← CIO Briefings · Critical Impact ACTION REQUIRED

CIO Brief: Microsoft June 2026 Patch Tuesday — Three CVSS 9.8 Flaws Require Emergency Response

Microsoft's June 2026 Patch Tuesday includes three CVSS 9.8 remote code execution vulnerabilities — including a wormable HTTP.sys flaw — plus a Kerberos KDC RCE targeting domain controllers. This is the most critical single Microsoft patch event of 2026 and requires emergency-tier prioritisation across all Windows Server infrastructure.

2 min read

Situation

Microsoft’s June 2026 Patch Tuesday (9 June) addressed 198 vulnerabilities, including six zero-days and three critical remote code execution flaws scoring CVSS 9.8. The highest-risk vulnerability — CVE-2026-47291 in HTTP.sys — is wormable: unauthenticated, no user interaction required, potentially self-propagating across Windows Server infrastructure with IIS or any HTTP API service. A second critical flaw, CVE-2026-47288 in the Kerberos Key Distribution Centre, targets domain controllers — the highest-value systems in any Active Directory environment.

Microsoft confirms two of the six zero-days were actively exploited before the patch was released.

Business Impact

Any Windows Server with IIS, Exchange, SharePoint, WSUS, or Windows Admin Center is vulnerable to CVE-2026-47291 without the patch. A successful exploit achieves SYSTEM-level code execution — complete control of the server — from any attacker who can send an HTTP/2 request to the server.

Exploitation of CVE-2026-47288 on a domain controller gives an attacker the equivalent of Domain Administrator — access to all systems, all credentials, and all data in the Active Directory domain. From that position, ransomware deployment is a matter of hours.

These are not theoretical risks. The security community assesses the wormable HTTP.sys flaw as comparable to EternalBlue (MS17-010), which was used in the WannaCry and NotPetya attacks of 2017.

PriorityActionTimeline
IMMEDIATEApply June 2026 cumulative update to all Windows Server with HTTP servicesWithin 24 hours
IMMEDIATEApply June 2026 update to all Active Directory domain controllersWithin 24 hours
URGENTApply June 2026 update to all remaining Windows endpointsWithin 72 hours
INTERIMDisable HTTP/2 on IIS servers that cannot be immediately patchedSame day
STANDARDVerify DHCP Guard is enforced on all access-layer switchportsWithin one week

Executive Summary

The June 2026 Patch Tuesday is not routine. Three vulnerabilities — HTTP.sys (wormable RCE), Windows Kernel (actively exploited RCE), and Kerberos KDC (domain controller RCE) — require treatment as a security emergency, not a scheduled maintenance task. Delay in patching these vulnerabilities directly increases the probability of a network-wide ransomware incident. Security operations teams have been directed to compress timelines and escalate any obstacles to emergency patching to management immediately.