The gist: The number of vulnerabilities patched monthly has become the new norm — AI-driven vulnerability scanning tools are dramatically accelerating discovery and forcing faster remediation processes.
Microsoft’s June updates address over 200 CVEs, including three zero-days and 32 critical patches. SAP also patched four critical security flaws in its enterprise products.
Microsoft’s June Patch Tuesday addresses over 200 CVEs, of which 32 are classified as critical. Among these are three publicly known zero-days. Microsoft recommends immediate action for CVE-2026-49160, a denial-of-service vulnerability (CVSS 7.8) in the Windows HTTP Protocol Stack, and warns of active exploitation of CVE-2026-42897 in Exchange Server, which was already disclosed in May but only addressed with workarounds.
Particular attention is required for 15 vulnerabilities for which Microsoft indicates “likely exploitation”. Chief among them is CVE-2026-47291 — a critical remote code execution in http.sys with CVSS score 9.8, affecting IIS, WinRM, and Windows Admin Center. For on-premises environments, CVE-2026-47288 (RCE in Active Directory Kerberos) and CVE-2026-45648 (CVSS 8.8 in AD DS) are also relevant. Additionally, Microsoft addresses multiple Hyper-V VM escape flaws (CVE-2026-47652, CVE-2026-45641, CVE-2026-45607).
The increase is no coincidental event: Microsoft made clear in May that the number of monthly CVEs will continue to rise. Nirwan Dogra, Senior Software Engineer at Microsoft Security, characterizes the 200+ CVEs as the new baseline. AI-driven vulnerability discovery — such as fuzzing and static analysis — dramatically compresses the time gap between bug discovery. Particularly alarming: these tools increasingly find flaws in components like hypervisor code and Kerberos, which were previously considered too complex for manual audits. Dustin Childs of TrendMicro’s Zero Day Initiative describes the June status as “a warning signal — AI supercharges error detection at an uncontrolled scale.”
SAP’s June Patch Day comprises 15 updates for core products such as NetWeaver, Commerce Cloud, S/4HANA, and Business Objects BI Platform, four of which are classified as critical. Microsoft and SAP signal to organizations: manual, time-intensive test-deploy cycles will no longer suffice. The focus must be on risk-based prioritization, automated patch infrastructure, and targeted analysis of likely exploited flaws.
Source: www.csoonline.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.