Overview
- Microsoft, which published the update Tuesday, said none of the 137 CVEs show signs of active exploitation.
- CVE-2026-41089 targets Netlogon, the service domain controllers use to handle logins, and allows unauthenticated remote code execution that experts say calls for same-window patching of all controllers.
- CVE-2026-41096 affects the Windows DNS Client and can run attacker code from a malicious DNS reply, creating broad risk because every Windows device relies on DNS lookups.
- CVE-2026-42898 hits on‑premises Microsoft Dynamics 365 with a 9.9 CVSS score and needs no user action, raising the chance a basic foothold could turn a business app server into a code‑execution beachhead.
- A Secure Boot certificate deadline on June 26 pushes organizations to update fleets in time to rotate trust anchors and avoid device boot issues.