Back to News

Microsoft’s Biggest-Ever Patch Tuesday — 206 CVEs, 9 June 2026: The 10-Step IT Admin Action Plan Every UK SME Must Run Before Exploit Wednesday Hits

Microsoft’s Biggest-Ever Patch Tuesday — 206 CVEs, 9 June 2026: The 10-Step IT Admin Action Plan Every UK SME Must Run Before Exploit Wednesday Hits

On 9 June 2026, Microsoft shipped the single largest Patch Tuesday in the programme’s 23-year history: 206 documented vulnerabilities resolved in one release, of which 37 are rated critical, three are publicly disclosed zero-days, and two carry the near-maximum severity score of CVSS 9.8 — both of them unauthenticated remote code execution flaws that need no user interaction to fire. The Zero Day Initiative called it Microsoft’s biggest monthly release ever. For the UK small and medium-sized business (SME) still nursing an unpatched Windows estate as of today, 1 July 2026, this is no longer an abstract advisory. It is a live compliance and exposure problem.

The reason is simple. Cyber Essentials v3.3 — the ‘Danzell’ question set that took effect in April 2026 — hard-codes a 14-day patch window for critical and high-severity fixes. Count forward from 9 June and that window closed on 23 June 2026. Any organisation seeking or holding certification that had not deployed these patches by that date is already outside the mandated window, and structurally exposed to a wave of exploitation that historically begins the very next day — what the industry grimly nicknames ‘Exploit Wednesday’. This article breaks down what shipped, which CVEs to prioritise, and the 10-step IT admin action plan every UK SME should be running right now.

206
CVEs patched (record)
37
Critical vulnerabilities
9.8
Top CVSS score (×2)
14
Days to patch (CE v3.3)

What Microsoft actually shipped on 9 June 2026

The June 2026 cumulative update addresses 206 vulnerabilities across the Microsoft ecosystem. Windows itself accounted for roughly 120 patches, with Microsoft Office contributing a further 54, and the remainder spread across Azure components, Edge, SharePoint, .NET, Visual Studio and Microsoft Dynamics. By vulnerability class, the release resolved 54 remote code execution (RCE) flaws and 65 elevation-of-privilege (EoP) flaws — the two categories that matter most to an attacker trying to land on a network and then move laterally toward domain administrator.

The headline entries are the two CVSS 9.8 remote code execution vulnerabilities. CVE-2026-45657 is a Windows Kernel RCE reachable over TCP/IP with no authentication and no user interaction, giving an attacker SYSTEM-level control of a machine that merely has a listening service exposed. CVE-2026-47291 is an integer-overflow RCE in HTTP.sys, the kernel-mode HTTP request handler that underpins IIS and many Windows web services. The good news on the latter is that exposure requires a non-default configuration — specifically a MaxRequestBytes registry value set above 65534 — but any SME running line-of-business web applications on Windows Server should confirm that setting before assuming it is safe.

Sitting alongside them is CVE-2026-44815, a stack buffer overflow in the Windows DHCP Client, also rated CVSS 9.8. This one deserves particular attention on SME networks: a rogue or compromised DHCP server on the local segment can trigger unauthenticated remote code execution on any Windows client that requests an address. On a flat office network with no VLAN segmentation — the reality for a great many UK SMEs — a single malicious device is enough to reach every workstation. Rounding out the priority set are seven critical Remote Desktop Client RCEs (CVSS 7.5–8.8), the Active Directory Domain Services flaw CVE-2026-45648 (CVSS 8.8, exploitable by any authenticated domain user via the NSPI RPC interface), the publicly disclosed CTFMON elevation-of-privilege bug CVE-2026-45586 (CVSS 7.8, grants SYSTEM), and the BitLocker Security Feature Bypass CVE-2026-50507 (CVSS 6.8) for which proof-of-concept code is already public.

Why this matters this week, not next quarter

Three of these vulnerabilities were publicly disclosed before the patch shipped, and at least one — the BitLocker bypass — has working proof-of-concept code in circulation. Historically, mass scanning and exploitation of the most severe Patch Tuesday flaws begins within 24–72 hours of release. The unauthenticated, no-interaction nature of CVE-2026-45657 and CVE-2026-44815 means an attacker does not need to phish a single employee to get in. If your Windows estate was not fully patched by 23 June 2026, you are simultaneously outside the Cyber Essentials v3.3 window and inside the exploitation window. Both clocks are already running.

Timeline: how this release unfolded

April 2026 — Cyber Essentials v3.3 ‘Danzell’ takes effect
IASME’s updated question set tightens the patching control, requiring critical and high-severity fixes to be applied within 14 days of vendor release. This becomes the yardstick against which June’s patch discipline is measured.
30 April 2026 — DSIT Cyber Security Breaches Survey published
The Department for Science, Innovation and Technology reports that 43% of UK businesses — around 612,000 organisations — suffered a breach or attack in the prior 12 months, amounting to an estimated 5.19 million cyber crimes. The backdrop for June’s release is a threat environment already at a high-water mark.
9 June 2026 — Patch Tuesday ships 206 CVEs
Microsoft releases the largest single security update in the programme’s history. KB5094126 lands for Windows 11 24H2 and KB5094127 for Windows 10, alongside cumulative updates for supported Server builds. The Zero Day Initiative confirms it as a record.
10 June 2026 — ‘Exploit Wednesday’
The day after every Patch Tuesday, threat actors reverse-engineer the fixes to build working exploits for organisations that have not yet patched. With three zero-days and two CVSS 9.8 unauthenticated RCEs in scope, the attack surface for laggards is unusually wide.
Mid-June 2026 — Security researchers publish analysis
CrowdStrike, the Zero Day Initiative and UK-focused analysts break down the priority CVEs, flagging the DHCP Client, Windows Kernel and HTTP.sys flaws as the ones to deploy first, and confirming public proof-of-concept for the BitLocker bypass.
23 June 2026 — Cyber Essentials 14-day window closes
Fourteen days after release, the compliance deadline under CE v3.3 passes. Any certified or certifying business that has not deployed the critical fixes is now non-compliant on the patching control — a gap an IASME assessor will look for.
1 July 2026 — Today
Three weeks on, unpatched estates remain a real presence across the UK SME landscape. With the Cyber Security and Resilience Bill progressing through Parliament, the regulatory direction of travel is firmly toward stricter, more auditable patch discipline — not less.

Breaking down the 206: where the vulnerabilities landed

Not every one of the 206 vulnerabilities carries equal weight, and a disciplined IT admin triages by class and by exposed surface rather than by raw count. The chart below shows the approximate distribution across the major Microsoft product families in the June release, which helps focus deployment effort where the largest concentration of fixes — and therefore the largest concentration of risk — actually sits.

Windows OS & kernel
120
Microsoft Office
54
Elevation of privilege (all)
65
Remote code execution (all)
54
Critical-rated overall
37
Remote Desktop Client RCE
7
Publicly disclosed zero-days
3

Read this way, the priority order becomes obvious. The 120 Windows patches contain the three CVSS 9.8 flaws and the domain controller RCE, so servers and the core operating system come first. The 65 elevation-of-privilege bugs are the fuel for lateral movement once an attacker has a foothold, and the 54 RCE flaws are the initial-access vectors. A well-run patch cycle sequences deployment so that internet-facing and domain-critical systems are remediated before general workstations.

The compliance gap: how few UK SMEs are actually certified

The uncomfortable context for this release is how thin the UK’s baseline cyber hygiene remains. According to the DSIT Cyber Security Breaches Survey published on 30 April 2026, only around 5% of UK businesses hold Cyber Essentials certification — up from 3% the year before, but still a small minority. That growth is concentrated at the top end: roughly 35% of large businesses are certified, compared with about 12% of small businesses. The overwhelming majority of the UK’s 5.5 million-plus small firms have no formal, audited patch-management discipline at all.

5%
Share of UK businesses holding Cyber Essentials certification (DSIT, April 2026)

The significance is that certification is not a badge for its own sake — it is a proxy for whether an organisation has the operational muscle to apply 206 patches inside a fortnight. A business already running a scheduled, documented patch cycle absorbed the June release as routine work. A business without one is discovering, three weeks later, that it has no reliable way to even confirm which of its machines are still vulnerable. That gap between the 5% and everyone else is exactly where the Five Eyes AI cyber warning and this record Patch Tuesday intersect.

Where most SMEs fail on patching — a self-assessment

Before committing to any plan, it helps to score your own estate honestly against the failure modes IASME assessors and incident responders see most often. Each row below reflects a common weakness; a ‘High’ badge means it is both widespread and high-impact, and should be closed first.

Common UK SME patch-management weaknesses
No central inventory of Windows devices and versionsHigh
Servers patched on a slower cycle than workstationsHigh
Unsupported or end-of-life systems still in productionHigh
Flat network with no VLAN segmentation (DHCP exposure)High
No documented 14-day patch SLA aligned to Cyber EssentialsMid
Patches applied but never verified as installedMid
Line-of-business apps blocking OS updatesMid
No rollback plan or tested backup before mass deploymentLow

If three or more rows describe your organisation — and for most SMEs without dedicated IT they will — the June release is not a one-off scramble but a symptom. The underlying issue is the absence of a proactive, scheduled administration routine, which is precisely what turns a 206-CVE month from an emergency into a Tuesday.

What proactive patch management costs — by business size

UK SME leaders reasonably want to know what a properly managed patch and administration regime costs relative to the exposure it removes. The bands below are indicative monthly figures for a proactive IT administration engagement, benchmarked against Cloudswitched’s IT Admin service model. They are illustrative starting points, not quotes — every estate is scoped individually.

Business sizeTypical Windows estateIndicative managed admin costWhat’s covered
Micro (1–9 staff)Up to 12 endpoints, no server or single NASFrom £150–£350 / monthMonthly patch cycle, inventory, verification reporting
Small (10–49 staff)10–60 endpoints, 1–2 serversFrom £400–£900 / monthFortnightly visits, server-first sequencing, CE alignment
Medium (50–99 staff)60–120 endpoints, 2–4 servers, AD domainFrom £1,000–£2,000 / monthWeekly admin, domain-controller priority, documentation
Larger SME (100–200 staff)120–300 endpoints, multi-server, multi-siteScoped — POADedicated administrator, change control, quarterly review

Set against the alternative — the DSIT survey’s finding that 43% of businesses were breached last year, and the direct costs of incident response, downtime and lost data — proactive administration is consistently the cheaper path. It converts unpredictable emergency spend into a fixed, budgetable line, which is exactly the calculation a £2.5bn incident like the JLR cyberattack makes vivid for boards.

Reactive versus proactive: two ways to meet a 206-CVE month

Reactive posture

What most SMEs do today

  • Notices the news headline days or weeks after release
  • Has no inventory, so cannot say which machines are exposed
  • Patches ad hoc, workstation by workstation, when someone has time
  • Servers and domain controllers left until last — the reverse of best practice
  • No verification that fixes actually installed
  • Misses the 14-day Cyber Essentials window without realising it
  • Discovers gaps only during an audit or, worse, a breach

Proactive posture

Where Cloudswitched IT Admin takes you

  • Scheduled cycle catches Patch Tuesday the week it lands
  • Maintained inventory means instant exposure assessment
  • Risk-ordered deployment: internet-facing and domain-critical first
  • Servers and domain controllers prioritised, then workstations
  • Post-patch verification and reporting on every device
  • 14-day window met and documented for CE assessors
  • Gaps surfaced and closed before they become incidents

The 10-step IT admin action plan every UK SME should run

Whether you run this in-house or hand it to a managed IT administrator, the sequence below is the disciplined way to close out a record Patch Tuesday and stay closed for the next one. The progress bars indicate roughly how far through the cycle each step sits and the cadence it belongs to.

Step 1 — Build a live estate inventory
Day 0
Step 2 — Identify exposure to the priority CVEs
Day 0–1
Step 3 — Take verified backups before deploying
Day 1
Step 4 — Patch internet-facing systems first
Day 1–2
Step 5 — Patch domain controllers & servers (CVE-2026-45648)
Day 2–4
Step 6 — Roll out KB5094126 / KB5094127 to workstations
Day 4–10
Step 7 — Segment the network to contain DHCP exposure
Day 5–12
Step 8 — Verify every patch installed & reboot completed
Day 10–14
Step 9 — Document for Cyber Essentials evidence
Day 14
Step 10 — Institute a recurring scheduled patch cycle
Ongoing

Steps 1 through 9 close out June specifically. Step 10 is the one that matters most over time: a recurring, scheduled administration routine means the July, August and September releases — and the next record-breaker after that — are handled as routine maintenance rather than fire-fighting. This is the core of proactive IT administration as opposed to reactive break-fix support.

18%
Estimated share of UK SMEs meeting the 14-day patch window on this release

The gauge above is an informed estimate, not a survey figure — but it aligns with the reality that only around 12% of small businesses hold Cyber Essentials, and that a slightly larger group patches diligently without formal certification. The point stands: the great majority of UK SMEs did not clear this release inside the mandated window, which is why proactive administration is now a competitive as well as a compliance issue.

Practical tip: sequence, don’t stampede

The instinct after a record Patch Tuesday is to push every update everywhere at once. Resist it. Deploy to a small pilot ring first (a handful of representative machines), confirm your line-of-business applications still work, then expand in waves — internet-facing and domain-critical systems first, general workstations last. Always take a verified backup before mass deployment so you have a clean rollback path. Done properly, all 206 fixes can be safely deployed well inside the 14-day window without breaking a single application.

At a glance: the June 2026 Patch Tuesday essentials

FactDetail
Release date9 June 2026 (second Tuesday)
Total vulnerabilities206 — largest in the programme’s 23-year history
Critical-rated37
Publicly disclosed zero-days3
Remote code execution flaws54 total (7 in Remote Desktop Client)
Elevation-of-privilege flaws65
Top-severity CVEs (CVSS 9.8)CVE-2026-44815 (DHCP Client), CVE-2026-45657 (Kernel), CVE-2026-47291 (HTTP.sys)
Active Directory RCECVE-2026-45648 (CVSS 8.8, any authenticated domain user)
BitLocker bypassCVE-2026-50507 (CVSS 6.8, PoC public, physical access)
CTFMON EoPCVE-2026-45586 (CVSS 7.8, publicly disclosed, SYSTEM)
Key KB updatesKB5094126 (Windows 11 24H2), KB5094127 (Windows 10)
Products patchedWindows ~120, Office 54, plus Azure, Edge, SharePoint, .NET
Compliance deadline23 June 2026 — 14-day window under Cyber Essentials v3.3
UK breach rate (DSIT, Apr 2026)43% of businesses (~612,000), 5.19m cyber crimes
UK CE certification rate~5% overall (35% large, 12% small)

Related reading from Cloudswitched

This release does not sit in isolation. If you are hardening your estate against June’s threat landscape, these recent Cloudswitched briefings connect directly to the patching and administration story: our analysis of the Cisco Unified CM CVE-2026-20230 VoIP exploit shows the same patch-window discipline applied to telephony infrastructure; the £2.5bn JLR cyberattack resilience plan makes the board-level cost case for proactive IT leadership; the Scattered Spider TfL conviction underscores why technical patching must pair with social-engineering defence; the Five Eyes AI cyber warning and its Cyber Essentials action plan set the certification context for this article; and the Veeam 3-2-1-1-0 data resilience guide covers the verified-backup step that must precede any mass patch deployment. For the wider cloud-strategy backdrop, see our piece on the EU DMA gatekeeper designation for AWS and Azure.

Patch discipline shouldn’t depend on who’s free that week

Cloudswitched IT Admin puts a dedicated, scheduled administrator on your infrastructure — maintaining your inventory, sequencing patches server-first, verifying every install and documenting it all for Cyber Essentials. A 206-CVE month becomes routine, not a crisis.

Talk to us about IT Admin Services

Frequently asked questions

Is the June 2026 Patch Tuesday really the biggest ever?
Yes. At 206 documented vulnerabilities resolved in a single release, it is the largest monthly security update Microsoft has shipped in the 23-year history of the Patch Tuesday programme. The Zero Day Initiative, which tracks these releases closely, confirmed it as a record. For comparison, a typical Patch Tuesday resolves between 60 and 120 CVEs, so June 2026 is roughly double a heavy month — and it arrived with three publicly disclosed zero-days and two unauthenticated CVSS 9.8 remote code execution flaws, which makes the volume genuinely consequential rather than just a large number.
Which CVEs should a UK SME patch first?
Prioritise the three CVSS 9.8 flaws: CVE-2026-45657 (Windows Kernel RCE, unauthenticated, no user interaction), CVE-2026-44815 (DHCP Client RCE, triggered by a rogue DHCP server on the local network) and CVE-2026-47291 (HTTP.sys RCE, relevant if MaxRequestBytes is set above 65534). Immediately after those, patch CVE-2026-45648 on your domain controllers, since any authenticated domain user can exploit it via the NSPI RPC interface. Then address the seven Remote Desktop Client RCEs and the publicly disclosed CTFMON elevation-of-privilege bug. Internet-facing and domain-critical systems always come before general workstations.
What is the Cyber Essentials v3.3 14-day patch rule?
Cyber Essentials v3.3 — the ‘Danzell’ question set that took effect in April 2026 — requires that all critical and high-severity security updates be applied within 14 days of the vendor releasing them. For the 9 June 2026 release, that meant the fixes had to be deployed by 23 June 2026. Any business seeking or holding certification that missed that window is non-compliant on the patching control, which is one of the five core technical controls an IASME assessor examines. In practice this means the 14-day clock is a hard operational SLA, not a guideline.
What is ‘Exploit Wednesday’ and should I worry about it?
Exploit Wednesday is the informal name for the day after Patch Tuesday, when attackers reverse-engineer Microsoft’s fixes to build working exploits aimed at organisations that have not yet patched. Historically, mass scanning for the most severe flaws begins within 24 to 72 hours of release. With June’s combination of unauthenticated, no-interaction remote code execution and public proof-of-concept code, the risk to unpatched estates is unusually high — which is why the gap between release and deployment matters so much, and why a proactive cycle that closes that gap quickly is worth the investment.
We’re a small business with no IT team — how do we cope with 206 patches?
You do not patch 206 things by hand one at a time; you deploy Microsoft’s cumulative updates (such as KB5094126 for Windows 11 24H2 or KB5094127 for Windows 10), which bundle the fixes. The real challenge for a small business is not the mechanics but the discipline: knowing what you have, sequencing deployment sensibly, verifying it worked and documenting it. That is exactly what a managed IT administration service provides — a scheduled administrator who runs the cycle for you, so a record month is absorbed as routine work rather than becoming a weekend emergency for whoever is least unwilling.
Why does the DHCP Client vulnerability matter more on small networks?
CVE-2026-44815 is a stack buffer overflow reachable when a Windows client requests an IP address from a malicious DHCP server on the same network segment. On a properly segmented network with VLANs, the blast radius of a single rogue device is contained. But many UK SMEs run a single flat network where every workstation, printer and visitor device shares one broadcast domain — so one compromised or rogue device could reach every Windows machine at once. That is why we pair patching (step 6) with network segmentation (step 7) in the action plan; the patch fixes the flaw, and segmentation limits what any future flaw can reach.
Should we test these patches before deploying them everywhere?
Yes, but proportionately. Deploy to a small pilot ring of representative machines first, confirm your line-of-business applications still function, then expand in waves. Always take a verified backup before mass deployment so you have a clean rollback path if something conflicts. The balance to strike is between the small risk of an update breaking an application and the far larger risk of leaving unauthenticated CVSS 9.8 flaws unpatched for weeks. For the critical, actively targeted CVEs, err toward speed; for lower-severity fixes, a short validation pass is sensible.
How is IT Admin different from ordinary IT support?
IT support is largely reactive — you raise a ticket when something breaks and an engineer fixes it. IT administration is proactive and scheduled: a dedicated administrator visits or connects on a set cadence (weekly, fortnightly or monthly depending on size) to run health checks, apply and verify patches, review security, test backups and update documentation before anything goes wrong. On patching specifically, that means Patch Tuesday is caught the week it lands and closed inside the 14-day window, rather than being noticed weeks later. Most Cloudswitched clients use both: support for the unexpected, administration to prevent it.
Does patching alone make us Cyber Essentials compliant?
No — patch management is one of five technical controls, alongside firewalls and internet gateways, secure configuration, user access control and malware protection. But it is the control most directly tested by a month like June 2026, and the one where evidence of a documented 14-day cycle carries real weight with an assessor. Proactive administration produces that evidence as a by-product: an inventory, a deployment record and verification reports. If you are working toward certification, pairing IT administration with a managed Cyber Essentials engagement is the most efficient route, because the administration routine generates most of the audit evidence automatically.
What happens if we simply do nothing?
Doing nothing leaves unauthenticated remote code execution flaws open on your network at a time when working exploits are actively circulating. The DSIT Cyber Security Breaches Survey found 43% of UK businesses — around 612,000 — were breached in the prior year, and unpatched systems are among the most common entry points. Beyond the direct risk of ransomware, data theft or business interruption, you also fall outside Cyber Essentials, which increasingly affects eligibility for public-sector contracts, cyber insurance and supply-chain relationships. With the Cyber Security and Resilience Bill progressing through Parliament, the regulatory expectation on patch discipline is tightening, not loosening. The pragmatic move is to close June out now and put a scheduled cycle in place so the next record month is uneventful.

Make the next record Patch Tuesday a non-event

206 CVEs was a stress test of patch discipline, and most UK SMEs did not pass it. Cloudswitched IT Admin gives you a dedicated administrator, a scheduled cycle and documented, Cyber Essentials-ready evidence — so exposure is closed inside the window, every month, without the scramble.

Talk to us about IT Admin Services
Tags:Network AdminCyber SecurityIT SupportMicrosoft 365
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Network Admin Services

Server administration, infrastructure ops and proactive network management for UK businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

14
  • Google Ads & PPC

How to Create Landing Pages That Convert PPC Traffic

14 May, 2026

Read more
20
  • AI

AI Data Analysis Tools for Small Business

20 Mar, 2026

Read more
20
  • AI

How AI Can Reduce Business Costs

20 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.