Weekly Cybersecurity Threat Briefing — June 15, 2026



**Your weekly rundown of the threats that matter most to small businesses.**


Another week, another reminder that attackers don't take days off. This was one of the biggest patch weeks in recent memory — Microsoft alone fixed 200 vulnerabilities — and a few of the threats this week directly target tools that small businesses and MSPs use every day. Here's what you need to know and what to do about it.


---


## 1. Microsoft's Biggest Patch Tuesday of 2026: 200 Vulnerabilities Fixed


**Risk Level: 🔴 Critical**


Microsoft released its June Patch Tuesday updates on June 10, and it was massive — 200 vulnerabilities patched in a single release. That's the largest of the year. Among them:


- **33 Critical vulnerabilities**, including 28 remote code execution (RCE) flaws ([Zecurit breakdown](https://zecurit.co/patch-tuesday-june-2026/))

- **3 publicly disclosed zero-days** (vulnerabilities that were known before the patch)

- **6 Critical RCE flaws in Remote Desktop Client alone** — that's the tool many businesses use for remote access

- **An actively exploited Exchange Server zero-day (CVE-2026-42897)** — attackers were already using this one in the wild before the patch dropped ([BleepingComputer](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/))


The Exchange Server flaw is especially concerning for businesses still running on-premises email. Attackers could execute malicious code through Outlook Web Access (the browser-based email login your team might use when they're away from the office). If you use Microsoft 365 cloud email, you're not affected by this specific one — but if you have any on-premises Exchange, patch immediately.


**What to do:**

- Run Windows Update on every PC and server — but read the next section first if you have HP hardware

- If you run on-premises Exchange Server, prioritize that patch above everything else

- If your team uses Remote Desktop, make sure those systems are updated too

- Reboot machines after updates to make sure patches take effect


---


## 2. ⚠️ Heads Up: June Patch (KB5094126) Is Causing Boot Failures on Some PCs


**Risk Level: 🟠 High (Operational Impact)**


Here's the catch-22 this week: the June patches are critical and need to be installed — but the Windows 11 cumulative update (KB5094126) is causing serious problems on some hardware, especially HP business laptops and desktops.


Reports are flooding in from IT admins managing hundreds of devices ([Windows Latest](https://www.windowslatest.com/2026/06/14/windows-11-kb5094126-issues-include-boot-failures-bsod-bitlocker-recovery-on-some-pcs-hp-onedrive-sync-and-enterprise-apps-broken/), [Cyber Security News](https://cybersecuritynews.com/windows-11-update-kb5094126/)). After installing KB5094126, some PCs are hitting:


- **BitLocker recovery loops** — the machine demands your BitLocker recovery key on every boot, and entering it doesn't always fix the loop

- **Black Screen of Death (BSOD)** on startup

- **Secure Boot signature errors** preventing normal boot

- **Broken OneDrive integration** in File Explorer (less severe, but annoying)


The most affected hardware so far includes the HP EliteBook 840 G10, HP ProBook 460 G11, HP ZBook series, HP Engage One Pro POS systems, and some Dell Precision models. The root cause appears to be related to the Secure Boot certificate updates in the patch interacting badly with older BIOS firmware and smaller EFI partitions (100MB instead of the newer 500MB–1GB layouts).


**This doesn't mean you should skip the patch.** The 200 vulnerabilities it fixes — including actively exploited zero-days — are too serious to ignore. But you should be smart about how you roll it out.


**What to do:**

- **Before patching:** Make sure you have your BitLocker recovery keys accessible (check your Microsoft account, Active Directory, or Intune — wherever they're stored)

- **HP users especially:** Update your BIOS/UEFI firmware to the latest version *before* installing KB5094126

- **Test first:** If you manage multiple machines, patch a few test devices before rolling out to everyone

- **If you're already stuck in a BitLocker loop:** Try temporarily disabling Secure Boot in BIOS, booting into Windows, checking the EFI partition, and updating firmware, then re-enable Secure Boot

- **Talk to your MSP:** This is exactly the kind of situation where having professional IT support saves you hours of headaches
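
The pre-patch checks above can be collected per machine with a read-only PowerShell report. This is an added example, not code from Microsoft, HP, or the sources cited here; it uses built-in Windows cmdlets, must run elevated, and the 100 MB threshold and the warning wording are assumptions drawn from this section.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only pre-patch report for one PC. It changes nothing.

$EspGuid  = '{c12a7328-f81f-11d2-ba4b-00a0c98ec93b}'  # GPT type GUID of the EFI System Partition
$SmallEsp = 100MB                                     # the older layout the briefing flags

# BitLocker: is the OS volume protected, and does a recovery password protector exist?
# A protector existing does not prove the key is escrowed; confirm it in your
# Microsoft account, Active Directory, or Intune before patching.
$bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
$recoveryIds = @($bl.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { $_.KeyProtectorId })

# EFI System Partition size (MBR disks have no GptType and are skipped).
$esp = Get-Partition | Where-Object { $_.GptType -eq $EspGuid } | Select-Object -First 1

# Firmware identity, to compare by hand against the vendor's latest release.
$bios = Get-CimInstance -ClassName Win32_BIOS
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS machines.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

# Whether the update is already listed as installed.
$installed = [bool](Get-HotFix -Id 'KB5094126' -ErrorAction SilentlyContinue)

$report = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Model             = "$($cs.Manufacturer) $($cs.Model)"
    BiosVersion       = $bios.SMBIOSBIOSVersion
    BiosReleaseDate   = $bios.ReleaseDate
    SecureBootEnabled = $secureBoot
    BitLockerStatus   = $bl.ProtectionStatus
    RecoveryKeyIds    = $recoveryIds -join ', '
    EspSizeMB         = if ($esp) { [math]::Round($esp.Size / 1MB) } else { $null }
    KB5094126Present  = $installed
}

# Flag the conditions this section says to resolve before installing.
$warnings = @()
if ($bl -and $bl.ProtectionStatus -eq 'On' -and -not $recoveryIds) {
    $warnings += 'BitLocker is on but no recovery password protector exists.'
}
if ($esp -and $esp.Size -le $SmallEsp) {
    $warnings += 'EFI partition is 100 MB or smaller; update firmware and test first.'
}
$report | Format-List
$warnings | ForEach-Object { Write-Warning $_ }
```

The script cannot know the vendor's latest firmware release, so compare `BiosVersion` against the manufacturer's support page by hand.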


---


## 3. Windows Defender "RoguePlanet" Zero-Day — Still Unpatched


**Risk Level: 🔴 Critical**


Hours after Microsoft released June's patches, a security researcher publicly dropped *another* zero-day exploit — this one targeting Windows Defender itself. It's called "RoguePlanet," and it allows attackers to escalate from a regular user account to full SYSTEM-level access on Windows 10 and Windows 11 machines ([The Hacker News](https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html), [ThreatLocker](https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges)).


The scary part? It works even on machines with the June 2026 patches installed. There is no fix available yet. This is the same researcher (going by "Chaotic Eclipse") who previously released the YellowKey, GreenPlasma, and MiniPlasma exploits targeting Windows — Microsoft has now patched those three in the June update, but RoguePlanet remains open.


**What to do:**

- Still install the June patches — they fix the three older exploits from this researcher

- Use endpoint protection software and monitor for unusual privilege escalation

- Limit which users have local admin rights on their PCs (principle of least privilege)

- Watch for Microsoft's out-of-band patch and apply it as soon as it drops


---


## 4. Check Point VPN Zero-Day Exploited by Qilin Ransomware (CVE-2026-50751)


**Risk Level: 🔴 Critical**


If your business uses a Check Point firewall or VPN, pay close attention. A critical authentication bypass vulnerability (CVE-2026-50751) is being actively exploited, and at least one attack has been linked to the Qilin ransomware gang — currently the most active ransomware group in the world ([Help Net Security](https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/)).


The flaw affects Check Point's Remote Access VPN, Mobile Access, and their Spark firewalls (which are specifically marketed to small and mid-size businesses and MSPs). Attackers can bypass authentication entirely and connect to your network without a password if the VPN is configured to use the older IKEv1 protocol.


Check Point says exploitation has been happening since early May, with attacks increasing in June. They've observed "a few dozen targeted organizations globally" so far.


**What to do:**

- If you use Check Point products, update to the latest fixed firmware immediately

- Check if your VPN configuration uses IKEv1 — if so, switch to IKEv2

- Review VPN logs for suspicious connections going back to May 7, 2026

- Make sure your gateway requires machine certificates for connections


---


## 5. Chrome Zero-Day #5 of 2026 (CVE-2026-11645) — Update Your Browser


**Risk Level: 🟠 High**


Google patched its fifth actively exploited Chrome zero-day of the year on June 9 ([BleepingComputer](https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/)). This one (CVE-2026-11645) is an out-of-bounds memory flaw in Chrome's V8 JavaScript engine. In plain English: visiting a malicious website could let attackers run code on your machine.


The attack works through a crafted web page, which means it could be delivered through a phishing email link, a malicious ad, or a compromised website. Google has confirmed this vulnerability is being exploited in real attacks.


**What to do:**

- Update Chrome on every machine now (Menu → Help → About Google Chrome)

- If you use Edge, Brave, or other Chromium-based browsers, update those too — they share the same engine

- Enable auto-updates and consider forcing browser updates through group policy

- Remind your team: don't click links in unexpected emails


---


## 6. Oracle PeopleSoft Zero-Day — ShinyHunters Breaching 100+ Organizations


**Risk Level: 🟠 High**


The ShinyHunters hacking group has been on a tear, exploiting a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to breach over 100 organizations ([Help Net Security](https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/)). Most victims so far have been universities and educational institutions, but PeopleSoft is also widely used in HR and finance departments across many industries.


The flaw allows unauthenticated remote code execution — meaning attackers don't need any credentials to break in. Oracle released an emergency out-of-band patch on June 10, with Mandiant (Google's security team) confirming active exploitation dating back to late May.


The University of Nottingham is among the confirmed victims, with personal data and academic records of nearly half a million students exposed.


**What to do:**

- If your organization uses Oracle PeopleSoft, apply the emergency patch immediately

- Check for indicators of compromise — especially unusual activity since late May

- This is a good reminder: if you work with vendors or partners who use PeopleSoft for HR/payroll, ask them if they've patched


---


## 7. ⏰ UPDATE: Cisco SD-WAN Patch Now Available — and Secure Boot Deadline Is 10 Days Away


**Risk Level: 🟡 Medium (Cisco) / 🟠 High (Secure Boot)**


Two updates on stories from last week:


**Cisco SD-WAN (CVE-2026-20245):** Good news — Cisco has started releasing patches as of June 10. Last week this was an unpatched zero-day with no workaround. If you use Cisco SD-WAN, now's the time to upgrade. Collect admin-tech files first to preserve any indicators of compromise, then update.


**Secure Boot Certificate Expiration ([Microsoft](https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235)):** The deadline is now just **10 days away (June 25, 2026)**. After that date, devices that haven't been updated with the new 2023 certificates will lose the ability to receive future early-boot security updates. Your computers will still work, but they'll be running on expired security certificates — like driving with an expired insurance card. You can still get it done, but every day you wait is a day you're less protected.


**What to do:**

- **Cisco SD-WAN users:** Apply the June 10 patches now

- **Secure Boot:** Check your devices using Event ID 1808 in Windows Event Log, or the UEFICA2023Status registry key — it should read "Updated"

- Ask your IT provider or MSP if your Secure Boot certificates have been updated — this is something we're proactively handling for our clients at Litzsey Tech
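
The Secure Boot check above can be scripted as follows. This is an added example, not code from Microsoft's playbook; the registry path under `SecureBoot\Servicing` and the use of the System event log are assumptions (the briefing names only the value `UEFICA2023Status` and Event ID 1808), and the computer names in the fleet comment are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: report Secure Boot 2023-certificate status. Read-only.
$check = {
    # Assumed registry location of the UEFICA2023Status value named above.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -Name 'UEFICA2023Status' `
                   -ErrorAction SilentlyContinue).UEFICA2023Status

    # Most recent Event ID 1808; assumed to be written to the System log.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue

    # Independent check: look for the 2023 CA name inside the firmware's
    # Secure Boot signature database (db). Throws on non-UEFI machines.
    $inDb = try {
        $db = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch { $null }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        UEFICA2023Status = if ($status) { $status } else { '(value not present)' }
        LastEvent1808    = $evt.TimeCreated
        EventProvider    = $evt.ProviderName
        Ca2023InDb       = $inDb
        Compliant        = ($status -eq 'Updated')
    }
}

& $check    # run against this machine

# Fleet use (assumes PowerShell remoting is enabled; names are placeholders):
# Invoke-Command -ComputerName 'PC-01','PC-02' -ScriptBlock $check |
#     Sort-Object Compliant |
#     Format-Table Computer, UEFICA2023Status, Ca2023InDb, Compliant
```

A machine where `Ca2023InDb` is true but the status value is missing or not "Updated" is worth a manual look rather than being counted as done.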


---


## Quick Wins This Week


Here are three things you can do right now to improve your security posture:


**1. Force a browser update sweep.** Chrome's fifth zero-day of the year means browser updates are non-negotiable. Walk around the office (or send a message to your remote team) and make sure everyone's Chrome is on version 149.0.7827.102 or newer. Takes 2 minutes per machine.


**2. Check your VPN configuration.** Whether you use Check Point or another vendor, this week's VPN zero-day is a reminder: make sure your VPN isn't using deprecated protocols like IKEv1. Most modern VPNs default to IKEv2, but older configurations may not have been updated.


**3. Run Windows Update — but prep first.** With 200 Microsoft vulnerabilities patched, you need to install this update. But before you do: make sure you have your BitLocker recovery keys accessible, update your BIOS firmware (especially on HP hardware), and test on one machine before rolling out to the whole office.


---


## Sources


- [Microsoft June 2026 Patch Tuesday — Zecurit](https://zecurit.co/patch-tuesday-june-2026/)

- [Microsoft Patches Exchange Server Zero-Day — BleepingComputer](https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/)

- [Patch Tuesday June 2026: Windows Zero-Days & Exchange Exploit — The Small Business Cybersecurity Guy](https://thesmallbusinesscybersecurityguy.co.uk/blog/patch-tuesday-june-2026-windows-zero-days-exchange-ivanti-2026/)

- [KB5094126 Boot Failures, BitLocker Loops — Windows Latest](https://www.windowslatest.com/2026/06/14/windows-11-kb5094126-issues-include-boot-failures-bsod-bitlocker-recovery-on-some-pcs-hp-onedrive-sync-and-enterprise-apps-broken/)

- [Windows 11 Update KB5094126 Issues — Cyber Security News](https://cybersecuritynews.com/windows-11-update-kb5094126/)

- [Microsoft Defender RoguePlanet Zero-Day — The Hacker News](https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html)

- [RoguePlanet Zero-Day Analysis — ThreatLocker](https://www.threatlocker.com/blog/microsoft-defender-zero-day-rogueplanet-grants-system-privileges)

- [MiniPlasma Windows Privilege Escalation — ThreatLocker](https://www.threatlocker.com/blog/miniplasma-windows-privilege-escalation-zero-day-affects-fully-patched-systems)

- [Check Point CVE-2026-50751 & Qilin Ransomware — Help Net Security](https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/)

- [Qilin's Latest Spree of Victims — ZeroFox](https://www.zerofox.com/intelligence/qilins-latest-spree-of-alleged-victims/)

- [Chrome V8 Zero-Day CVE-2026-11645 — BleepingComputer](https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/)

- [Oracle PeopleSoft Under Attack CVE-2026-35273 — Help Net Security](https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/)

- [Secure Boot Certificate Playbook — Microsoft](https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235)

- [June 2026 KB5094126 Release Notes — Microsoft](https://support.microsoft.com/en-us/topic/june-9-2026-kb5094126-os-builds-26200-8655-and-26100-8655-1a9bcba6-5f53-4075-8156-fe11ac631737)


---


## The Bottom Line


This was an unusually heavy week for patches and zero-days. Between Microsoft's record-breaking Patch Tuesday, unpatched Windows Defender exploits, VPN bypasses being used for ransomware, and Chrome's ongoing zero-day problem — the message is clear: keeping your systems updated isn't optional, it's your first line of defense.


If any of this feels overwhelming, that's normal. You don't have to navigate it alone.


Have questions about any of these threats? Need help checking your systems? That's what we're here for. Reach out to Litzsey Tech Services — we help small businesses stay safe without the jargon or the stress.


Stay safe out there,


Kenneth Litzsey

Litzsey Tech Services | litzseytech.com

