June 10, 2026

ENKVA #009 — June Patch Tuesday: triage the network-facing RCEs first

Microsoft shipped its June 2026 security updates on June 9. If you run Windows fleets, the headline is volume without a fire drill: the June CVRF lists 683 CVE entries, but 407 of them are Chromium re-tracks that Edge inherits from Google's own release. That leaves 276 Microsoft-specific CVEs, of which 39 carry a Critical severity rating. Nothing in the release is flagged as exploited in the wild, and three items are publicly disclosed but not yet seen under attack.

The absence of an active zero-day changes how you triage. There is no single patch you have to push tonight. Sort by exposure instead: the network-reachable RCEs first, then the domain-controller bugs, then the normal ring cadence for everything else.

Three RCEs sit at CVSS 9.8 with the same network-no-privileges-no-interaction profile (AV:N/AC:L/PR:N/UI:N). CVE-2026-47291 is an HTTP.sys RCE — the kernel-mode HTTP stack behind IIS, WinRM, and a long tail of Windows services that listen on HTTP. CVE-2026-44815 is a DHCP Client Service RCE, reachable on any segment where a host accepts DHCP offers. CVE-2026-45657 is a Windows Kernel RCE. None is confirmed exploited, but all three are network-reachable and need no authentication or user interaction.

Two more belong on the domain-controller list. CVE-2026-45648 is an Active Directory Domain Services RCE at CVSS 8.8, and CVE-2026-47288 is a Kerberos KDC RCE at CVSS 7.1. For Exchange tenants, CVE-2026-48579 is an Exchange Online information-disclosure bug rated CVSS 9.1. The month's only CVSS 10.0 is an Azure HorizonDB elevation-of-privilege issue (CVE-2026-48567) that Microsoft services on its side — nothing for you to patch.

The three publicly disclosed bugs are lower-severity and need a local or physical attacker, not a network path: a Windows CTFMON elevation-of-privilege flaw (CVE-2026-45586, CVSS 7.8), an HTTP.sys denial-of-service (CVE-2026-49160, CVSS 7.5), and a BitLocker security-feature bypass (CVE-2026-50507, CVSS 6.8). Public disclosure raises the odds of exploitation — treat them as priority-two, not background.

Two clusters explain the bulk: the Remote Desktop Client accounts for 11 of this month's CVEs and Hyper-V for another four — guest-to-host escape territory. Neither is exploited, but both warrant a targeted look if RDP or Hyper-V is in your stack.

What to do this week:

  1. Patch the three network-facing 9.8 RCEs on exposed hosts first. Any internet-reachable or service-segment Windows host running IIS, WinRM, or another HTTP.sys listener gets the HTTP.sys fix first; the DHCP Client and Kernel RCEs follow on the same hosts.
  2. Schedule the AD DS and Kerberos RCEs onto your domain controllers in the next maintenance window. A DC RCE is a tier-0 problem even without active exploitation.
  3. Ride your normal ring cadence for the rest of the June release. With nothing flagged exploited, you do not need to break change control — just make sure the June cumulative lands in your standard rollout this week, not next month.
  4. Confirm Edge picks up the Chromium re-tracks. The 407 Chromium entries close in Edge on Microsoft's own cadence — verify your managed Edge fleet is updating, not assuming the Windows cumulative covered the browser.
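The sort order the four steps above describe, written out as a small triage script. This is an added example, not Microsoft's or ENKVA's tooling; only the three 9.8 RCEs have their CVSS vector stated in this issue, so the other vectors in the sample are assumed for illustration.

```python
"""Rank a Patch Tuesday release the way this issue does: exploited first, then
RCEs whose vector is network/no-privileges/no-interaction, then domain-controller
components, then publicly disclosed bugs, then the rest by CVSS."""
from dataclasses import dataclass

DC_COMPONENTS = {"Active Directory Domain Services", "Kerberos KDC"}

def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/PR:N/UI:N' (CVSS:3.x prefix optional) into {'AV': 'N', ...}."""
    parts = [p for p in vector.split("/") if not p.startswith("CVSS:")]
    return dict(p.split(":", 1) for p in parts)

@dataclass
class Cve:
    cve_id: str
    component: str
    impact: str        # RCE, EoP, DoS, SFB, ...
    cvss: float
    vector: str
    exploited: bool = False
    disclosed: bool = False

def triage_tier(c: Cve) -> int:
    """0 = exploited, 1 = network-reachable unauthenticated RCE,
    2 = domain-controller component, 3 = publicly disclosed, 4 = ring cadence."""
    v = parse_vector(c.vector)
    if c.exploited:
        return 0
    if c.impact == "RCE" and (v.get("AV"), v.get("PR"), v.get("UI")) == ("N", "N", "N"):
        return 1
    if c.component in DC_COMPONENTS:
        return 2
    if c.disclosed:
        return 3
    return 4

def triage(cves):
    """Highest priority first; ties broken by CVSS descending, then by id."""
    return sorted(cves, key=lambda c: (triage_tier(c), -c.cvss, c.cve_id))

# Sample drawn from the issue. Only the three 9.8s have their vector stated there;
# the other vectors are ASSUMED for illustration, not taken from the advisories.
JUNE = [
    Cve("CVE-2026-45586", "CTFMON", "EoP", 7.8, "AV:L/AC:L/PR:L/UI:N", disclosed=True),
    Cve("CVE-2026-45648", "Active Directory Domain Services", "RCE", 8.8, "AV:N/AC:L/PR:L/UI:N"),
    Cve("CVE-2026-44815", "DHCP Client Service", "RCE", 9.8, "AV:N/AC:L/PR:N/UI:N"),
    Cve("CVE-2026-47288", "Kerberos KDC", "RCE", 7.1, "AV:N/AC:H/PR:L/UI:N"),
    Cve("CVE-2026-47291", "HTTP.sys", "RCE", 9.8, "AV:N/AC:L/PR:N/UI:N"),
    Cve("CVE-2026-45657", "Windows Kernel", "RCE", 9.8, "AV:N/AC:L/PR:N/UI:N"),
]
```

Run `triage(JUNE)` and the three network-facing 9.8s come out ahead of the DC bugs, which come out ahead of the disclosed CTFMON flaw.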

Advisories

Check Point VPN authentication bypass is on KEV and exploited in attacks linked to Qilin ransomware

If you run Check Point Security Gateways with Remote Access or Mobile Access VPN on the deprecated IKEv1 key exchange, patch this week. CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalog on June 8 with a remediation due date of June 11 and the knownRansomwareCampaignUse flag set to Known. NVD rates it CVSS 9.3, CWE-287, for a "logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange" that allows "an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password." Check Point's advisory puts the earliest observed exploitation at May 7, says it launched its investigation on June 4, and reports "the observed exploitation has been limited to a few dozen targeted organizations globally." It assesses the actor with medium confidence as financially motivated and notes the actor "uses Qilin ransomware."

Action: apply the Check Point hotfix per sk185033 to every affected Gateway now — the fix shipped, and the due date is June 11. Check Point also disclosed a related site-to-site MitM bug, CVE-2026-50752 (CVSS 7.4), in the same IKEv1 path, so move site-to-site tunnels off IKEv1 where you can. After patching, hunt VPN logs for sessions with no matching authentication event, as you would after the PAN-OS GlobalProtect bypass — a bypassed VPN login is an internal foothold, not just a bad sign-in.
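The post-patch hunt above, as an added example that is not Check Point's tooling: the line format below is a constructed, simplified one (timestamp, event, user, src), not Check Point's real log schema, and the five-minute window is an assumption. The check is the one the issue describes: a session established with no authentication success for the same user and source shortly before it.

```python
"""Find VPN sessions that started without a matching authentication event."""
from datetime import datetime, timedelta

# Constructed sample log in a simplified format; substitute your own export.
SAMPLE_LOG = """\
2026-06-08T09:00:01Z auth_success user=alice src=203.0.113.10
2026-06-08T09:00:03Z session_start user=alice src=203.0.113.10
2026-06-08T09:15:40Z session_start user=bob src=198.51.100.7
2026-06-08T10:02:11Z auth_success user=carol src=192.0.2.55
2026-06-08T10:40:00Z session_start user=carol src=192.0.2.55
"""
WINDOW = timedelta(minutes=5)  # assumed: how long an auth may precede its session

def parse_line(line):
    """'<ts> <event> user=<u> src=<ip>' -> (datetime, event, user, src)."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields["user"], fields["src"]

def unauthenticated_sessions(log_text, window=WINDOW):
    """Return (user, src, timestamp) for every session_start with no
    auth_success for the same user/src inside `window` before it.
    A stale auth outside the window (carol) is flagged too, so the analyst
    sees it rather than silently accepting it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    auths = {}
    for ts, ev, user, src in events:
        if ev == "auth_success":
            auths.setdefault((user, src), []).append(ts)
    suspicious = []
    for ts, ev, user, src in events:
        if ev != "session_start":
            continue
        recent = any(0 <= (ts - a).total_seconds() <= window.total_seconds()
                     for a in auths.get((user, src), []))
        if not recent:
            suspicious.append((user, src, ts.isoformat()))
    return suspicious
```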

Chrome ships 74 fixes; the V8 bug lands on KEV the next day

Google shipped Chrome Stable 149.0.7827.102/.103 for Windows and Mac (149.0.7827.102 for Linux) on June 8. Per the release post, "this update includes 74 security fixes," and the list includes CVE-2026-11645, an "out of bounds memory access in V8." CISA added CVE-2026-11645 to the KEV catalog on June 9 with a June 23 due date — the V8 engine is shared, so the same bug reaches Microsoft Edge, Opera, and other Chromium browsers.

Action: confirm managed Chrome fleets are on 149.0.7827.102 or newer and push a relaunch rather than waiting for users to restart. Watch for the matching Edge Stable build and enforce its update on the same schedule — Edge inherits the V8 CVE within days.

LiteLLM command injection on KEV — low-privilege key to host RCE

If you or your clients run a self-hosted BerriAI LiteLLM proxy in front of model providers, check your version. CISA added CVE-2026-42271 to the KEV catalog on June 8 (due June 22) for a command injection that, per the catalog, allows "any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host." A LiteLLM proxy is often the single AI egress point for a tenant, which makes its host a high-value target.

Action: update LiteLLM to the fixed release, and treat the gateway host as sensitive — it brokers every model call and often holds provider API keys. Rotate internal-user keys issued before the patch, and put the proxy behind authentication you control rather than exposing it directly.

KEV also added Cisco SD-WAN Manager, SolarWinds Serv-U, and Arista EOS

The same KEV window picked up three more entries worth scanning your estate for. CVE-2026-20245 in Cisco Catalyst SD-WAN Manager (added June 9, due June 23) allows "an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file" — authenticated and local, so lower urgency than the controller bypass we covered in issue #006, but still a root-level escalation. CVE-2026-28318 in SolarWinds Serv-U (added June 5, due June 19) is an unauthenticated denial-of-service: "a crafted POST request using the Content-Encoding: deflate header" crashes the service. CVE-2026-7473 in Arista EOS (added June 9, due June 23) is a packet-decapsulation flaw on switches configured for tunnel termination.

Action: if Serv-U is internet-facing, patch the DoS and put its management surface behind a VPN. Schedule the Cisco SD-WAN Manager and Arista EOS fixes into your network-gear maintenance window — both due June 23.

Product changes

Defender XDR's AgentsInfo table replaces AIAgentsInfo — update hunting queries before July 1

If you run advanced-hunting queries against AI-agent telemetry in Defender XDR, you have a deadline. The June 2026 Defender XDR What's new entries introduce the AgentsInfo table (Preview) as a unified schema covering all agent types — Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents. The older AIAgentsInfo table is transitioning to it. Per the entry: "The AIAgentsInfo table remains accessible until July 1, 2026. Update your queries to use AgentsInfo before this date."

Action: grep your saved hunting queries, custom detection rules, and workbooks for AIAgentsInfo and migrate them to AgentsInfo now. A detection rule that silently stops returning rows after July 1 is worse than one that errors loudly — verify the migrated queries match before the old table goes away.

Entra Connect Sync config changes will require interactive admin authentication

For MSPs running hybrid identity, a change to Entra Connect Sync is coming that will break unattended config edits. The Entra What's new page lists an Upcoming Change, "Enhanced admin authorization for Microsoft Entra Connect Sync configuration changes": "changes to sync configuration settings will require interactive authentication from an authorized cloud administrator." Sync itself keeps running unattended; the gate is on changing its configuration.

Action: audit any automation that edits Connect Sync configuration — scheduled rule changes, scripted attribute-flow edits, infrastructure-as-code that touches sync settings. Those will need an interactive admin sign-in once the change lands. Plan a human-in-the-loop step, and make sure the cloud admin account you would use is not itself dependent on the sync you are reconfiguring.

Entra device objects get a recoverable soft-delete in preview

The same Entra What's new page adds soft-delete for Entra Device objects in public preview, which "enables administrators to safely remove device objects by moving them to a recoverable state instead of permanently deleting them." For anyone who has hard-deleted a device record during a cleanup and then had to re-enroll it, this is a useful undo.

Action: if you run periodic stale-device cleanups, pilot soft-delete on a test tenant before changing your bulk-delete runbooks. A recoverable state makes a mistaken sweep reversible — but confirm the recovery window and admin steps before you rely on it.

Compliance

Six of this week's seven KEV additions are due inside the next two weeks

For any client scoped to CISA BOD 22-01 — and as a practical SLA for everyone else — the KEV catalog added seven entries this week with tight remediation dates. Check Point CVE-2026-50751 is due June 11, the three June 9 additions (Cisco SD-WAN Manager, Arista EOS, Chrome V8) are due June 23, the LiteLLM bug is due June 22, and SolarWinds Serv-U is due June 19. The Mirasvit Full Page Cache Warmer deserialization bug (CVE-2026-45247) was added June 3 with a June 6 due date that has already passed.

Action: map this week's KEV adds against your managed estate today. The Check Point due date is tomorrow, so confirm it closed first. For products you do not run, document the negative — "not present in environment" is the answer an auditor wants, and it is faster to record now than to reconstruct later.
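The mapping step above, written out as an added example that is not CISA's or ENKVA's tooling. The records are constructed from this issue's text using the KEV JSON feed's field names (cveID, vendorProject, product, dateAdded, dueDate); the ESTATE set is a placeholder for your own inventory, and TODAY is this issue's date.

```python
"""Map this week's KEV additions against a managed estate and record the negative."""
from datetime import date

TODAY = date(2026, 6, 10)  # this issue's date

def kev(cve_id, vendor, product, added, due):
    """Build one record using the catalog feed's field names."""
    return {"cveID": cve_id, "vendorProject": vendor, "product": product,
            "dateAdded": added, "dueDate": due}

# Constructed from the issue; dates as the catalog states them (YYYY-MM-DD).
KEV_THIS_WEEK = [
    kev("CVE-2026-50751", "Check Point", "Security Gateway", "2026-06-08", "2026-06-11"),
    kev("CVE-2026-11645", "Google", "Chrome", "2026-06-09", "2026-06-23"),
    kev("CVE-2026-42271", "BerriAI", "LiteLLM", "2026-06-08", "2026-06-22"),
    kev("CVE-2026-20245", "Cisco", "Catalyst SD-WAN Manager", "2026-06-09", "2026-06-23"),
    kev("CVE-2026-28318", "SolarWinds", "Serv-U", "2026-06-05", "2026-06-19"),
    kev("CVE-2026-7473", "Arista", "EOS", "2026-06-09", "2026-06-23"),
    kev("CVE-2026-45247", "Mirasvit", "Full Page Cache Warmer", "2026-06-03", "2026-06-06"),
]
# Placeholder inventory: "vendor product" strings for what your estate runs.
ESTATE = {"Check Point Security Gateway", "Google Chrome", "SolarWinds Serv-U"}

def kev_status(entries, estate, today):
    """Return (cveID, product, days_left, status) rows, soonest due first.
    status is 'overdue', 'due', or 'not present in environment'; the negative
    is recorded even when the due date has already passed."""
    rows = []
    for e in entries:
        name = f'{e["vendorProject"]} {e["product"]}'
        left = (date.fromisoformat(e["dueDate"]) - today).days
        if name not in estate:
            status = "not present in environment"
        elif left < 0:
            status = "overdue"
        else:
            status = "due"
        rows.append((e["cveID"], name, left, status))
    return sorted(rows, key=lambda r: r[2])

def due_within(entries, estate, today, days):
    """Entries present in the estate that are overdue or due within `days`."""
    return [r for r in kev_status(entries, estate, today)
            if r[3] != "not present in environment" and r[2] <= days]
```

`due_within(KEV_THIS_WEEK, ESTATE, TODAY, 7)` returns only the Check Point entry, which is what has to close first.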

Field notes

Microsoft details attackers using AI brand names as phishing bait

Microsoft published an analysis on June 8 of threat actors impersonating popular AI platforms — ChatGPT, Microsoft Copilot, Claude, and DeepSeek — across phishing, malvertising, and GitHub-hosted malware to steal credentials and deploy info-stealers including Vidar Stealer, Lumma Stealer, Hijack Loader, Oyster, and GhostSocks. The campaigns are not small: Microsoft cites one day with "100,000 emails," a March 2026 campaign that targeted "66,000 devices," and a Claude-themed phishing run against "2,000 organizations."

Action: users searching for "free ChatGPT" or a Claude installer are the soft target here. Add the impersonated-brand lure to your security-awareness talking points, and check your endpoint and email controls flag the named stealer families. For clients piloting AI tools, give staff one official download path per tool so a malvertising result is obviously wrong.

Microsoft flags a CI/CD secret-exposure path in the Claude Code GitHub Action

If your team or your clients run Anthropic's Claude Code GitHub Action in CI/CD, review how it handles untrusted input. Microsoft reported on June 5 that the action could expose CI/CD workflow secrets when it processes untrusted GitHub content through prompt injection, exploiting the Read tool's lack of sandboxing — attacker-controlled text in an issue or pull request could steer the agent into surfacing the workflow's secrets.

Action: scope the secrets any agentic GitHub Action can see to the minimum the job needs, and do not run the action against untrusted pull requests with repository secrets in scope. Treat AI-driven CI steps like any step that executes attacker-influenced input — least privilege on the token, and a human gate before the agent touches production secrets.
