Microsoft Just Patched 206 Flaws in One Day
It's a record-breaking Patch Tuesday — 206 vulnerabilities fixed, including three zero-days already being used in attacks. Plus: China's 1,500-device botnet and critical Ivanti, Fortinet, and SAP patches you shouldn't skip.
Wednesday, June 10, 2026 · 5-minute read
🌐 World Intel
Microsoft's monthly security update — called Patch Tuesday — landed this week with 206 vulnerabilities fixed across Windows, Edge, Office, and Exchange. That's the most patches Microsoft has released in a single month on record. Three of those flaws are zero-days — already being used in real attacks when the patches shipped. Critical remote code execution bugs affect multiple products. If you have Windows Update set to automatic, your machine will patch itself. If you don't, open Settings → Windows Update → Check for Updates — today, not this weekend.
Source: The Hacker News
A botnet called JDY has expanded to over 1,500 home routers and small-office devices, researchers say. It's being operated by Volt Typhoon — a China-linked group known for targeting critical infrastructure — and is used primarily for network reconnaissance and scanning. JDY is considered the successor to KV-botnet, which the FBI and Justice Department dismantled in January 2024. Volt Typhoon uses these compromised devices as relay points to make their attacks look like they originate from legitimate home users. If your home router is more than three years old and has never been updated, it may already be part of a botnet you don't know about.
Source: The Hacker News
Three major enterprise software vendors each released security patches on the same day as Patch Tuesday. Ivanti fixed multiple critical flaws in Ivanti Connect Secure and Ivanti Policy Secure — both VPN products that have been heavily targeted over the past two years. Fortinet patched CVE-2026-25089 (CVSS 9.1) in FortiSandbox — an OS command injection flaw requiring no authentication. SAP patched critical vulnerabilities in SAP NetWeaver and SAP BusinessObjects, both widely used in large enterprises for finance and operations management. If your organization uses any of these products, apply patches this week — Ivanti in particular has a history of being targeted while organizations are still deciding whether to patch.
Source: The Hacker News
⚔️ Active Attacks
Of the 206 flaws patched this month, three were zero-days — meaning attackers were already using them in live attacks before Microsoft knew and before any fix existed. Zero-days in Microsoft products typically get used by well-resourced groups first: nation-state hackers, criminal organizations with sophisticated capabilities, and groups that specialize in selling access to compromised systems. By the time a zero-day is patched and announced publicly, the window of unique attacker advantage closes — but not instantly, because many organizations take days or weeks to apply patches.
What you can do: Enable automatic Windows Updates if you haven't already. For organizations: prioritize patching any Windows systems that are internet-facing or hold sensitive data within 24 hours of a zero-day patch release. The first 48 hours after a patch are when copy-cat exploitation ramps up fastest.
Source: The Hacker News
🔓 New Vulnerabilities
OS command injection vulnerability in Fortinet FortiSandbox that requires no authentication. An unauthenticated attacker can run arbitrary operating system commands on the FortiSandbox appliance. This flaw will be exploited actively within days of public disclosure — Fortinet products have been heavily targeted in recent years.
Patch now. Check Fortinet's PSIRT advisory for affected versions. If patching is delayed, isolate FortiSandbox from internet-facing networks immediately.
Multiple critical vulnerabilities patched in Ivanti's VPN products. Ivanti has been one of the most consistently targeted enterprise products for two years running — nearly every major patch cycle has included critical Ivanti flaws, and many have been actively exploited within days of disclosure.
Patch immediately. If you cannot patch right now, temporarily disable the affected product and investigate your logs for indicators of compromise before bringing it back online.
SAP patched critical flaws in its NetWeaver application server platform and BusinessObjects business intelligence suite. SAP NetWeaver has had several critical remote code execution flaws in recent months — attackers know it's a high-value target because it sits at the center of enterprise finance and operations.
Apply SAP Security Notes from the June 2026 Patch Day. SAP systems should never be internet-facing without a web application firewall in front of them.
🛠 New Tech
The JDY botnet story is a good reminder that home and small-office routers are frequently the weakest link in the chain. A new class of tools called router security scanners can check whether your router has known vulnerabilities before attackers do. Shodan (shodan.io) lets you see what your router looks like from the internet. RouterCheck is a consumer-friendly tool that audits your home router for common security issues. For those comfortable with command-line tools, RouterSploit is used by security professionals to test router firmware. The single most effective thing most home users can do: log into your router's admin panel (usually 192.168.1.1 or 192.168.0.1), check the firmware version, and update it if there's a newer version available. It takes about 10 minutes and closes dozens of known vulnerabilities.
💡 Deep Dive
Every second Tuesday of the month, Microsoft releases a security update. It's called Patch Tuesday, and it's been happening since 2003. The idea was to batch security fixes into a predictable schedule so IT teams could plan their update work rather than scrambling at random intervals. It's become something of an institution — security researchers, corporate IT departments, and attackers all mark their calendars for the second Tuesday of the month.
This month's number — 206 patches — is a record. The previous high was around 180. It doesn't necessarily mean Microsoft's software is suddenly less secure. A high patch count can mean researchers found more bugs, or Microsoft invested more in internal security auditing, or both. But it does signal the scale of the maintenance burden in complex software that runs on a billion machines.
The three zero-days in this batch are the more urgent story. A zero-day is a vulnerability that attackers know about and are using before any patch exists. By the time Microsoft ships the fix, real people have already been compromised through these holes. The patch doesn't undo past damage — it just stops future attacks on systems that get updated.
For home users, the practical guidance is simple: turn on automatic updates and leave them on. Windows 10 and 11 both update automatically by default. If you've turned that off — maybe because an update once caused problems — understand that the tradeoff is accepting that your computer will have known security holes for as long as you delay.
For small businesses and organizations, the challenge is more complex. Patches sometimes break things. Applying 206 patches without testing is risky in a production environment. But the alternative — running unpatched systems with known vulnerabilities — is riskier. The standard advice is to apply critical and zero-day patches within 24-48 hours, especially on internet-facing systems. Test other patches in a staging environment first if possible, but don't let "testing" become indefinite delay. The attackers aren't waiting for you to finish your QA process.