The biggest Patch Tuesday in Microsoft history dropped yesterday: 200 vulnerabilities. 33 Critical. 3 disclosed zero-days. And then — hours after the patches shipped — a researcher published an unpatched one that works on fully updated Windows 10 and 11.

You patched everything available. You still have a gap.

Here is what the June 9 release actually requires from your team.

CVE-2026-50507 — BitLocker bypass (YellowKey). A physical attacker places crafted files on a USB drive or EFI partition, boots into Windows Recovery Environment, holds CTRL, and gets unrestricted access to drives encrypted with TPM-only BitLocker. No password, no key, no BitLocker. Affects Windows 11 and Server 2022/2025 with TPM-only configurations. Microsoft rates it “Exploitation More Likely.” If your NIS2 or ISO 27001 compliance relies on “encrypted at rest” through BitLocker without a PIN, that control is no longer reliable on any machine someone can physically reach.

CVE-2026-42897 — Exchange Server OWA finally gets its permanent fix. It had been actively exploited since May 14 with only a temporary mitigation available. Any on-premises Exchange organization still on the temp fix needed Tuesday’s update.

Remote Desktop Client: 11 vulnerabilities patched, 4 Critical RCE. PoC exploits for RDP CVEs typically surface within 72 hours of Patch Tuesday.

RoguePlanet (no patch yet): A frustrated researcher dropped a local privilege escalation exploit publicly — hours after Patch Tuesday — that grants SYSTEM access on fully patched machines through a Microsoft Defender race condition. Microsoft has not issued a patch or advisory.

Next 48 hours:

Audit BitLocker configurations. Any machine running TPM-only without a PIN is exposed to YellowKey. Add TPM+PIN now. Physical security controls are the interim mitigation for RoguePlanet until Microsoft patches.
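An added example of the audit step above, not code from the original post: it lists every BitLocker volume on the local machine, flags the ones that are protected by a bare TPM protector with no PIN or startup key, and with `-Remediate` adds a TPM+PIN protector. It assumes an elevated PowerShell session on Windows 10/11 with the BitLocker module, that policy permits a startup PIN, and the PIN value is a constructed placeholder.

```powershell
# Added example (not from the post): find volumes relying on a TPM-only
# protector and optionally move them to TPM+PIN.
# Assumes: run elevated; BitLocker PowerShell module present; startup PIN
# allowed by policy ("Require additional authentication at startup").
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$NewPin = 'ChangeMe-123456'   # placeholder for the example only
)

# Protector types that bind the volume key to the TPM in some form
$tpmFamily = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

$findings = foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmTypes = @($types | Where-Object { $tpmFamily -contains $_ })
    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = $vol.VolumeType
        Status     = $vol.ProtectionStatus
        Protectors = ($types -join ',')
        # Exposed: encryption on, TPM-bound, and nothing beyond the bare TPM
        TpmOnly    = ($vol.ProtectionStatus -eq 'On') -and
                     ($tpmTypes -contains 'Tpm') -and
                     -not ($tpmTypes | Where-Object { $_ -ne 'Tpm' })
    }
}

$findings | Format-Table -AutoSize
$exposed = @($findings | Where-Object TpmOnly)

if ($exposed.Count -eq 0) { Write-Host 'No TPM-only volumes found.'; return }
Write-Warning "$($exposed.Count) volume(s) rely on a TPM-only protector."

if ($Remediate) {
    $securePin = ConvertTo-SecureString $NewPin -AsPlainText -Force
    foreach ($f in $exposed) {
        # A volume carries one TPM-family protector, so the TPM+PIN protector
        # takes the place of the TPM-only one. Keep a recovery password first.
        Add-BitLockerKeyProtector -MountPoint $f.MountPoint -TpmAndPinProtector -Pin $securePin
    }
}
```

Run it without `-Remediate` first to get the inventory; the remediation path changes the boot experience for users, so back up recovery passwords and roll it out per your change process.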

Patch Remote Desktop Client before the weekend. Four Critical RCE CVEs — exploitation historically follows Patch Tuesday by days, not weeks.

For on-premises Exchange, apply the June 9 update to permanently close CVE-2026-42897. The EM Service temporary fix is no longer sufficient.

Links for a deeper technical dive are in the comments.