The Numbers Don't Lie
Microsoft shipped 200 security fixes on June 9, 2026. Thirty-three of them are rated Critical — meaning they can be exploited remotely without any user interaction to take over a system. Twenty-eight of those Critical flaws are remote code execution bugs. That's not a typo. Nearly every Critical vulnerability this month lets an attacker run arbitrary code on your machines from across the network.
But the real story isn't the volume. It's that six of these flaws were already being exploited or publicly disclosed before Microsoft had a patch ready. Six zero-days. Five were announced ahead of time, and one — an Exchange Server spoofing bug — was actively being weaponized in the wild.
If you haven't patched yet, this is the month where "next Tuesday" stops being a defensible answer.
The Active Exploit: Exchange Server Spoofing
CVE-2026-42897 is the one that should keep you up tonight. Microsoft confirmed it's actively exploited, and they still don't have a full patch ready.
Here's how it works: an attacker sends a specially crafted email to someone who uses Outlook Web Access. If the user opens that email and meets certain interaction conditions, arbitrary JavaScript runs in their browser — in the context of the Exchange server. That's not a sandboxed preview pane. That's full execution.
Microsoft is pushing mitigations through the Exchange Emergency Mitigation Service, which should be enabled by default on most deployments. But if you run Exchange Server and haven't verified your EEM status, check it now. The vendor hasn't disclosed who found this flaw or how attackers are using it beyond the JavaScript execution vector, which makes me nervous. Usually they give us more to work with.
For a deeper technical breakdown of this specific CVE and the active exploitation chain, see our Exchange Server Zero-Day CVE-2026-42897 coverage.
YellowKey and bitskrieg: Two BitLocker Bypasses
Two separate BitLocker vulnerabilities landed in this update, and both share the same nightmare scenario: an attacker with physical access to your device walks away with your data.
CVE-2026-45585 (YellowKey) — This one was disclosed by Nightmare Eclipse, the researcher who's been on a tear against Microsoft's bug bounty program. The exploit is elegant in its simplicity: drop crafted files onto a USB drive or the EFI partition, boot into Windows Recovery Environment, hold CTRL to get a command shell, and your BitLocker-protected drive is wide open. It only affects TPM-only setups on Windows 11 and Server 2022/2025 — meaning if you're relying on TPM without a PIN, you were already in the danger zone.
Microsoft had shared mitigations back in May (enable TPM+PIN instead of TPM-only), but this is the actual fix.
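The mitigation Microsoft recommended for YellowKey is to move OS volumes from TPM-only to TPM+PIN. The following audit script is an added example, not code from the article or from Microsoft; it uses the standard BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector) and must run from an elevated prompt.

```powershell
# Added example: flag BitLocker OS volumes that rely on the TPM alone (no PIN),
# which is the configuration CVE-2026-45585 (YellowKey) targets per the article.
# Requires the BitLocker module (Windows 10/11, Server 2016+) and an elevated prompt.
function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # A volume that is not encrypted has nothing to bypass; skip it.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        $hasTpmOnly = $types -contains 'Tpm'
        $hasTpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        [PSCustomObject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType        # OperatingSystem or Data
            ProtectionOn = $vol.ProtectionStatus  # On / Off (Off = suspended or unprotected)
            Protectors   = ($types | Sort-Object -Unique) -join ','
            # True when the TPM is the only pre-boot authenticator on the volume.
            TpmOnly      = ($hasTpmOnly -and -not $hasTpmPin)
        }
    }
}

$report = Get-TpmOnlyBitLockerVolumes
$report | Format-Table -AutoSize

# For each TPM-only OS volume, print the remediation. Adding a TPM+PIN protector
# replaces the existing TPM-only protector; a volume carries one TPM-based protector.
foreach ($r in $report | Where-Object { $_.TpmOnly -and $_.VolumeType -eq 'OperatingSystem' }) {
    Write-Warning "$($r.MountPoint) is protected by TPM only; add a startup PIN:"
    Write-Host "  Add-BitLockerKeyProtector -MountPoint $($r.MountPoint) -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')"
    Write-Host "  Group Policy must permit a PIN: BitLocker > Operating System Drives > 'Require additional authentication at startup'"
}
```

Run it across a fleet through your remote-management tooling to find the "TPM without a PIN" machines the article describes as already in the danger zone; the RecoveryPassword protector should remain in place after the change.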
CVE-2026-50507 (bitskrieg) — Jonas Lykkegaard disclosed this one on X last Friday, and Will Dormann at Tharros confirmed Microsoft's patch addresses it. Same attack model: physical access, encrypted drive exposed. But here's where it gets ugly — Dormann is warning that the fix itself might trigger an error message saying "A required file couldn't be accessed because your BitLocker key wasn't loaded correctly."
If you see that after patching, the workaround is straightforward: run reagentc /disable followed by reagentc /enable in an elevated command prompt. Still, a patch that breaks your boot experience is the kind of thing that makes patch management teams question their life choices.
The HTTP/2 Bomb
Researchers Quang Luong and Codex, of a California security firm, found a denial-of-service flaw in HTTP.sys that's genuinely clever. They call it the "HTTP/2 Bomb," and it abuses how HTTP/2 compresses and manages web traffic headers.
The attack is asymmetric in the worst way: attackers send tiny amounts of data that force servers to allocate disproportionately large chunks of memory. And they can keep that memory tied up by manipulating flow-control settings, preventing the server from ever freeing those resources. The result? Performance degradation or full outage, depending on how long the attacker holds the connection open.
Microsoft's response is a new registry setting called MaxHeadersCount that limits how many headers HTTP/2 and HTTP/3 requests will accept. The details are in KB5102602, along with a support bulletin on how to configure it. If you run IIS or any HTTP.sys-dependent service, this is worth implementing before the next Patch Tuesday — especially since denial-of-service flaws tend to get exploited well before vendors ship fixes.
GreenPlasma and Mini-Plasma: Nightmare Eclipse's Revenge Tour
Nightmare Eclipse has been publicly disclosing zero-days as protest against Microsoft's handling of its vulnerability disclosure program. This month they contributed GreenPlasma and Mini-Plasma to Patch Tuesday, joining earlier disclosures like BlueHammer, RedSun, and UnDefend.
CVE-2026-45586 (GreenPlasma) — An elevation of privilege in the Windows Collaborative Translation Framework (CTFMON). The technical description is dry: "Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally." What that actually means: you get a shell with SYSTEM permissions. Microsoft credited an anonymous researcher, but BleepingComputer confirmed this is the GreenPlasma flaw.
CVE-2026-45583 (Mini-Plasma) — This one has history. Google Project Zero's James Forshaw originally reported it to Microsoft back in September 2020. It was assigned CVE-2020-17103 and supposedly fixed in December 2020. But Nightmare Eclipse says it's still exploitable. The uncomfortable question hangs in the air: did Microsoft never fully patch it, or did they silently reintroduce the vulnerable code at some point?
Both flaws grant SYSTEM privileges. Both are elevation of privilege, meaning you need some level of access first — but once you're in, you own the machine.
The Critical Non-Zero-Day Highlights
Not everything that matters is a zero-day. A few other Critical flaws deserve attention:
Azure Kubernetes Service (CVE-2026-32193) — Remote code execution in AKS. If you're running containers on Azure and haven't patched, your clusters are exposed to remote takeover.
Active Directory Domain Services (CVE-2026-45648) — Another RCE, this time in AD DS. Active Directory is the crown jewel of most Windows environments, and a remote code execution flaw there is essentially an invitation. See our analysis of exposed Netlogon protocols putting AD control planes at risk for related context on Active Directory attack surfaces.
Microsoft Office — Three Critical RCE vulnerabilities (CVE-2026-45463, CVE-2026-45474, CVE-2026-45472). Office flaws are almost always triggered by opening a document, so social engineering remains the primary attack vector. But Critical severity means the exploit code is likely robust enough that even cautious users could be caught.
Azure Attestation (CVE-2026-45642) — Elevation of privilege in the Azure Attestation service. If you're using device health attestation for zero-trust enforcement, this one undermines the trust model itself.
What This Patch Tuesday Doesn't Cover
A few things to be clear about. The 200 flaws don't include vulnerabilities Microsoft fixed earlier in May — things like Mariner, Azure HorizonDB, Copilot products, Exchange Online, and Microsoft Graph. Those got their own separate update cycle.
The 360 Edge/Chromium flaws fixed by Google this month are also excluded. Microsoft's Patch Tuesday count is strictly what ships on the day, not everything that landed in the ecosystem.
And for Windows 10 users: Microsoft quietly extended free Extended Security Update support to October 2027. That's a separate announcement, but it means you've got more time than you might have thought before having to pay for ESU or migrate.
The broader trend of record-breaking CVE counts on Patch Tuesday continues — see our coverage of how AI-accelerated vulnerability discovery is reshaping the patching landscape for context on why these numbers keep climbing.
Other Vendors Had a Busy Month Too
While Microsoft was busy with 200 flaws, other vendors weren't sitting still:
- Google fixed 124 Android flaws (including one active zero-day) and a Chrome zero-day exploited in attacks
- Cisco patched an SD-WAN zero-day actively used in the wild, plus a Unified CM flaw with a public PoC
- Fortinet addressed multiple FortiOS, FortiSandbox, and FortiProxy flaws
- Check Point fixed a Remote Access VPN vulnerability exploited in Qilin ransomware attacks
- Ivanti patched EPMM and Sentry vulnerabilities (none exploited in the wild, thankfully)
- Ubiquiti addressed three maximum-severity RCE flaws in their networking gear
- Veeam patched a critical Backup & Replication RCE that could compromise domain-joined backup servers
- SAP shipped fixes for four critical flaws
- Acer warned about two unpatched maximum-severity router flaws
- Adobe released updates across Experience Manager, InDesign, Reader, ColdFusion, and more
The broader picture: if you're only patching Windows, you've got a lot of catching up to do.
What to Do Now
Install the updates. Windows 11 gets KB5094126 and KB5093998. Windows 10 ESU gets KB5094127. If you're running Exchange Server, verify your Exchange Emergency Mitigation Service is enabled — that's your only defense against CVE-2026-42897 until a full patch ships.
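Both the Exchange section above and this step say to verify that the Exchange Emergency Mitigation Service is enabled. The script below is an added example, not from the article or from Microsoft; it runs in the Exchange Management Shell and relies on the documented MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties of Get-OrganizationConfig and Get-ExchangeServer plus the MSExchangeMitigation Windows service.

```powershell
# Added example: report whether EEM is actually effective on one Exchange server.
# Run from the Exchange Management Shell (Exchange 2016/2019/SE with a CU that ships EEMS).
function Test-ExchangeEmergencyMitigation {
    [CmdletBinding()]
    param([string]$ServerName = $env:COMPUTERNAME)

    $org = Get-OrganizationConfig
    $srv = Get-ExchangeServer -Identity $ServerName
    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # EEM only applies mitigations when all three hold:
    # the org-wide switch is on, the per-server switch is on, and the service is running.
    $orgOn = [bool]$org.MitigationsEnabled
    $srvOn = [bool]$srv.MitigationsEnabled
    $svcOn = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [PSCustomObject]@{
        Server              = $srv.Name
        OrgMitigationsOn    = $orgOn
        ServerMitigationsOn = $srvOn
        ServiceRunning      = $svcOn
        # IDs of mitigations the service has applied / an admin has blocked on this server.
        MitigationsApplied  = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked  = ($srv.MitigationsBlocked -join ',')
        EEMEffective        = ($orgOn -and $srvOn -and $svcOn)
    }
}

$status = Test-ExchangeEmergencyMitigation
$status | Format-List

if (-not $status.EEMEffective) {
    Write-Warning "EEM is not effective on $($status.Server). To enable it:"
    Write-Host "  Set-OrganizationConfig -MitigationsEnabled `$true"
    Write-Host "  Set-ExchangeServer -Identity $($status.Server) -MitigationsEnabled `$true"
    Write-Host "  Start-Service MSExchangeMitigation"
}
```

The service also needs outbound HTTPS to Microsoft's Office Config Service to fetch mitigations, so a true result here does not prove a mitigation for this CVE has landed; check MitigationsApplied after Microsoft publishes one.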
For the HTTP/2 Bomb, configure MaxHeadersCount per KB5102602 if you run IIS or HTTP.sys services.
And if you get that BitLocker key error after applying the bitskrieg fix, don't panic. Run reagentc /disable and then reagentc /enable in an elevated prompt, and you'll be back to normal.
The Bigger Picture
Nightmare Eclipse's campaign of public zero-day disclosures is a symptom, not the disease. The researcher is protesting Microsoft's bug bounty and vulnerability disclosure practices, and they're using public exposure as leverage. That's a pattern we've seen before with other researchers who feel the system isn't working for them.
But the result is the same regardless of motivation: organizations get hit with multiple zero-days in a single Patch Tuesday, and the window between disclosure and patch shrinks to nearly zero. Microsoft's doing the right thing by fixing six zero-days in one cycle — that's more than most months — but the underlying tension between disclosure timelines and patch readiness isn't going away.
For defenders, the takeaway is simple: this month's updates aren't optional. Thirty-three Critical flaws, six zero-days, and an actively exploited Exchange vulnerability don't leave much room for "I'll get to it next week."