Microsoft patches 200 flaws as BitLocker zero-day and Defender RoguePlanet emerge
Microsoft released its largest Patch Tuesday update on record, fixing 200 vulnerabilities across Windows, Office, Azure, Exchange Server, .NET Framework, Hyper-V, Remote Desktop Services, and HTTP.sys, including 33 critical flaws and three publicly disclosed zero-days. The disclosed issues include CVE-2026-50507, a BitLocker security feature bypass that can let an attacker with physical access recover data from affected Windows devices; CVE-2026-49160, an HTTP/2 denial-of-service flaw affecting IIS and services built on HTTP.sys; and CVE-2026-45586, a Windows CTFMON privilege-escalation bug that can give a logged-in attacker SYSTEM privileges. Researchers also highlighted CVE-2026-45657, a wormable Windows kernel use-after-free vulnerability rated CVSS 9.8 that could enable remote, unauthenticated code execution as SYSTEM.
At the same time, security researcher Nightmare Eclipse publicly released RoguePlanet, a separate unpatched Microsoft Defender zero-day exploit that reportedly works on fully updated Windows 10 and Windows 11 systems by abusing a race condition to spawn a SYSTEM-level shell, though reports say it is unreliable and does not currently work on Windows Server in its present form. The BitLocker flaw was disclosed before patches were available and is considered more likely to be exploited, with particular concern for TPM-only deployments because possession of a device may be enough to access protected data. Defenders were urged to rapidly deploy the June cumulative updates, prioritize internet-facing Windows and IIS systems, verify patch compliance, review BitLocker configurations, consider TPM+PIN, and monitor endpoint telemetry for suspicious privilege escalation and activity tied to mounted ISO images.
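
For the BitLocker configuration review mentioned above, the following PowerShell audit is an added example (not code from the cited reports or from Microsoft). It uses the built-in BitLocker module's Get-BitLockerVolume cmdlet from an elevated session and flags volumes that still carry a plain TPM protector, which unlocks at boot with no PIN or startup key; the function name and the Finding labels are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory BitLocker volumes and flag TPM-only unlock.
# Function name and Finding labels are illustrative, not from the article.

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector type names, e.g. Tpm, TpmPin, RecoveryPassword.
        $types = @($vol.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() })

        # A plain 'Tpm' protector releases the key on TPM validation alone.
        $tpmOnlyUnlock = $types -contains 'Tpm'

        # TPM-based protectors that also require a PIN and/or startup key.
        $tpmWithFactor = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
        }).Count -gt 0

        $finding =
            if ($vol.ProtectionStatus -ne 'On') { 'ProtectionOff' }
            elseif ($tpmOnlyUnlock)             { 'TpmOnly' }
            elseif ($tpmWithFactor)             { 'TpmPlusFactor' }
            else                                { 'Review' }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protection   = $vol.ProtectionStatus
            Protectors   = ($types -join ',')
            Finding      = $finding
        }
    }
}

# Show every volume, then list the operating system volumes that need attention.
$report = @(Get-BitLockerProtectorAudit)
$report | Format-Table -AutoSize

$report |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and
                   $_.Finding -in 'TpmOnly', 'ProtectionOff' } |
    Select-Object ComputerName, MountPoint, Protectors, Finding
```

Data volumes normally report 'Review' here because they rely on auto-unlock or password protectors rather than the TPM, so the final filter only surfaces operating system volumes.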

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Microsoft condemned uncoordinated zero-day disclosures
Following the RoguePlanet publication, Microsoft publicly criticized uncoordinated disclosures as unjustifiable and risky to customers, while also saying it did not intend to pursue legal action against people merely conducting or publishing security research.
June Patch Tuesday fixed MiniPlasma zero-day
On 2026-06-10, Microsoft’s June 2026 Patch Tuesday updates patched MiniPlasma, a publicly disclosed local privilege escalation flaw in the Cloud Files Mini Filter Driver that could grant SYSTEM privileges on fully patched systems. Reporting tied the flaw to researcher Nightmare Eclipse and grouped it with the already noted YellowKey and GreenPlasma disclosures.
June Patch Tuesday fixed GreenPlasma and YellowKey
Reports on the RoguePlanet disclosure said Microsoft's June 2026 Patch Tuesday updates fixed two earlier flaws, GreenPlasma and YellowKey, previously disclosed by the same researcher. This tied the new disclosure to earlier Defender-related issues addressed in the same patch cycle.
Microsoft disclosed exploited Exchange zero-day CVE-2026-42897
On 2026-06-10, Microsoft identified CVE-2026-42897, an Exchange Server flaw that could enable arbitrary JavaScript execution in a victim’s browser via a crafted email opened in Outlook Web Access under certain conditions, as under active exploitation. The company said a full patch was still in development and that temporary protections were being deployed through the Exchange Emergency Mitigation Service.
Microsoft added MaxHeadersCount mitigation for HTTP2/Bomb abuse
On 2026-06-10, Microsoft introduced a new MaxHeadersCount registry setting while addressing CVE-2026-49160, a publicly disclosed HTTP.sys denial-of-service flaw associated with the HTTP2/Bomb technique. The change was described as a mitigation against header-based HTTP/2 and HTTP/3 abuse.
Microsoft patched actively exploited Defender flaw CVE-2026-41091
On 2026-06-10, Microsoft’s June 2026 Patch Tuesday updates included a fix for CVE-2026-41091, a Microsoft Defender elevation-of-privilege vulnerability reported as under active exploitation. The flaw had already been added to CISA’s Known Exploited Vulnerabilities catalog, marking it as a significant in-the-wild issue addressed in the release.
Microsoft released June 2026 Patch Tuesday fixes
On 2026-06-10, Microsoft released its June 2026 Patch Tuesday updates, fixing 200 vulnerabilities across products including Windows, Office, Azure, Exchange Server, .NET Framework, Hyper-V, Remote Desktop Services, and HTTP.sys. The release included 33 critical flaws and fixes for publicly disclosed issues including CVE-2026-50507.
Researcher publicly released RoguePlanet Defender zero-day
On 2026-06-09, security researcher Nightmare Eclipse publicly released the RoguePlanet proof-of-concept exploit targeting a Microsoft Defender race condition that can yield SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. Multiple reports said the exploit was reproduced on patched Windows 11, though it was described as unreliable and not currently working on Windows Server in its present form.
Microsoft disclosed BitLocker zero-day CVE-2026-50507
On 2026-06-09, Microsoft disclosed CVE-2026-50507, a BitLocker security feature bypass vulnerability requiring physical access that could allow unauthorized access to data on affected devices. Microsoft said the flaw had been publicly disclosed before patches were available and that proof-of-concept code existed, though no active exploitation had been observed at release.
Microsoft hardened Defender in mid-May, blocking some RoguePlanet paths
Nightmare Eclipse said Microsoft changed Defender in mid-May 2026 in a way that blocked some attack paths for the exploit that later became known as RoguePlanet.
Microsoft patched Brokering File System flaw CVE-2025-49693
Microsoft released a security update for CVE-2025-49693, a local privilege escalation vulnerability in the Microsoft Brokering File System caused by a double free condition that could let an authenticated attacker gain SYSTEM privileges. The update changed memory management behavior to prevent memory from being freed multiple times, and the reference ties detection to systems missing July 2025 update KB5062553.


