Microsoft Patches Critical Remote Desktop Client and HTTP.sys RCE Flaws
Microsoft’s June 2026 Patch Tuesday delivered a record-setting security release, with reports citing 206 to 208 CVEs addressed across Windows, Office, Azure, SQL Server, and other products, including 32 critical issues. Among the most urgent were multiple Remote Desktop Client remote code execution flaws—CVE-2026-42985, CVE-2026-47289, CVE-2026-44801, CVE-2026-44799, and CVE-2026-48563—that could let an attacker run code on a victim system if the user connected to a malicious Remote Desktop Server or accepted a specially crafted RDP certificate. Microsoft rated CVE-2026-42985 as more likely to be exploited, while the others were assessed as less likely at publication; several of the bugs were credited to Kyeongmin Kim of KAIST Hacking Lab.
Microsoft also disclosed CVE-2026-47291, a critical HTTP.sys remote code execution vulnerability with a CVSS 9.8 score that can be exploited remotely without authentication or user interaction by sending a specially crafted packet to a server using the Windows HTTP Protocol Stack. Microsoft said systems using the default MaxRequestBytes setting are not affected, but warned that servers with higher values may be vulnerable and advised administrators to set the registry value to a safe level and restart the HTTP service or host until patches are applied. Cisco Talos published Snort coverage for many of the newly disclosed flaws, while separate reporting also highlighted one actively exploited zero-day in Microsoft Defender and additional high-risk issues in Hyper-V, DHCP Client, Secure Boot, and UEFI components.
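The MaxRequestBytes check described above, as an added PowerShell example that is not taken from Microsoft's advisory or from the original page. It assumes the standard HTTP.sys parameters key and uses the documented default of 16384 bytes as the baseline, because the page does not state the advisory's exact safe value; the function names are hypothetical.

```powershell
# Added example: audit HTTP.sys MaxRequestBytes against the default value.
# Assumption: 16384 bytes is the HTTP.sys default; the page says default
# configurations are not affected, so anything above it is flagged for review.
$DefaultMaxRequestBytes = 16384
$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysRequestLimit {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Path = $HttpParamsKey,
        [int]$Baseline = $DefaultMaxRequestBytes
    )
    # An absent registry value means HTTP.sys uses its built-in default.
    $configured = $null
    if (Test-Path -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'MaxRequestBytes')) {
            $configured = [int64]$props.MaxRequestBytes
        }
    }
    $effective = if ($null -ne $configured) { $configured } else { $Baseline }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = $configured          # $null when the value is not set
        Effective    = $effective
        AboveDefault = ($effective -gt $Baseline)
    }
}

function Reset-HttpSysRequestLimit {        # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $HttpParamsKey,
        [int]$Baseline = $DefaultMaxRequestBytes
    )
    if ($PSCmdlet.ShouldProcess($Path, "Set MaxRequestBytes to $Baseline")) {
        Set-ItemProperty -LiteralPath $Path -Name MaxRequestBytes -Value $Baseline -Type DWord
        # The new limit applies only after the HTTP service or the host restarts.
    }
}

$state = Get-HttpSysRequestLimit
$state
if ($state.AboveDefault) {
    Write-Warning "MaxRequestBytes is $($state.Effective); review with Reset-HttpSysRequestLimit -WhatIf"
}
```

Raised MaxRequestBytes values are usually deliberate, for example to accept large authentication headers, so confirm with the application owner before lowering the limit on a production server.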

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2026-11824 advisory
Microsoft's Security Response Center published an advisory page for CVE-2026-11824 in its Update Guide.
Microsoft publishes CVE-2025-49697 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-49697 in its Update Guide.
Microsoft publishes CVE-2025-49673 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-49673 in its Update Guide.
Microsoft publishes CVE-2025-48824 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-48824 in its Update Guide.
Cisco Talos releases Snort coverage for June Patch Tuesday flaws
Following Microsoft's June 2026 Patch Tuesday disclosures, Cisco Talos published Snort coverage for many of the newly disclosed vulnerabilities. Talos specifically highlighted CVE-2026-42985, CVE-2026-47291, CVE-2026-44803, and CVE-2026-44812 as prominent issues and advised users to update to the latest rulesets.
Microsoft publishes CVE-2026-45607 for Windows Hyper-V
On 2026-06-09, Microsoft received and published CVE-2026-45607, an out-of-bounds read vulnerability in Windows Hyper-V that could allow local code execution. The entry referenced Microsoft's Security Response Center update guide and classified the issue as high severity.
Microsoft discloses critical HTTP.sys RCE and mitigation guidance
On 2026-06-09, Microsoft disclosed CVE-2026-47291, a critical Windows HTTP.sys remote code execution vulnerability that is network-exploitable without authentication or user interaction. Microsoft said exploitation was more likely, released a fix, and advised administrators to set MaxRequestBytes to a safe value and restart the HTTP service or system as a mitigation before patching.
Microsoft discloses multiple critical Remote Desktop Client RCE flaws
On 2026-06-09, Microsoft disclosed several critical Remote Desktop Client remote code execution vulnerabilities, including CVE-2026-42985, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, and CVE-2026-48563. Microsoft said fixes were available for these issues and stated they were not publicly disclosed or exploited at publication, while rating CVE-2026-42985 as more likely to be exploited.
Microsoft issues June 2026 Patch Tuesday security updates
On 2026-06-09, Microsoft released its June 2026 Patch Tuesday updates, addressing a record-breaking set of vulnerabilities across its product portfolio. Sources describe the release as fixing 206 Microsoft vulnerabilities, while another report counts 208 Microsoft CVEs and 571 total when Chromium and bundled third-party components are included.
Sources
20 references tracked.
Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs (securityaffairs.com)
Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities - Malware News - Malware Analysis, News and Indicators (malware.news)
CVE-2026-48563 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2026-44799 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability (msrc.microsoft.com)
MSRC Product Advisories (msrc.microsoft.com)


