Skip to content
⚖️ Risk Mgmt

Enterprise Guide: Prioritising the June 2026 Patch Tuesday Across 198 CVEs

Security teams face 198 CVEs from Microsoft's June 2026 Patch Tuesday plus concurrent advisories from SAP, Ivanti, Palo Alto, and CISA. This guide provides a decision framework for prioritising remediation across different infrastructure tiers — from internet-facing servers to workstations — with specific guidance for each of the highest-risk vulnerabilities.

4 min read
#patch-management#risk-management#microsoft#patch-tuesday#vulnerability-management#enterprise-security#remediation#cvss#2026
Article security-risk-management

The June 2026 Patch Tuesday delivered 198 vulnerabilities from Microsoft alone, alongside concurrent critical advisories from SAP, Ivanti, Palo Alto Networks, and three CISA KEV additions. No enterprise security team has the capacity to treat all 198 vulnerabilities as equal priorities. This guide provides a structured framework for decision-making across infrastructure tiers.

Tier 0: Emergency (Within 24 Hours)

These vulnerabilities justify emergency change management procedures and out-of-cycle patching:

CVE-2026-47291 — HTTP.sys wormable RCE (CVSS 9.8)

  • Affected: Any Windows Server running IIS, Exchange, SharePoint, WSUS, WinRM, or HTTP API applications
  • Action: Apply June 2026 cumulative update. Interim: Disable HTTP/2 via registry if patching is blocked
  • Why emergency: Wormable — no authentication, no user interaction required. Self-propagating potential. Comparable to EternalBlue in attack profile.

CVE-2026-45657 — Windows Kernel RCE (CVSS 9.8)

  • Affected: All Windows systems (workstations and servers)
  • Action: Apply June 2026 cumulative update
  • Why emergency: Actively exploited before patch release. SYSTEM-level code execution.

CVE-2026-47288 — Kerberos KDC RCE (CVSS Critical)

  • Affected: All Active Directory domain controllers
  • Action: Apply June 2026 Windows Server update to all DCs. Patch PDC Emulator first.
  • Why emergency: Domain controller compromise is equivalent to complete Active Directory compromise — all credentials, all systems, ransomware deployment capability.

CVE-2026-10520 — Ivanti Sentry pre-auth RCE (CVSS 10.0) [Ivanti advisory]

  • Affected: All Ivanti Sentry deployments
  • Action: Upgrade to Sentry 9.19.1
  • Why emergency: CVSS 10.0, actively exploited, internet-facing by design.

Tier 1: High Priority (Within 72 Hours)

Critical vulnerabilities that are not actively exploited but carry high exploitation probability within 72–96 hours of patch release:

CVE-2026-44815 — Windows DHCP Client RCE (CVSS 9.8)

  • Affected: All Windows systems using DHCP (essentially all workstations and most servers)
  • Interim control: Enable DHCP Snooping on access-layer switches if immediate endpoint patching is not feasible
  • Target: Apply June cumulative update within 72 hours

CVE-2026-44963 — Veeam Backup & Replication RCE (CVSS 9.4) [Veeam advisory]

  • Affected: All Veeam Backup & Replication deployments
  • Action: Upgrade to VBR 12.2
  • Why prioritised: Ransomware groups specifically target backup infrastructure. Active targeting expected within days of advisory.

CVE-2026-44748 — SAP NetWeaver SAML bypass (CVSS 9.9) [SAP advisory]

  • Affected: All SAP NetWeaver ABAP systems using SAML authentication
  • Action: Apply SAP Security Note 3578412

CVE-2026-0273 — PAN-OS command injection (CVSS High) [Palo Alto advisory]

  • Affected: PAN-OS 10.1–11.2
  • Action: Apply fixed PAN-OS version for your branch

Tier 2: Elevated Priority (Within Normal Patch Cycle — Compress Timeline)

Significant vulnerabilities to complete within the same week:

  • CVE-2026-45586 (CTFMON EoP, CVSS 7.8) — Used in post-exploitation toolkits. Patch all Windows endpoints.
  • CVE-2026-11645 (Chrome V8 zero-day, CVSS 8.8) — Actively exploited. Push Chrome update to all endpoints via Chrome Browser Cloud Management or Group Policy.
  • CVE-2026-50507 (BitLocker bypass, CVSS 6.8) — Patch all mobile devices. Enable TPM+PIN as lasting mitigation.
  • CVE-2026-23111 (Linux kernel nf_tables, CVSS 7.8) — Apply kernel update across all Linux distributions.

Tier 3: Standard Priority (Next Regular Patch Window)

All remaining CVEs from the June 2026 update that are not in Tier 0–2 above. Approximately 185 of the 198 CVEs fall into this category — they are real vulnerabilities but do not have the active exploitation, wormable potential, or critical infrastructure targeting that warrants compressing patch timelines.

Process Considerations

Emergency patch procedures: The number of Tier 0 and Tier 1 vulnerabilities in June 2026 is high enough that organisations without a documented emergency patch process will struggle. If your change management process requires 5+ business days for change approval, a Tier 0 vulnerability cannot be remediated on a safe timeline under that process. June 2026 is a reasonable moment to document and approve an expedited emergency patch procedure for CISA KEV and wormable-class vulnerabilities.

Testing time: The three CVSS 9.8 flaws are all in the cumulative Windows update — patching all three is a single update operation. The incremental testing burden for the “emergency” tier is one update per system type, not twelve separate changes.

Communication: Inform business stakeholders that emergency patching this week may cause unscheduled reboots and brief service interruptions. The alternative — providing ransomware operators 72 hours of additional window on three CVSS 9.8 vulnerabilities — is not an acceptable business risk.

Share this article

Related Intelligence

⚖️ Risk Mgmt

AI Workflow Builder Security Governance: Langflow CVE-2026-5027 and the Unmanaged AI Tool Problem

Langflow CVE-2026-5027's active exploitation is accelerating because many enterprise Langflow deployments are outside the formal IT security perimeter — deployed by data science and developer teams without security review, not in the CMDB, not in the vulnerability scanning scope. This article provides a governance framework for bringing AI workflow tools under security management.

#langflow +8
⚖️ Risk Mgmt

Verizon DBIR 2026: Vulnerability Exploitation Surpasses Phishing as Top Initial Access Vector — Enterprise Implications

Verizon's 2026 Data Breach Investigations Report, published mid-May, documents a structural shift in breach methodology: vulnerability exploitation has overtaken phishing as the most common initial access pathway in analysed breaches. The shift reflects a maturing attacker ecosystem that increasingly uses automated exploit delivery rather than requiring human interaction. Enterprise security programmes built around phishing awareness need recalibration.

#verizon-dbir +6
⚖️ Risk Mgmt

Q2 2026 Enterprise Threat Landscape: Unprecedented Vulnerability Density and What It Means for Security Programmes

Q2 2026 (April–June) has produced more simultaneous high-severity vulnerabilities in enterprise-critical infrastructure than any comparable period in recent years. Netlogon CVSS 9.8, three CVSS 10.0 in UniFi OS, AMD microarchitecture flaws, Linux kernel LPEs, and two Citrix exploitation waves — analysing the pattern reveals structural implications for how enterprises manage vulnerability risk.

#vulnerability-management +6