Patch Tuesday June 2026: Microsoft Vulnerability Priorities and Deployment Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
June 2026 Patch Tuesday landed on June 10, covering vulnerabilities across Windows client and server, Microsoft Office, Exchange Server, Azure-connected components, developer tooling, and Edge. The release follows the consistent pattern of mixed severity ratings where the CVSS score alone is an unreliable prioritization guide -- the patches that should ship first are those where either CISA has confirmed active exploitation in the KEV catalog, or where the vulnerability class and asset exposure create an unacceptable risk window.
This guide provides a tiered prioritization framework for the June 2026 cycle, organized by deployment urgency rather than severity rating.
Patch Tuesday triage: the right prioritization framework
Sorting the June 2026 release by CVSS score and patching from the top produces the wrong deployment order for most organizations. A CVE with a 9.8 CVSS score but no confirmed exploitation and no internet-exposed attack surface can wait behind a CVE with a 7.8 CVSS score that CISA has confirmed is actively exploited against unpatched systems today.
The correct triage sequence for any Patch Tuesday release:
Tier 1 -- Deploy within 24 hours: Any CVE added to the CISA Known Exploited Vulnerabilities catalog with this release. CISA confirms active exploitation before adding a CVE to KEV, meaning threat actors are already weaponizing the vulnerability against real organizations. For federal agencies this is a mandatory deadline under BOD 22-01; for private organizations it is a strong operational recommendation. Check the CISA KEV catalog at cisa.gov/known-exploited-vulnerabilities-catalog for the current list.
Tier 2 -- Deploy within 72 hours on internet-facing systems: Critical-rated CVEs in components with internet-accessible attack surfaces. For June 2026 this means Windows components reachable without authentication, Exchange Server vulnerabilities in organizations with internet-exposed Outlook Web Access, and RCE vulnerabilities in widely deployed web-facing services. Deploy to internet-facing systems first, then propagate to internal systems.
Tier 3 -- Deploy within 7 days: Critical-rated CVEs without confirmed exploitation where the attack vector requires network adjacency or local access, and Important-rated CVEs in commonly exploited product categories (Office, kernel privilege escalation, LSASS).
Tier 4 -- Normal change management (up to 30 days): Important-rated CVEs in lower-risk components, Moderate-rated CVEs across all components, and any CVE where your environment eliminates the attack vector (e.g., a SharePoint RCE if you do not run SharePoint).
Windows kernel and OS component patches: Tier 1 and 2
Windows kernel and core OS component patches receive the highest deployment urgency because successful exploitation typically means privilege escalation to SYSTEM on every affected machine in the environment. June 2026 follows the consistent pattern of kernel privilege escalation (LPE) CVEs that appear in Patch Tuesday releases.
Key deployment considerations for Windows OS patches:
Privilege escalation patches warrant accelerated deployment even when rated Important rather than Critical. The CVSS rating for LPE is typically lower than RCE because an attacker needs existing local access -- but in the context of an ongoing intrusion where an attacker has already achieved initial access, an LPE vulnerability is the last step before SYSTEM access and complete host compromise.
Windows Defender Credential Guard and LSA Protection must be verified as enabled before kernel patches are deployed in organizations running Credential Guard, as some kernel patches interact with these components and require a planned reboot sequence.
Test rollback procedures before deploying OS patches broadly. Windows cumulative updates are increasingly difficult to roll back on newer releases. If testing reveals application compatibility issues post-patch, a documented rollback procedure is essential to avoid an extended vulnerability window during troubleshooting.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Office and Exchange Server patches
Microsoft Office RCE vulnerabilities represent a consistent Patch Tuesday priority because Office documents are a primary initial access vector in enterprise intrusions. A previewed or opened malicious document that triggers an unpatched Office RCE provides initial code execution without any further user interaction beyond the preview.
Office Preview Pane vulnerabilities
Office vulnerabilities that trigger in the Preview Pane are rated more severely and should be patched first within the Office tier because exploitation does not require the user to fully open the document. Disabling the Preview Pane in Outlook is a temporary workaround that reduces exposure while patch deployment is in progress.
Exchange Server OWA-exposed deployments
Exchange Server vulnerabilities in organizations with internet-exposed Outlook Web Access move to Tier 2 deployment urgency regardless of Microsoft's severity rating. Internet-facing Exchange has been a primary ransomware and nation-state initial access vector since ProxyLogon in 2021. Patch internet-exposed Exchange deployments within 72 hours of release for any Exchange CVE rated High or Critical.
Click-to-Run vs MSI Office update channels
Organizations using Microsoft 365 Apps (Click-to-Run) receive Office security updates automatically through their configured update channel. Organizations using volume-licensed MSI-based Office installs must apply updates manually or via SCCM/WSUS. Confirm which deployment model your environment uses and verify the update channel cadence before assuming Office is current.
Edge, .NET, and developer tooling patches
Edge and .NET patches are lower urgency in most enterprise environments but deserve a systematic deployment process rather than indefinite delay.
Edge security updates: Microsoft releases Edge security updates on a more frequent schedule than Patch Tuesday (typically every 4-6 weeks). Patch Tuesday Edge updates should be incorporated into existing Edge update cadence rather than treated as a separate deployment project. Confirm that Enterprise Mode and update policies are not blocking automatic Edge updates in managed environments.
.NET Framework and .NET runtime patches: .NET patches affect any application built on the .NET stack. Deployment testing should verify that critical line-of-business applications built on .NET still function correctly after the update. Most .NET patches apply without application compatibility issues, but applications using deprecated APIs occasionally exhibit problems post-update.
Visual Studio and developer tooling: If your organization deploys Visual Studio to developer workstations via managed software, include developer tooling patches in the Patch Tuesday deployment cycle. Developer workstations that run privileged deployment pipelines are high-value targets and deserve the same patch priority as production servers.
Deployment and testing guidance
The failure mode for Patch Tuesday deployments is not installing patches -- it is deploying patches that break production systems and creating pressure to roll back, leaving systems vulnerable during the troubleshooting period. A structured testing approach eliminates most rollback scenarios.
Test on representative systems before broad deployment
Maintain a patch testing ring of at least 5-10 representative systems per OS version and application stack. Deploy Patch Tuesday updates to this ring first and observe for 24-48 hours. Confirm that business-critical applications launch correctly, authentication works, network connectivity is normal, and no unexpected kernel errors appear in the event log.
Deploy internet-facing systems before internal systems
After testing ring validation, sequence deployment with internet-facing systems first. They have the highest exploitation probability and should receive patches before internal systems where the attacker must already have network access to exploit the vulnerability.
Verify WSUS or MECM update deployment status
Confirm that WSUS or Microsoft Endpoint Configuration Manager (MECM/SCCM) reports successful update installation across all managed devices within your SLA window. Systems that fail to update (reboot not completed, update download failure, GPO conflict) remain vulnerable and require manual follow-up. Generate a compliance report against the patched KB numbers after each deployment wave.
Document exceptions and compensating controls
For systems that cannot be patched within SLA (production systems requiring extended maintenance windows, legacy systems with compatibility constraints), document the exception with the specific CVE, the compensating control in place (network isolation, application-layer WAF, monitoring), the risk owner who approved the exception, and the target patch date.
Patch Tuesday monitoring: building ongoing operational awareness
Responding effectively to each Patch Tuesday requires monitoring infrastructure that surfaces the most actionable information before your deployment window begins.
MSRC Security Update Guide (msrc.microsoft.com/update-guide): Microsoft's official source for CVE details, severity ratings, affected versions, and patch download links. Filter by product to see only CVEs relevant to your environment.
CISA KEV catalog: Check the catalog immediately after each Patch Tuesday release for any new additions corresponding to Microsoft CVEs. CISA adds exploited vulnerabilities on an ongoing basis, and a CVE released on Patch Tuesday can appear in KEV within hours if exploitation is already occurring.
Automatic notification: Subscribe to the MSRC Security Update Notifications (formerly known as security bulletins) via email at msrc.microsoft.com/update-guide/releaseNote to receive same-day notification when Patch Tuesday releases publish. Configure an additional alert for CISA KEV catalog additions via the CISA RSS feed or the CISA KEV JSON API.
For automated KEV monitoring and alert building, see the CISA KEV automated alert guide.
The bottom line
The June 2026 Patch Tuesday triage framework is the same framework that applies to every Patch Tuesday: check CISA KEV first, prioritize internet-facing attack surfaces, and use CVSS as a signal for testing urgency rather than a deployment ranking.
The organizations that consistently close their vulnerability windows fastest are not the ones with the largest patch management teams. They are the ones with a pre-defined priority framework, a tested ring-based deployment process, and a documented exception procedure so that every patch either gets deployed or gets tracked.
For prioritization beyond Patch Tuesday -- specifically how to balance CVSS scores against CISA KEV status -- see the CVSS vs. CISA KEV prioritization guide. For April 2026 Patch Tuesday coverage, see the April 2026 analysis.
Frequently asked questions
When is Patch Tuesday June 2026?
Patch Tuesday June 2026 is June 10, 2026. Microsoft releases security updates on the second Tuesday of every month. For the full release schedule, check the Microsoft Security Update Guide at msrc.microsoft.com/update-guide.
How do I find out which Patch Tuesday vulnerabilities are actively exploited?
Check the CISA Known Exploited Vulnerabilities catalog at cisa.gov/known-exploited-vulnerabilities-catalog immediately after each Patch Tuesday release. CISA adds CVEs with confirmed active exploitation, including Microsoft CVEs from Patch Tuesday, on an ongoing basis. A CVE appearing in the KEV catalog with this month's Patch Tuesday release is your highest deployment priority, regardless of its CVSS score.
What is the recommended SLA for Critical Patch Tuesday patches?
For CISA KEV-listed vulnerabilities: deploy within 24 hours for internet-facing systems. For Critical-rated CVEs with internet-facing attack surfaces but no confirmed exploitation: deploy within 72 hours. For Critical-rated CVEs requiring local or network-adjacent access: deploy within 7 days. For Important-rated CVEs with no confirmed exploitation: deploy within 30 days through normal change management. Document any exceptions with compensating controls and a target patch date.
How do I automate Patch Tuesday monitoring and alerts?
Subscribe to MSRC Security Update Guide email notifications at msrc.microsoft.com/update-guide/releaseNote for same-day Patch Tuesday alerts. For CISA KEV additions, use the CISA KEV JSON API (available at cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) to poll for new additions and trigger SIEM or ticketing system alerts. The CISA KEV API is updated in real time as new entries are confirmed.
Should I patch servers or workstations first on Patch Tuesday?
Patch internet-facing servers first: Exchange Server with OWA exposed, web servers, VPN concentrators, and any server with a public-facing service. Then patch internal servers by criticality: domain controllers, authentication infrastructure, and data repositories before general-purpose servers. Patch workstations last, but within your defined SLA window. The deployment order should match your threat model: the systems most reachable by external attackers should be hardened first.
How do you validate that Patch Tuesday patches actually installed successfully across a mixed Windows fleet, including endpoints that were offline during the deployment window?
Query your patch management tool (WSUS, SCCM, or Intune) for the specific KB number associated with each critical Patch Tuesday update and filter for devices showing 'Pending reboot' or 'Failed' status -- those machines are not protected yet. For devices that were offline during the deployment window, confirm the update installed after they reconnected by cross-referencing the deployment report against your device inventory for any machine not checked in within the last 14 days. In Microsoft Intune, the Device compliance reports under Monitor show patch compliance status per update ring; filter to 'Not compliant' and export for ticketing. For servers not managed by Intune, use a scheduled task or a SCCM PowerShell script that queries the Windows Update Agent COM object (Get-HotFix) and reports installed KBs to a central log. Set a compliance threshold of 95% patched within SLA before marking a Patch Tuesday cycle closed -- the remaining 5% should each have a documented exception or an active remediation ticket.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
