June’s Patch Tuesday security updates have arrived, with SAP fixing four critical vulnerabilities and Microsoft addressing over 200 CVEs. Microsoft’s to-do list includes fixes for three zero days, 32 patches rated as ‘critical’, and a batch of other high-risk vulnerabilities that need urgent assessment. There’s also one older flaw under exploit, and some patches affecting enterprise products for which Microsoft says exploitation is likely. Adobe, too, fixed critical vulnerabilities in enterprise software.
Vulnerability surge
It’s a record haul for Patch Tuesday CVEs — and that’s not counting the other exploited vulnerabilities Microsoft has patched out-of-band since its May update.
Microsoft recently told customers it expects the number of vulnerabilities in monthly updates to continue rising, influenced by the growing use of AI tools. As a May post by the Microsoft Security Response Center put it: “As larger releases settle in as a norm, the way we deliver and decide on updates remains consistent. Patch Tuesday continues as our predictable rhythm for on-premises software.” Going forward, customers should brace themselves for more out-of-band updates, it added.
According to Nirwan Dogra, a Senior Software Engineer at Microsoft Security, May and June 2026 represent a new norm that will challenge traditional, slower test-and-deploy patching.
“The 200+ CVE count isn’t an anomaly. It’s the new baseline. AI-assisted vulnerability discovery (fuzzing, static analysis, variant hunting) is compressing the timeline between ‘a bug exists’ and ‘bug is found’ dramatically,” he said via email.
Ominously, according to Dogra, the same AI tools are also uncovering more flaws in components previously seen as too complex for manual audit, such as hypervisor code and Kerberos. He recommended that organizations move towards risk-based vulnerability prioritization, automated patching pipelines, and a focus on the flaws that are likely to be exploited.
Dustin Childs, Head of Threat Awareness for TrendAI’s Zero Day Initiative (ZDI), agreed: “We are heading into a high-stakes summer for cybersecurity. June’s record-shattering drop of 210 Microsoft vulnerabilities is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale,” he said.
Microsoft’s high-priority fixes
Three vulnerabilities are rated as zero days because they have been publicly disclosed. Two are connected to adversarial disclosures affecting Windows by the researcher Nightmare Eclipse which have attracted a lot of attention: CVE-2026-45586 (CTFMON) and CVE-2026-50507 (BitLocker bypass). The third is CVE-2026-49160, a CVSS 7.8-rated denial of service zero day vulnerability in the Windows HTTP Protocol Stack used by various Windows services.
Security teams should also note the patch for CVE-2026-42897, an Exchange Server flaw under active exploitation originally disclosed in May. This was originally addressed using workarounds but has now been patched.
The list of 15 vulnerabilities where exploitation is said to be “more likely” is headlined by CVE-2026-47291, a dangerous CVSS 9.8-rated kernel-level RCE flaw in http.sys that attackers could use to target multiple important enterprise applications, such as IIS, WinRM, or Windows Admin Center.
Also worth paying attention to are a series of ‘high’ rated Hyper-V VM escape flaws, CVE-2026-47652, CVE-2026-45641, and CVE-2026-45607. Anyone running on-premises networks will also be interested in CVE-2026-47288, an RCE affecting the Active Directory Kerberos core, and CVE-2026-45648, a CVSS 8.8-rated flaw affecting Active Directory Domain Services (AD DS).
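Dogra’s advice to prioritize by exploitation risk rather than by raw CVE count can be reduced to a small, repeatable triage rule. The following is an added example, not code from the article or from Microsoft: the records are constructed from the identifiers and scores the article reports (scores the article does not state are left as None), and the tier thresholds are a hypothetical policy that a team would replace with its own.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cve:
    cve_id: str
    cvss: Optional[float]          # None when the score is not stated in the article
    exploited: bool = False        # confirmed in-the-wild exploitation
    public: bool = False           # publicly disclosed before the fix (a zero day in vendor terms)
    exploit_likely: bool = False   # vendor's "exploitation more likely" rating
    note: str = ""

# Hypothetical policy tiers (assumption, not the article's or Microsoft's guidance):
#   1 = exploited now: patch immediately
#   2 = public or rated "exploitation more likely": patch this cycle
#   3 = high/critical score, or score unknown so it still needs assessment
#   4 = everything else: normal cadence
def tier(c: Cve) -> int:
    if c.exploited:
        return 1
    if c.public or c.exploit_likely:
        return 2
    if c.cvss is None or c.cvss >= 7.0:
        return 3
    return 4

def prioritize(cves: List[Cve]) -> List[Cve]:
    """Order by tier, then by descending CVSS (unknown scores sort last), then by ID."""
    return sorted(cves, key=lambda c: (tier(c), -(c.cvss or 0.0), c.cve_id))

# Records constructed from what the article reports about June's Microsoft update.
JUNE_MICROSOFT = [
    Cve("CVE-2026-42897", None, exploited=True, note="Exchange Server, exploited since May"),
    Cve("CVE-2026-45586", None, public=True, note="CTFMON, public disclosure"),
    Cve("CVE-2026-50507", None, public=True, note="BitLocker bypass, public disclosure"),
    Cve("CVE-2026-49160", 7.8, public=True, note="HTTP Protocol Stack DoS"),
    Cve("CVE-2026-47291", 9.8, exploit_likely=True, note="http.sys kernel RCE"),
    Cve("CVE-2026-45648", 8.8, note="AD DS"),
    Cve("CVE-2026-47288", None, note="AD Kerberos core RCE"),
]

def triage_order(cves: List[Cve] = JUNE_MICROSOFT) -> List[str]:
    """Return CVE IDs in the order a patching pipeline should take them."""
    return [c.cve_id for c in prioritize(cves)]

if __name__ == "__main__":
    for c in prioritize(JUNE_MICROSOFT):
        print(f"tier {tier(c)}  {c.cve_id:<16} cvss={c.cvss}  {c.note}")
```

The exploited Exchange flaw comes first regardless of score, the three publicly disclosed bugs and the http.sys flaw follow, and the AD DS and Kerberos entries land in the assessment tier because their scores are either high or not yet known to the pipeline.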
Four critical SAP vulnerabilities
SAP’s Security Patch Day haul for June comprises 15 patches across a range of core enterprise products including, prominently, NetWeaver, Commerce Cloud, SAP S/4HANA, and the Business Objects Business Intelligence Platform.
Four of these are rated ‘critical’, the most eye-catching of which is CVE-2026-27671, a CVSS 9.8 memory corruption vulnerability in Application Server ABAP and ABAP Platform. Jonathan Stross, SAP security analyst at security company Pathlock, said: “This is one of the most serious notes in the batch because the attack requires no authentication and can affect confidentiality, integrity, and availability at the same time. A successful exploit can undermine the trustworthiness of the entire ABAP instance and everything connected to it.”
Not far behind it is CVE-2026-44748, a CVSS 9.9 XML Signature Wrapping in SAML Authentication vulnerability in the SAP NetWeaver Application Server ABAP and ABAP Platform. This allows an authenticated attacker with low-level user privileges to capture a signed SAML message, then modify and submit an XML payload carrying forged identity data.
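The defensive point behind an XML Signature Wrapping weakness is that a service provider must consume identity data only from the exact element the signature covers, never from whichever Assertion it happens to find first. The check below is an added example, not SAP’s code or a description of the patched component: it assumes the XML-DSig signature value has already been verified by an XML security library, and only enforces that the consumed assertion is the single, uniquely identified element the signature’s Reference points at. The two SAML responses are constructed fixtures with placeholder signature values.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Namespaces used by SAML 2.0 and XML-DSig.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def consumed_subject(response_xml: str) -> str:
    """Return the NameID of the one assertion that the enveloped signature covers.

    Assumes the signature bytes were already verified. Raises ValueError whenever
    the document's structure would let an unsigned assertion be read instead.
    """
    root = ET.fromstring(response_xml)

    # Rule 1: exactly one Assertion anywhere in the document.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise ValueError("Assertion lacks an ID attribute")

    # Rule 2: exactly one Signature, and it is enveloped directly in that Assertion.
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError(f"expected exactly one Signature, found {len(signatures)}")
    signature = signatures[0]
    if signature not in list(assertion):
        raise ValueError("Signature is not a direct child of the Assertion")

    # Rule 3: the signature's single Reference must point at this Assertion's ID.
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != f"#{assertion_id}":
        raise ValueError("Signature Reference does not cover the consumed Assertion")

    # Rule 4: that ID must be unique, so the Reference cannot be ambiguous.
    if sum(1 for e in root.iter() if e.get("ID") == assertion_id) != 1:
        raise ValueError("Assertion ID is not unique in the document")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no Subject/NameID")
    return name_id.text

def validate(response_xml: str) -> Tuple[bool, str]:
    """Wrap consumed_subject() for callers that prefer a result tuple to exceptions."""
    try:
        return True, consumed_subject(response_xml)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)

# Constructed fixture: one assertion, signed over its own ID.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed fixture: the signed assertion is intact, but a second, unsigned
# assertion has been inserted, so Rule 1 rejects the whole document.
WRAPPED_RESPONSE = SIGNED_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>someone.else@example.com'
    '</saml:NameID></saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">',
)

if __name__ == "__main__":
    print(validate(SIGNED_RESPONSE))
    print(validate(WRAPPED_RESPONSE))
```

Real deployments should let a maintained SAML library apply these rules together with cryptographic verification; the value of writing them out is seeing that each rule closes one way of decoupling the signed element from the consumed one.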
The final critical-rated flaws are CVE-2026-22732, a CVSS 9.1 Spring Security weakness within SAP Commerce Cloud and SAP Data Hub, and CVE-2026-40128, a CVSS 9.0 directory traversal vulnerability in the Application Server Java (Web Container).
This month’s update also patches two vulnerabilities marked ‘high’, the CVSS 7.4 CVE-2026-29145, addressing multiple weaknesses in Apache Tomcat within SAP Commerce Cloud, and CVE-2026-44751, a missing authorization check affecting Application Server ABAP of SAP NetWeaver and ABAP Platform.
Adobe patches enterprise vulnerabilities
Adobe’s June update addresses 123 vulnerabilities across Reader, ColdFusion, Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Adobe Campaign Classic.
Of note are the two CVSS 10-rated CVEs (APSB26-66) in the Adobe Campaign Classic enterprise marketing platform, the seven mostly ‘critical’ or ‘high’-rated CVEs affecting ColdFusion (APSB26-64), and a total of 20 CVEs affecting Reader (APSB26-63). It’s also a busy month for InDesign, which features 12 vulnerabilities (APSB26-58), and Experience Manager which features three (APSB26-57).