ProBackend

June 2026 Patch Tuesday: Six Zero-Days, One Exchange Exploit, and the Researcher Who Broke the System

Microsoft fixed 200 flaws this Patch Tuesday—but the real story is how a single researcher’s protest exposed a broken security culture, and why Defender, BitLocker, and HTTP.sys are all now weapons in the wrong hands.

You patched. You’re not safe.

Microsoft shipped 200 fixes on June 9. Thirty-three were Critical. Six were zero-days. One—CVE-2026-42897—was already being used to run JavaScript in your users’ browsers through Outlook Web Access.

And you still shouldn’t breathe easy.

Because this wasn’t just a patch Tuesday. It was a public reckoning. A researcher named Nightmare Eclipse didn’t just report bugs—they weaponized Microsoft’s own silence. And now, every system you manage has been exposed by a flaw that shouldn’t have existed in the first place.

This isn’t about how many vulnerabilities Microsoft fixed. It’s about how many they ignored until it was too late.

The Exchange Exploit: A Ghost in the Webmail

CVE-2026-42897 is the one that should have you checking your Exchange logs right now.

It’s not a buffer overflow. Not a memory leak. Not even a complex chain of exploits.

It’s a spoofing flaw. An attacker sends a crafted email. When you open it in Outlook Web Access—yes, even if you’re careful—certain conditions trigger arbitrary JavaScript execution in your browser. Not in a sandbox. Not in a preview pane. In the context of your authenticated session.

Microsoft patched it on June 9. But they didn’t have a full fix ready. Instead, they deployed mitigations through the Exchange Emergency Mitigation Service (EEMS). If you’re running Exchange Server 2016, 2019, or Subscription Edition, and you haven’t verified that EEMS is active, you’re still exposed.

And here’s the kicker: Microsoft hasn’t disclosed who found this flaw. Or how it’s being used. That’s terrifying. When a vulnerability like this is exploited in the wild, you want to know the playbook. Instead, you’re left guessing.

The fact that CISA added this to their Known Exploited Vulnerabilities list should be enough to make you panic. But it’s not even the worst of it.

The BitLocker Backdoors: Two Keys, One Door

Two flaws, CVE-2026-45585 and CVE-2026-50507, let an attacker with physical access bypass BitLocker encryption entirely.

The first, called "YellowKey," was disclosed by Nightmare Eclipse. It exploits the Windows Recovery Environment (WinRE). All you need is a USB drive with specially crafted files, a reboot, and holding down the CTRL key during boot. Suddenly, you’re in a command shell with full access to encrypted drives.

Microsoft had warned about this in May—enable TPM+PIN instead of TPM-only. But they didn’t patch it until now. And they didn’t tell you how fragile the fix was.

The second, "bitskrieg," was disclosed by Windows security expert Jonas Lykkegaard on X. Will Dormann from Tharros confirmed Microsoft patched it in CVE-2026-50507. But Dormann also warned: the patch might break your boot process. You could get an error saying "A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly."

If that happens, the fix is simple: run reagentc /disable then reagentc /enable in an elevated command prompt. But that’s not a patch. That’s a workaround. A bandage on a severed artery.

And both flaws target the same assumption: that physical access is a non-issue. It’s not. If your laptop is ever left unattended in a hotel room, a conference hall, or a car, your encrypted data is just a reboot away from being stolen.

The HTTP/2 Bomb: A Denial-of-Service That Costs Nothing

Calif. researchers Quang Luong and Codex found a flaw in HTTP.sys they called the "HTTP/2 Bomb." It’s terrifying in its simplicity.

HTTP/2 is designed to be efficient. It compresses headers to reduce bandwidth. The attackers abuse that efficiency. They send tiny, malformed requests that force the server to allocate massive amounts of memory. Then they hold the connection open, manipulating flow-control settings to prevent the server from freeing that memory.

The result? Performance degradation. Or full outage.

Microsoft responded with a new registry setting: MaxHeadersCount. It limits how many headers an HTTP/2 or HTTP/3 request can contain. If you run IIS or any HTTP.sys-dependent service, you need to configure this now. The patch is in KB5102602.

But here’s what’s wrong with this fix: it’s reactive. The flaw was known for weeks. Researchers disclosed it. Microsoft waited until Patch Tuesday to act. That’s not security. That’s damage control.

GreenPlasma and MiniPlasma: Two Privilege Escalations, One Broken Trust

Nightmare Eclipse didn’t just report these—they shouted them into the void.

CVE-2026-45586, GreenPlasma, exploits the Windows Collaborative Translation Framework (CTFMON). It’s a legacy service Microsoft should have killed years ago. But it’s still there. And now, it grants SYSTEM privileges to any local attacker.

CVE-2020-17103, MiniPlasma, is even worse. It was originally reported to Microsoft by Google Project Zero’s James Forshaw in September 2020. Microsoft patched it in December 2020. But Nightmare Eclipse says it’s still exploitable. Did Microsoft never fully fix it? Or did they silently reintroduce the vulnerability?

Either way, this is a betrayal. You patch because you trust Microsoft to fix things properly. But if a flaw from 2020 is still exploitable in 2026, that trust is broken.

The Researcher Who Broke the System

Nightmare Eclipse didn’t sell these exploits. Didn’t leak them to ransomware gangs. Didn’t even ask for a bounty.

They disclosed them publicly because Microsoft wouldn’t respond.

For months, they submitted reports through Microsoft’s official channels. Got silence. Got ignored. Got their repositories deleted from GitHub and GitLab.

So they went public. And they didn’t stop at six. They’d already disclosed BlueHammer, RedSun, UnDefend, and YellowKey before this Patch Tuesday.

Microsoft’s first response? Threats of legal action. Their Digital Crimes Unit would pursue these "actors" and those who "enable their criminal activity."

The backlash was immediate. The security community—researchers, analysts, even Microsoft’s own partners—rose up. Katie Moussouris, a pioneer in vulnerability disclosure, called it "arrogance." Kevin Beaumont said Microsoft was "weaponizing law enforcement."

Eight days later, Microsoft walked it back. They said they had "no intention to pursue action against individuals conducting or publishing their security research."

That’s not a policy change. That’s a retreat under fire.

And now, every zero-day we patch is tainted by the knowledge that Microsoft didn’t fix it because they cared about security. They fixed it because they got caught.

What You Should Do Now

You can’t patch everything. But you can protect what matters.

  1. Verify EEMS on all Exchange servers. Run Get-ExchangeServer | Select Name, AdminDisplayVersion and confirm you’re on the latest build. Check your EEMS status in the Exchange Admin Center.

  2. Disable WinRE if you don’t need it. Run reagentc /disable on all Windows 11 and Server 2022/2025 machines. If you need recovery, re-enable it after patching.

  3. Configure MaxHeadersCount on all IIS servers. Add the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxHeadersCount and set it to 1000 or lower. Reboot.

  4. Block CTFMON. Remove the CTFMON entry from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via Group Policy. This service has no legitimate use in modern Windows.

  5. Enable application allowlisting. If you’re not using it, start now. RoguePlanet—a separate zero-day that dropped hours after Patch Tuesday—can be blocked by preventing unauthorized code execution. ThreatLocker confirmed this works.

  6. Assume your systems are compromised. If you’re running Windows 11 or Server 2022/2025, assume your BitLocker keys are exposed. If you’re running Exchange, assume your users’ sessions are at risk. Monitor for unusual PowerShell or cmd.exe spawns from MsMpEng.exe.
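As an added example (not part of the original post), a read-only PowerShell audit of items 2, 3, 4 and 6 above. It assumes an elevated session on Windows, uses only the registry paths and the 1000 threshold the post gives, and, for the last check, assumes process-creation auditing (Security event 4688) is enabled.

```powershell
# Added example, not from the original post: a read-only audit of items 2, 3,
# 4 and 6 of the list above. Assumes an elevated PowerShell session on Windows
# and, for the last check, that process-creation auditing (event 4688) is on.
$findings = @()

# Item 3: HTTP.sys header limit. Path and the 1000 threshold are from the post.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$maxHeaders = (Get-ItemProperty -Path $httpParams -Name MaxHeadersCount -ErrorAction SilentlyContinue).MaxHeadersCount
if ($null -eq $maxHeaders) {
    $findings += 'MaxHeadersCount is not set; HTTP.sys is using its default header limit.'
} elseif ($maxHeaders -gt 1000) {
    $findings += "MaxHeadersCount is $maxHeaders; set it to 1000 or lower."
}

# Item 4: any Run entry that launches ctfmon.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties | Where-Object { "$($_.Value)" -match 'ctfmon' }) {
        $findings += "Run entry '$($p.Name)' launches ctfmon: $($p.Value)"
    }
}

# Item 2: WinRE status, parsed from the built-in reagentc tool's status line.
$reStatus = & reagentc.exe /info 2>&1 | Where-Object { $_ -match 'Windows RE status' }
if ($reStatus -match 'Enabled') {
    $findings += 'WinRE is enabled; disable it with "reagentc /disable" if recovery is not needed.'
}

# Item 6: PowerShell or cmd.exe spawned by MsMpEng.exe in recent 4688 events.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ParentProcessName'] -match '\\MsMpEng\.exe$' -and
        $data['NewProcessName'] -match '\\(powershell|pwsh|cmd)\.exe$') {
        $findings += "$($ev.TimeCreated): MsMpEng.exe spawned $($data['NewProcessName'])"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script changes nothing; each finding maps back to the numbered step it came from so you can apply the post's remediation for that item.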

This isn’t about being paranoid. It’s about being realistic.

The Bigger Picture

Microsoft’s Secure Future Initiative promised a new era of security. But this Patch Tuesday exposed the lie.

They didn’t build security into their products. They built a system where flaws are discovered by outsiders, exposed by researchers, and patched only when the public shames them into action.

The real vulnerability isn’t in CTFMON or HTTP.sys or BitLocker.

It’s in the culture.

Nightmare Eclipse didn’t break Microsoft. They exposed what was already broken.

And until Microsoft stops treating security researchers like criminals and starts treating them like partners, every Patch Tuesday will be another warning sign.

We’re not fixing vulnerabilities anymore.

We’re just managing the fallout.
