Patch Tuesday June 2026: What UK Small Businesses Actually Need to Do Right Now

The Zero Day Initiative is calling June 2026 Microsoft’s largest Patch Tuesday release ever. The industry responded with the predictable avalanche of alarming listicles.

Here is the problem with that. Alarm without triage is just noise. And noise gets people to do nothing.

I have looked at the data. For UK small businesses, three items warrant immediate attention. The rest can wait for your normal patching cycle.

Story One: Your Windows Machines Are Exposed Right Now

CVE-2026-44815 is a stack-based buffer overflow in the Windows DHCP Client. CVSS score: 9.8. Remote code execution. No user interaction required.

DHCP is the protocol that assigns your devices an IP address when they connect to a network. Every Windows machine uses it by default. An attacker on the same network, or in some configurations across the internet, can potentially execute arbitrary code on your machine without you clicking anything.

That is not theoretical risk. A CVSS 9.8 with network-based exploitation and no user interaction is the kind of vulnerability ransomware operators build tooling around within days of disclosure.

Alongside this, CVE-2026-45657 (use-after-free in the Windows Kernel, CVSS 9.8) and CVE-2026-47291 (integer overflow in HTTP.sys, CVSS 9.8) also landed in the same patch bundle. The pattern is consistent: core Windows components, maximum severity, network-exploitable.

What this means in plain language: Any unpatched Windows machine is carrying three critical, remotely exploitable vulnerabilities as of this morning. The fix is already available. Run Windows Update.

Story Two: Veeam Is Ransomware’s Favourite Target, and It Has Another Critical Flaw

CVE-2026-44963 affects Veeam Backup & Replication version 12. An authenticated domain user, meaning anyone with a standard Windows account on your network, can execute arbitrary code on your backup server.

Veeam is extremely common in small and medium business environments. It is positioned as enterprise backup software at accessible prices, which means it sits in a lot of 10- to 50-person companies. The version 12 constraint sounds reassuring until you note that Rapid7 has already confirmed that domain-joined backup server configurations are the common deployment pattern.

This matters for a specific reason that goes beyond patching hygiene. Your backup server is your recovery option when ransomware hits. Ransomware groups know this. They have targeted Veeam specifically in multiple documented attack campaigns. Previous Veeam vulnerabilities have appeared on CISA’s Known Exploited Vulnerabilities catalogue. CVE-2026-44963 is not yet confirmed as actively exploited, but the attack surface, the attacker interest, and the historical pattern all point the same direction.

Veeam has released patches covering 12 builds. If you or your IT provider runs Veeam, the patch is available now.

The honest risk statement: If a threat actor gets a foothold on any domain account in your organisation and your Veeam server is unpatched, they can destroy your backups before deploying ransomware. At that point your negotiating position with the attacker is considerably weaker.

Story Three: A 2017 WordPress Vulnerability That Will Not Die

CVE-2017-20251 carries a 2017 CVE identifier but was published to the National Vulnerability Database on 9 June 2026. The vulnerability is in the WordPress Insert PHP plugin, versions before 3.3.1.

The mechanism is straightforward. Unauthenticated attackers can send a POST request to the WordPress REST API containing a malicious shortcode. The plugin will execute arbitrary PHP code on the server. No credentials. No user interaction. Full server compromise from a single HTTP request.

The 2017 date is significant. This is not a newly discovered flaw. It is a flaw that has existed for years in software that is, apparently, still running on production websites. The security industry has a tendency to treat old CVEs as lower priority. The data does not support that position. Trend Micro published research this week confirming active exploitation of a WinRAR vulnerability from 2025, with analysts noting that old flaws persist because organisations find them difficult to patch. The same logic applies here.

If your business website runs on WordPress, this requires active investigation, not a mental note.

Why This Gives You an Edge

Most of your competitors are not reading patch notes. Most of them have not checked their WordPress plugins this month. Most of them do not know whether their Veeam installation is version 12.

That gap is a business advantage, not just a security posture. When you pursue contracts with larger organisations, those organisations increasingly require evidence of security controls as part of procurement. Being able to demonstrate that you have a patching process, that you monitor threat intelligence, and that you act on it within 24 to 48 hours of a critical disclosure is a concrete differentiator.

It is also increasingly relevant to your insurance position. Cyber insurers are tightening underwriting criteria. Documented patching processes, particularly for critical CVEs, are becoming a standard requirement for favourable premiums.

The businesses that act on today’s brief are in a demonstrably stronger position than the ones that file it under ‘look at later’.

Making the Business Case

If you need to explain this to a director or a budget holder, three arguments:

The Windows DHCP vulnerability requires no user error. Most security incidents involve phishing, a clicked link, a weak password. CVE-2026-44815 requires none of that. An attacker on the network can exploit it silently. That fundamentally changes the risk conversation from ‘train our staff better’ to ‘apply a patch that is already available at no cost.’

The Veeam flaw puts your recovery capability at risk, not just your data. Ransomware attacks on businesses with intact backups typically resolve faster and with lower total cost than attacks where backups are compromised. This vulnerability specifically targets the backup layer. The cost of patching Veeam is measured in IT time. The cost of a ransomware incident without functional backups is measured in days of downtime and, potentially, regulatory notification obligations under UK GDPR.

The WordPress risk is a supply chain and reputational issue, not just a technical one. If your website is compromised via an unpatched plugin, the consequences include customer data exposure, ICO notification obligations, and reputational damage that is disproportionate to the size of the technical failure. A plugin audit takes less than an hour.

What to Do Before Friday

  1. Run Windows Update on every Windows machine in your organisation today. This covers CVE-2026-44815, CVE-2026-45657, CVE-2026-47291, and the rest of the June Patch Tuesday bundle. If you have an IT provider, confirm with them in writing that this has been applied across all managed endpoints.

  2. Check your Veeam Backup & Replication version. If you are running version 12, apply the patch Veeam released on 9 June 2026. If you are unsure whether you run Veeam, ask your IT provider. If your IT provider is unsure, that is a separate conversation worth having.

  3. Audit your WordPress plugins. Log in to your WordPress admin panel, go to Plugins, and check whether Insert PHP or any variant of it is installed. If it is, deactivate and delete it. If you need similar functionality, there are maintained alternatives. While you are there, update every other plugin that has an available update.

  4. Document what you did and when. A timestamped record of patching activity is relevant to your Cyber Essentials assessment, your insurance policy, and any future procurement due diligence. A brief email to yourself confirming the actions taken is sufficient to start.

  5. If you have an MSP, send them this brief and ask for written confirmation of remediation. ‘We’re monitoring the situation’ is not a remediation status. Patch applied, version confirmed, date completed: that is a remediation status.
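Steps 1, 2 and 4 can be turned into a repeatable evidence record rather than an email to yourself. The PowerShell below is an added example, not tooling from this brief, from Microsoft or from Veeam: run on each Windows host, it lists updates installed on or after 9 June 2026, reads the installed Veeam Backup & Replication version from the registry uninstall keys, and appends a timestamped row to a CSV. The Veeam product name pattern, the output folder and the cutoff date are assumptions made here; the brief gives no KB numbers, so the script records what was installed after Patch Tuesday rather than checking for a specific KB.

```powershell
# Added example: per-host remediation evidence for steps 1, 2 and 4.
# Assumptions (not from the brief): the Veeam DisplayName pattern, the
# output folder, and the cutoff date. No KB numbers are checked because
# the brief does not list them.

param(
    [datetime] $Since  = (Get-Date '2026-06-09'),          # June 2026 Patch Tuesday, per the brief
    [string]   $OutDir = "$env:ProgramData\PatchEvidence"  # assumed evidence location
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$computer = $env:COMPUTERNAME
$now      = Get-Date

# Step 1 evidence: updates Windows reports as installed since the cutoff.
# Get-HotFix reads the installed-update history; it is evidence that
# patching ran, not proof that every June item is present.
$updates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
    Select-Object HotFixID, Description, InstalledOn

# Step 2 evidence: Veeam B&R version from the uninstall registry keys,
# so this works without the Veeam PowerShell module being loaded.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$veeam = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |  # assumed name pattern
    Select-Object DisplayName, DisplayVersion -First 1

$veeamStatus = if ($null -eq $veeam) {
    'not installed'
} elseif ($veeam.DisplayVersion -like '12.*') {
    # Version 12 is the range the brief names for CVE-2026-44963.
    "version $($veeam.DisplayVersion) - in scope for CVE-2026-44963, confirm vendor patch applied"
} else {
    "version $($veeam.DisplayVersion)"
}

# Step 4 evidence: one timestamped row per run, appended so the file
# becomes a patching log you can hand to an assessor or insurer.
$record = [pscustomobject]@{
    Timestamp        = $now.ToString('o')
    Host             = $computer
    RunBy            = $env:USERNAME
    UpdatesSinceDate = (@($updates.HotFixID) -join ';')
    UpdateCount      = @($updates).Count
    Veeam            = $veeamStatus
}

$csv = Join-Path $OutDir 'patch-evidence.csv'
$record | Export-Csv -Path $csv -Append -NoTypeInformation
$record | Format-List
```

Run it from an elevated prompt on each host after Windows Update has completed; a zero in UpdateCount, or a Veeam row still showing an unpatched version 12 build, is the signal to chase your IT provider for the written confirmation step 5 asks for.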

Sources

  • CVE-2026-44815: Windows DHCP Client Stack-Based Buffer Overflow (NIST NVD)
  • CVE-2026-45657: Windows Kernel Use-After-Free (NIST NVD)
  • CVE-2017-20251: WordPress Insert PHP Plugin PHP Code Injection (NIST NVD)
  • Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code (The Hacker News)
  • The June 2026 Security Update Review (Zero Day Initiative)
  • Locked in heated rivalry with researcher, Microsoft fixes 0-day they disclosed (Ars Technica)
  • Old WinRAR Flaw Fuels Attacks: Active Exploitation of Unpatched Systems (Trend Micro)
  • Security Advisory: CVE-2026-44963 Veeam Backup & Replication (Veeam)

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • incident-response
  • compliance-failure
  • vendor-risk
  • business-risk