which helps focus deployment effort where the largest concentration of fixes — and therefore the largest concentration of risk — actually sits.
Read this way, the priority order becomes obvious. The 120 Windows patches contain the three CVSS 9.8 flaws and the domain controller RCE, so servers and the core operating system come first. The 65 elevation-of-privilege bugs are the fuel for lateral movement once an attacker has a foothold, and the 54 RCE flaws are the initial-access vectors. A well-run patch cycle sequences deployment so that internet-facing and domain-critical systems are remediated before general workstations.
The compliance gap: how few UK SMEs are actually certified
The uncomfortable context for this release is how thin the UK’s baseline cyber hygiene remains. According to the DSIT Cyber Security Breaches Survey published on 30 April 2026, only around 5% of UK businesses hold Cyber Essentials certification — up from 3% the year before, but still a small minority. That growth is concentrated at the top end: roughly 35% of large businesses are certified, compared with about 12% of small businesses. The overwhelming majority of the UK’s 5.5 million-plus small firms have no formal, audited patch-management discipline at all.
The significance is that certification is not a badge for its own sake — it is a proxy for whether an organisation has the operational muscle to apply 206 patches inside a fortnight. A business already running a scheduled, documented patch cycle absorbed the June release as routine work. A business without one is discovering, three weeks later, that it has no reliable way to even confirm which of its machines are still vulnerable. That gap between the 5% and everyone else is exactly where the Five Eyes AI cyber warning and this record Patch Tuesday intersect.
Where most SMEs fail on patching — a self-assessment
Before committing to any plan, it helps to score your own estate honestly against the failure modes IASME assessors and incident responders see most often. Each row below reflects a common weakness; a ‘High’ badge means it is both widespread and high-impact, and should be closed first.
If three or more rows describe your organisation — and for most SMEs without dedicated IT they will — the June release is not a one-off scramble but a symptom. The underlying issue is the absence of a proactive, scheduled administration routine, which is precisely what turns a 206-CVE month from an emergency into a Tuesday.
What proactive patch management costs — by business size
UK SME leaders reasonably want to know what a properly managed patch and administration regime costs relative to the exposure it removes. The bands below are indicative monthly figures for a proactive IT administration engagement, benchmarked against Cloudswitched’s IT Admin service model. They are illustrative starting points, not quotes — every estate is scoped individually.
| Business size | Typical Windows estate | Indicative managed admin cost | What’s covered |
|---|---|---|---|
| Micro (1–9 staff) | Up to 12 endpoints, no server or single NAS | From £150–£350 / month | Monthly patch cycle, inventory, verification reporting |
| Small (10–49 staff) | 10–60 endpoints, 1–2 servers | From £400–£900 / month | Fortnightly visits, server-first sequencing, CE alignment |
| Medium (50–99 staff) | 60–120 endpoints, 2–4 servers, AD domain | From £1,000–£2,000 / month | Weekly admin, domain-controller priority, documentation |
| Larger SME (100–200 staff) | 120–300 endpoints, multi-server, multi-site | Scoped — POA | Dedicated administrator, change control, quarterly review |
Set against the alternative — the DSIT survey’s finding that 43% of businesses were breached last year, and the direct costs of incident response, downtime and lost data — proactive administration is consistently the cheaper path. It converts unpredictable emergency spend into a fixed, budgetable line, which is exactly the calculation a £2.5bn incident like the JLR cyberattack makes vivid for boards.
Reactive versus proactive: two ways to meet a 206-CVE month
Reactive posture
What most SMEs do today
- Notices the news headline days or weeks after release
- Has no inventory, so cannot say which machines are exposed
- Patches ad hoc, workstation by workstation, when someone has time
- Servers and domain controllers left until last — the reverse of best practice
- No verification that fixes actually installed
- Misses the 14-day Cyber Essentials window without realising it
- Discovers gaps only during an audit or, worse, a breach
Proactive posture
Where Cloudswitched IT Admin takes you
- Scheduled cycle catches Patch Tuesday the week it lands
- Maintained inventory means instant exposure assessment
- Risk-ordered deployment: internet-facing and domain-critical first
- Servers and domain controllers prioritised, then workstations
- Post-patch verification and reporting on every device
- 14-day window met and documented for CE assessors
- Gaps surfaced and closed before they become incidents
The 10-step IT admin action plan every UK SME should run
Whether you run this in-house or hand it to a managed IT administrator, the sequence below is the disciplined way to close out a record Patch Tuesday and stay closed for the next one. The progress bars indicate roughly how far through the cycle each step sits and the cadence it belongs to.
Steps 1 through 9 close out June specifically. Step 10 is the one that matters most over time: a recurring, scheduled administration routine means the July, August and September releases — and the next record-breaker after that — are handled as routine maintenance rather than fire-fighting. This is the core of proactive IT administration as opposed to reactive break-fix support.
The gauge above is an informed estimate, not a survey figure — but it aligns with the reality that only around 12% of small businesses hold Cyber Essentials, and that a slightly larger group patches diligently without formal certification. The point stands: the great majority of UK SMEs did not clear this release inside the mandated window, which is why proactive administration is now a competitive as well as a compliance issue.
The instinct after a record Patch Tuesday is to push every update everywhere at once. Resist it. Deploy to a small pilot ring first (a handful of representative machines), confirm your line-of-business applications still work, then expand in waves — internet-facing and domain-critical systems first, general workstations last. Always take a verified backup before mass deployment so you have a clean rollback path. Done properly, all 206 fixes can be safely deployed well inside the 14-day window without breaking a single application.
At a glance: the June 2026 Patch Tuesday essentials
| Fact | Detail |
|---|---|
| Release date | 9 June 2026 (second Tuesday) |
| Total vulnerabilities | 206 — largest in the programme’s 23-year history |
| Critical-rated | 37 |
| Publicly disclosed zero-days | 3 |
| Remote code execution flaws | 54 total (7 in Remote Desktop Client) |
| Elevation-of-privilege flaws | 65 |
| Top-severity CVEs (CVSS 9.8) | CVE-2026-44815 (DHCP Client), CVE-2026-45657 (Kernel), CVE-2026-47291 (HTTP.sys) |
| Active Directory RCE | CVE-2026-45648 (CVSS 8.8, any authenticated domain user) |
| BitLocker bypass | CVE-2026-50507 (CVSS 6.8, PoC public, physical access) |
| CTFMON EoP | CVE-2026-45586 (CVSS 7.8, publicly disclosed, SYSTEM) |
| Key KB updates | KB5094126 (Windows 11 24H2), KB5094127 (Windows 10) |
| Products patched | Windows ~120, Office 54, plus Azure, Edge, SharePoint, .NET |
| Compliance deadline | 23 June 2026 — 14-day window under Cyber Essentials v3.3 |
| UK breach rate (DSIT, Apr 2026) | 43% of businesses (~612,000), 5.19m cyber crimes |
| UK CE certification rate | ~5% overall (35% large, 12% small) |
Related reading from Cloudswitched
This release does not sit in isolation. If you are hardening your estate against June’s threat landscape, these recent Cloudswitched briefings connect directly to the patching and administration story: our analysis of the Cisco Unified CM CVE-2026-20230 VoIP exploit shows the same patch-window discipline applied to telephony infrastructure; the £2.5bn JLR cyberattack resilience plan makes the board-level cost case for proactive IT leadership; the Scattered Spider TfL conviction underscores why technical patching must pair with social-engineering defence; the Five Eyes AI cyber warning and its Cyber Essentials action plan set the certification context for this article; and the Veeam 3-2-1-1-0 data resilience guide covers the verified-backup step that must precede any mass patch deployment. For the wider cloud-strategy backdrop, see our piece on the EU DMA gatekeeper designation for AWS and Azure.
Patch discipline shouldn’t depend on who’s free that week
Cloudswitched IT Admin puts a dedicated, scheduled administrator on your infrastructure — maintaining your inventory, sequencing patches server-first, verifying every install and documenting it all for Cyber Essentials. A 206-CVE month becomes routine, not a crisis.
Talk to us about IT Admin ServicesFrequently asked questions
Make the next record Patch Tuesday a non-event
206 CVEs was a stress test of patch discipline, and most UK SMEs did not pass it. Cloudswitched IT Admin gives you a dedicated administrator, a scheduled cycle and documented, Cyber Essentials-ready evidence — so exposure is closed inside the window, every month, without the scramble.
Talk to us about IT Admin Services


