
Microsoft's June Patch Tuesday: 200+ Flaws, 3 Zero-Days, and an Outlook Preview-Pane RCE

York Computer

On June 9, Microsoft released its June 2026 Patch Tuesday — and it's a big one. The release addresses 206 vulnerabilities, including 33 critical and 167 important-severity issues, plus three publicly disclosed zero-day vulnerabilities. The headline risk for small businesses: a critical Outlook flaw that can fire off malicious code the moment an email loads in the preview pane — no clicking required.

What got patched and why it matters

Microsoft's June 2026 rollout, published on June 9, 2026, addresses 198 vulnerabilities and includes three zero-day vulnerabilities that were actively exploited or publicly known before a fix was available. Coverage spans the products small businesses actually use every day — Windows, Microsoft Office, Outlook, Word, Exchange Server, Remote Desktop, Hyper-V, and Microsoft 365 components.

The most dangerous flaw for a typical small office is CVE-2026-47635, a critical Remote Code Execution vulnerability in Microsoft Outlook and Word caused by a type confusion bug in Microsoft Office. Microsoft states that the attack vector is the preview pane of Outlook (classic): the vulnerability can be exploited when Outlook (classic) renders an email, because its email rendering uses Microsoft Word functionality. In plain English: an attacker just has to get an email into your inbox. If you click it — or even just let the preview pane show it — their code can run on your PC.

The other zero-days include CVE-2026-50507, a Windows BitLocker Security Feature Bypass rated Important, and an HTTP.sys denial-of-service flaw. The BitLocker bypass could allow an attacker with physical or local access to circumvent BitLocker's full-disk encryption protections, undermining a control that many organizations treat as a last line of defense for lost or stolen devices.

Remote Desktop and Hyper-V also took heavy hits

Beyond Outlook, this Patch Tuesday clusters around two pieces of infrastructure that a lot of small businesses depend on for remote work and server consolidation. This cycle contains 54 RCE vulnerabilities, of which a notable subset is rated Critical. Remote Desktop Client received the most concentrated cluster of RCE patches, with 11 total CVEs, including Critical-rated CVE-2026-44801, CVE-2026-44799, CVE-2026-42992, and CVE-2026-42985. Windows Hyper-V was also significantly impacted by Critical RCE vulnerabilities CVE-2026-47652, CVE-2026-45641, and CVE-2026-45607, all capable of allowing VM guest escape and code execution on the host.

The Remote Desktop cluster is the one to watch if your team connects back to the office from home or a client site. CVE-2026-48563 is a critical Remote Code Execution vulnerability due to a heap-based buffer overflow in Windows Remote Desktop Client that allows an unauthorized attacker to execute code over a network. In the case of a Remote Desktop connection, an attacker who controls a Remote Desktop Server could initiate a remote code execution on the machine when a victim connects to the attacking server using the vulnerable Remote Desktop Client. Translation: a poisoned RDP server can hijack the laptop that connects to it.

What your managed-IT provider should be doing this week

This is a textbook "deploy now, don't wait" cycle. Your IT provider should already be testing the June updates in a small ring of machines this week and rolling them out to the rest of your fleet by next week at the latest. Given three actively known zero-days and multiple Critical RCEs, security teams should test and deploy this month's updates without delay, prioritizing BitLocker, HTTP.sys, Remote Desktop, and Hyper-V hosts. Where immediate patching is not possible, network segmentation and restricting RDP exposure can reduce risk until updates are applied.

For the Outlook preview-pane bug specifically, ask your provider three questions: Are all our Office and Outlook installs patched to the June build? Is our email filtering blocking the kinds of malformed attachments that trigger this class of flaw? And do we have endpoint detection that would catch code execution kicked off by Outlook itself? Disciplined monthly patching, mail filtering, and endpoint monitoring are the unglamorous work that York Computer's managed IT services handle on a schedule so a Patch Tuesday like this one isn't a fire drill — it's a Tuesday.
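
One way to picture the third question, as an added example (not York Computer's or Microsoft's code): a small triage pass over process-creation events that flags unusual programs started by Outlook or Word. The event field names, the process lists and the sample events are constructed assumptions; code that stays inside the Outlook process without starting a child process would not appear in this view.

```python
import ntpath

# Assumption: process-creation telemetry (for example Sysmon Event ID 1) has
# already been parsed into dicts with host, parent_image and image fields.
OFFICE_PARENTS = {"outlook.exe", "winword.exe"}

# Constructed starter list of children a mail client rarely needs; tune per fleet.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Executables started from user-writable folders deserve a manual look.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def exe_name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    if exe_name(event["parent_image"]) not in OFFICE_PARENTS:
        return None  # parent is not Outlook or Word
    child_path = event["image"].lower()
    if exe_name(child_path) in HIGH_RISK_CHILDREN:
        return "alert"
    if any(hint in child_path for hint in USER_WRITABLE_HINTS):
        return "review"
    return None


def triage(events):
    """List (verdict, host, parent, child path) for every flagged event."""
    return [(v, e["host"], exe_name(e["parent_image"]), e["image"])
            for e in events if (v := classify(e))]


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "parent_image": OFFICE + r"\OUTLOOK.EXE", "image": OFFICE + r"\WINWORD.EXE"},
    {"host": "ACCT-02", "parent_image": OFFICE + r"\OUTLOOK.EXE", "image": PS},
    {"host": "ACCT-02", "parent_image": OFFICE + r"\WINWORD.EXE", "image": r"C:\Users\pat\AppData\Local\Temp\update.exe"},
    {"host": "FRONTDESK-01", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```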

What York Businesses Should Do

If you run a small business in York County and you're not sure who is responsible for installing this month's Microsoft updates on every workstation and server, that is the gap. Get a written answer to that question this week — before the next phishing email lands in someone's preview pane.
