Microsoft Patches Critical Remote Desktop Client and HTTP.sys RCE Flaws
Microsoft’s June 2026 Patch Tuesday delivered a record-setting security release, with reports citing 206 to 208 CVEs addressed across Windows, Office, Azure, SQL Server, and other products, including 32 critical issues. Among the most urgent were multiple Remote Desktop Client remote code execution flaws—CVE-2026-42985, CVE-2026-47289, CVE-2026-44801, CVE-2026-44799, and CVE-2026-48563—that could let an attacker run code on a victim system if the user connected to a malicious Remote Desktop Server or accepted a specially crafted RDP certificate. Microsoft rated CVE-2026-42985 as more likely to be exploited, while the others were assessed as less likely at publication; several of the bugs were credited to Kyeongmin Kim of KAIST Hacking Lab.
Microsoft also disclosed CVE-2026-47291, a critical HTTP.sys remote code execution vulnerability with a CVSS 9.8 score that can be exploited remotely without authentication or user interaction by sending a specially crafted packet to a server using the Windows HTTP Protocol Stack. Microsoft said systems using the default MaxRequestBytes setting are not affected, but warned that servers with higher values may be vulnerable and advised administrators to set the registry value to a safe level and restart the HTTP service or host until patches are applied. Cisco Talos published Snort coverage for many of the newly disclosed flaws, while separate reporting also highlighted one actively exploited zero-day in Microsoft Defender and additional high-risk issues in Hyper-V, DHCP Client, Secure Boot, and UEFI components.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2026-11824 advisory
Microsoft's Security Response Center published an advisory page for CVE-2026-11824 in its Update Guide. The existing timeline does not already include this specific vulnerability disclosure.
Microsoft publishes CVE-2025-49697 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-49697 in its Update Guide. The existing timeline does not already include this specific vulnerability disclosure.
Microsoft publishes CVE-2025-49673 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-49673 in its Update Guide. The existing timeline does not already include this specific vulnerability disclosure.
Microsoft publishes CVE-2025-48824 advisory
Microsoft's Security Response Center published an advisory page for CVE-2025-48824 in its Update Guide. The existing timeline does not already include this specific vulnerability disclosure.
Cisco Talos releases Snort coverage for June Patch Tuesday flaws
Following Microsoft's June 2026 Patch Tuesday disclosures, Cisco Talos published Snort coverage for many of the newly disclosed vulnerabilities. Talos specifically highlighted CVE-2026-42985, CVE-2026-47291, CVE-2026-44803, and CVE-2026-44812 as prominent issues and advised users to update to the latest rulesets.
Microsoft publishes CVE-2026-45607 for Windows Hyper-V
On 2026-06-09, Microsoft received and published CVE-2026-45607, an out-of-bounds read vulnerability in Windows Hyper-V that could allow local code execution. The entry referenced Microsoft's Security Response Center update guide and classified the issue as high severity.
Microsoft discloses critical HTTP.sys RCE and mitigation guidance
On 2026-06-09, Microsoft disclosed CVE-2026-47291, a critical Windows HTTP.sys remote code execution vulnerability that is network-exploitable without authentication or user interaction. Microsoft said exploitation was more likely, released a fix, and advised administrators to set MaxRequestBytes to a safe value and restart the HTTP service or system as a mitigation before patching.
Microsoft discloses multiple critical Remote Desktop Client RCE flaws
On 2026-06-09, Microsoft disclosed several critical Remote Desktop Client remote code execution vulnerabilities, including CVE-2026-42985, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, and CVE-2026-48563. Microsoft said fixes were available for these issues and stated they were not publicly disclosed or exploited at publication, while rating CVE-2026-42985 as more likely to be exploited.
Microsoft issues June 2026 Patch Tuesday security updates
On 2026-06-09, Microsoft released its June 2026 Patch Tuesday updates, addressing a record-breaking set of vulnerabilities across its product portfolio. Sources describe the release as fixing 206 Microsoft vulnerabilities, while another report counts 208 Microsoft CVEs and 571 total when Chromium and bundled third-party components are included.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
20 references tracked. Mallory keeps watching after this page renders.
Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs
securityaffairs.com
Open sourceMicrosoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceCVE-2026-48563 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-44799 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for **165 vulnerabilities** across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was **CVE-2026-32201**, an **actively exploited** improper input validation flaw in **SharePoint Server** that enables unauthenticated network-based spoofing and was immediately added to **CISA's Known Exploited Vulnerabilities** catalog. Microsoft also patched **CVE-2026-33825**, a publicly known **Microsoft Defender** privilege-escalation bug with proof-of-concept code, and **CVE-2026-33824**, a critical **remote code execution** flaw in **Windows IKE Service Extensions** affecting IPsec/VPN infrastructure. Researchers flagged **CVE-2026-33827** in **Windows TCP/IP** as potentially **wormable** under certain IPv6 and IPSec configurations. Other high-impact fixes include **CVE-2026-33120**, a **SQL Server remote code execution** flaw that paired with a separate privilege escalation bug (**CVE-2026-32176**) could enable full server compromise, and **CVE-2026-32220**, a **UEFI Secure Boot bypass** that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
Apr 15, 2026
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
Apr 22, 2026
Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of **remote code execution** vulnerabilities affecting Windows components and enterprise services, including **Windows Telephony Service**, **Hyper-V**, **ReFS**, **WSUS**, **Direct Show**, the **Windows Mobile Broadband Driver**, **Windows Server Setup and Boot Event Collection**, **SQL Server Native Client**, and **.NET**. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including `CVE-2024-43620`, `CVE-2024-43627`, `CVE-2025-21190`, `CVE-2025-21240`, `CVE-2025-21243`, `CVE-2025-21250`, `CVE-2025-21266`, `CVE-2025-21273`, `CVE-2025-21409`, and `CVE-2025-21413`, indicating sustained patching activity around a single Windows attack surface. Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through `CVE-2026-21244` and `CVE-2026-21248` in **Windows Hyper-V**, `CVE-2025-62456` in **Windows Resilient File System (ReFS)**, `CVE-2025-59287` in **Windows Server Update Service (WSUS)**, `CVE-2025-49666` in **Windows Server Setup and Boot Event Collection**, `CVE-2024-49012` in **SQL Server Native Client**, `CVE-2025-21291` in **Windows Direct Show**, and `CVE-2026-24288` in the **Windows Mobile Broadband Driver**. One referenced case, `CVE-2021-34458`, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a **Critical** Windows Kernel issue that could enable cross-guest interference on systems using **SR-IOV-capable hardware**.
May 25, 2026