What are the Microsoft June 2026 Patch Tuesday zero-days?

Three zero-days were patched: YellowKey and GreenPlasma grant SYSTEM privileges, MiniPlasma bypasses BitLocker. A fourth, RoguePlanet, was released hours later with no patch — it exploits a Defender race condition for SYSTEM escalation.

What is CVE-2026-0257 in PAN-OS?

CVE-2026-0257 is an actively exploited zero-day in Palo Alto Networks PAN-OS. Unit 42 confirmed exploitation in the wild and released IOCs and mitigations. CVSS and attack vector details have not been formally disclosed.

How long was the ServiceNow API flaw exposed before patching?

ServiceNow discovered the unauthenticated API flaw on April 7, 2026 and patched it on June 5 — a 59-day window. Attackers exploited the flaw in customer breaches during that exposure period.

Why is CVE-2026-44963 in Veeam Backup critical for ransomware defense?

CVE-2026-44963 (CVSS 9.4) lets any authenticated AD domain user execute code on the Veeam backup server. Ransomware operators specifically target backup infrastructure to eliminate recovery options, making this a high-priority patch.

What is the RoguePlanet zero-day exploit?

RoguePlanet exploits a race condition in Microsoft Defender to escalate privileges to SYSTEM. Released by researcher Nightmare Eclipse hours after Patch Tuesday, it has no patch. The researcher reports a 100% success rate.

Microsoft's Record 206-Flaw Patch Tuesday — 4 Zero-Days

Microsoft shipped fixes for 206 vulnerabilities on Tuesday — the largest Patch Tuesday on record — including three publicly disclosed zero-days. Hours later, a researcher dropped a fourth zero-day targeting Microsoft Defender with no patch available. Meanwhile, Palo Alto Networks confirmed active exploitation of a PAN-OS zero-day, and ServiceNow disclosed an API flaw that sat unpatched for 59 days while attackers exploited it in customer breaches.

In the News

Microsoft Patches Record 206 Flaws — Then a 4th Zero-Day Drops

Microsoft’s June 2026 Patch Tuesday addresses 206 vulnerabilities — 39 of them critical remote code execution flaws. Three zero-days were publicly disclosed: YellowKey and GreenPlasma both grant SYSTEM-level privileges through privilege escalation, and MiniPlasma bypasses BitLocker full-disk encryption. Microsoft attributed the unprecedented volume to AI-driven bug discovery tooling finding more flaws faster, and signaled that this volume may become the new normal.

Hours after the official release, researcher Nightmare Eclipse — the same individual behind the YellowKey and GreenPlasma disclosures — published RoguePlanet, a fourth zero-day exploiting a race condition in Microsoft Defender to escalate to SYSTEM privileges. The researcher reports a 100% success rate. No patch exists for RoguePlanet. The exploit targets the Defender service itself, meaning the endpoint protection platform becomes the attack surface. Organizations should monitor for Defender service failures and unexpected privilege escalation events (Event ID 4672, 4673) on endpoints as a compensating detection while awaiting a fix.

The operational challenge is straightforward: 206 patches in one cycle exceeds most organizations’ testing and deployment capacity. Prioritization is not optional — it is the only viable response. Risk-based vulnerability management that correlates CVSS with actual exploit availability and asset exposure is the difference between a manageable rollout and a backlog that persists into the next cycle.

What defenders should do: Prioritize the three patched zero-days and the 39 critical RCEs immediately. For RoguePlanet, monitor for Defender service crashes and unexpected SYSTEM-token grants. Ensure EDR telemetry captures Defender process behavior independently of Defender itself.

PAN-OS Zero-Day CVE-2026-0257 Under Active Exploitation

Palo Alto Networks’ Unit 42 published a threat brief confirming active exploitation of CVE-2026-0257, a new zero-day in PAN-OS. The vendor released indicators of compromise and interim mitigations but has not yet disclosed the CVSS score or detailed attack vector. A vendor-issued threat brief with IOCs indicates confirmed customer impact — this is not a theoretical disclosure.

The timing matters: a PAN-OS active exploitation disclosure landing on the same day as Microsoft’s record Patch Tuesday means security teams face competing triage demands across both endpoint and perimeter infrastructure. Organizations running PAN-OS firewalls should apply the vendor’s interim mitigations immediately, ingest the published IOCs into their SIEM and NDR platforms, and monitor for anomalous traffic originating from firewall management interfaces. The Unit 42 threat brief should be treated as a primary source for detection engineering until a full advisory and patch are available.

What defenders should do: Apply Unit 42’s interim mitigations. Ingest published IOCs into detection platforms. Monitor firewall management plane traffic for anomalous outbound connections.

ServiceNow API Flaw Exploited in Breaches — 59-Day Exposure Window

ServiceNow patched an unauthenticated API flaw on June 5 that allowed attackers to query customer instance data without credentials. The vendor discovered the vulnerability on April 7 — creating a 59-day window between discovery and patch during which attackers exploited the flaw in customer breaches. That 59-day window is not a disclosure timeline; it is an exposure timeline where defenders had zero visibility into a vulnerability the vendor already knew about.

ServiceNow instances are deeply integrated with SIEM, SOAR, and CMDB platforms across most enterprise environments. Unauthorized API access to a ServiceNow instance does not just expose ticket data — it can reveal the organization’s asset inventory, vulnerability findings, incident response playbooks, and integration credentials stored in the CMDB. Any organization running ServiceNow should immediately review API access logs from April 7 through June 5 for unauthenticated query patterns that would indicate exploitation during the exposure window.

What defenders should do: Audit ServiceNow API access logs for the April 7 – June 5 window. Review CMDB integration credentials that may have been exposed. Confirm that ServiceNow instances are on the patched version.

Veeam Backup RCE — Any Domain User Can Compromise Backup Servers

A critical vulnerability (CVE-2026-44963, CVSS 9.4) in Veeam Backup & Replication allows any authenticated Active Directory domain user to execute arbitrary code on the backup server. Veeam is the single most targeted backup platform in ransomware operations because destroying backups eliminates the victim’s recovery path and maximizes extortion leverage.

The authentication bar is the critical detail: this is not an admin-level flaw. Any domain user — including compromised service accounts, help desk credentials, or lateral-movement footholds — can reach the backup server and execute code. Organizations with AD-integrated Veeam deployments should patch immediately and verify that backup servers are network-segmented from the production domain. Immutable backup copies stored outside the Veeam server’s control remain the primary countermeasure against backup-targeted ransomware.

What defenders should do: Patch Veeam Backup & Replication immediately. Verify network segmentation between backup infrastructure and the production AD domain. Confirm that immutable or air-gapped backup copies exist outside the Veeam server’s reach.

Defender Action Items

Patch Microsoft June 2026 Patch Tuesday — prioritize 3 zero-days (YellowKey, GreenPlasma, MiniPlasma) and 39 critical RCEs. Monitor for RoguePlanet Defender race-condition exploit via Event IDs 4672/4673 and Defender service failures.
Apply PAN-OS CVE-2026-0257 mitigations — ingest Unit 42 IOCs into SIEM/NDR, restrict firewall management interface access, monitor for anomalous outbound connections from PAN-OS devices.
Audit ServiceNow API logs — review unauthenticated API access from April 7 through June 5. Rotate any CMDB integration credentials. Confirm patched version deployed.
Patch Veeam CVE-2026-44963 — any AD domain user can achieve RCE. Verify backup server network segmentation and immutable backup copy integrity.
Update Chrome to 149.0.7827.103 — CVE-2026-11645, V8 out-of-bounds read/write, exploited in the wild. Fifth Chrome zero-day of 2026.
Assess Ivanti Sentry exposure — two critical flaws including a CVSS 10.0 unauthenticated RCE as root. Patch or isolate Sentry gateways immediately.

Detection Spotlight

RoguePlanet exploits a race condition in Microsoft Defender, causing the Defender service to crash or restart during privilege escalation. Monitor for Defender service disruptions coinciding with new SYSTEM-token grants. The following Splunk SPL query detects Windows Defender service failures followed by SYSTEM-privilege logon events within a 60-second window on the same host:

index=wineventlog (source="WinEventLog:System" EventCode=7034 ServiceName="WinDefend")
| join host
  [search index=wineventlog source="WinEventLog:Security" EventCode=4672
   | where mvfind(Privileges, "SeDebugPrivilege") >= 0
   | rename _time as priv_time]
| where abs(_time - priv_time) < 60
| table _time host ServiceName EventCode Privileges Account_Name
| sort - _time

This query catches Defender service crashes (Event ID 7034 for WinDefend) correlating with Special Privilege logon events (Event ID 4672 with SeDebugPrivilege). False positive rate is low in production — legitimate Defender restarts rarely coincide with privilege escalation events within a 60-second window. Tune by excluding known patching windows or SCCM-driven Defender update cycles.

References

Microsoft Patches 200+ Vulnerabilities — SecurityWeek
RoguePlanet Zero-Day Exploit Released — SecurityWeek
Active Exploitation of PAN-OS CVE-2026-0257 — Palo Alto Unit 42
ServiceNow Flaw Exploited to Gain Access — The Hacker News
Veeam Vulnerability Exposes Backup Servers to RCE — BleepingComputer
Chrome V8 Zero-Day CVE-2026-11645 — The Hacker News
Max Severity Ivanti Sentry Flaw — BleepingComputer
LiteLLM CVE-2026-42271 Exploited — The Hacker News

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.