Source: June Patch Tuesday marks a ‘new normal’ with over 200 CVEs, 32 rated ‘critical’ | CSO Online
Author: unknown
URL: https://www.csoonline.com/article/4183632/june-patch-tuesday-marks-a-new-normal-with-over-200-cves-32-rated-critical.html
ONE SENTENCE SUMMARY:
June Patch Tuesday delivered record vulnerability volumes, including Microsoft’s 200+ CVEs, critical SAP flaws, and Adobe enterprise patches amid AI-accelerated discovery.
MAIN POINTS:
- Microsoft released fixes for over 200 CVEs, including three publicly disclosed zero days.
- Thirty-two Microsoft patches are rated critical, with additional high-risk flaws needing urgent assessment.
- Microsoft warns monthly CVE counts will keep rising and expects more out-of-band updates.
- AI-assisted discovery is shrinking time between bug existence and detection, pressuring patch cycles.
- Previously hard-to-audit areas like hypervisor code and Kerberos are yielding more vulnerabilities.
- Exchange Server CVE-2026-42897 moved from workaround guidance to an active-exploit patch.
- Microsoft flagged 15 flaws as “more likely” to be exploited, including http.sys kernel RCE CVE-2026-47291.
- High-rated Hyper-V VM escape vulnerabilities demand attention in virtualized enterprise environments.
- SAP issued 15 patches, including four critical vulnerabilities across core enterprise products.
- Adobe patched 123 vulnerabilities, highlighted by CVSS 10 issues in Campaign Classic and critical ColdFusion bugs.
TAKEAWAYS:
- Shift from slow patch testing to risk-based prioritization aligned with exploitation likelihood.
- Automate patching pipelines to handle sustained, “new baseline” vulnerability volumes.
- Treat internet-facing Windows services using http.sys as urgent remediation targets.
- Prioritize SAP ABAP/NetWeaver criticals due to high impact and low/no-auth attack paths.
- Include Adobe enterprise platforms (Campaign Classic, ColdFusion, Reader) in rapid patch SLAs.