Patch Tuesday Just Dropped Three Windows Zero-Days, an Exchange Exploit, and Two Ivanti Nightmares. What Are You Waiting For?
Three Windows zero-days. An Exchange Server exploit that was already being used against real targets. Two Ivanti Sentry vulnerabilities scoring 10.0 and 9.9. Today is June’s Patch Tuesday, and it is one of the worst in recent memory.
If you have Windows machines, an on-premises Exchange server, or a supply chain that touches Ivanti products, stop reading and start patching. Then come back.
Still here? Right. Let’s go through what actually happened today and what it means for your business.
The Windows Zero-Days: YellowKey, GreenPlasma, and MiniPlasma
Microsoft patched three zero-day vulnerabilities in Windows today. These weren’t theoretical risks sitting in a researcher’s lab notebook. They were being actively exploited before the patches existed.
YellowKey and GreenPlasma are privilege escalation vulnerabilities. In plain English: an attacker who already has a foothold on your machine, perhaps through a phishing email or a compromised account, can use these flaws to instantly elevate themselves to SYSTEM level. That is the highest level of access on a Windows machine. Full control. Everything.
MiniPlasma is arguably the most alarming of the three. It grants access to BitLocker-protected drives. BitLocker is the encryption built into Windows that protects your data if a laptop is stolen or seized. Many small businesses rely on it as their primary data-at-rest protection, often because a consultant told them it was enough. MiniPlasma suggests that relying on BitLocker alone, without layered controls, is a bet that just got a lot riskier.
All three vulnerabilities affected fully patched Windows systems before today. The phrase “fully patched” was doing precisely no protective work whatsoever.
The Exchange Server Zero-Day: Already in the Wild
Microsoft also patched a zero-day in Exchange Server, its email platform used by businesses running on-premises email infrastructure. The vulnerability allowed attackers to execute arbitrary JavaScript code via cross-site scripting (XSS) attacks targeting Outlook Web Access, the browser-based interface your staff use to check email when they’re not in the office.
This one was being exploited in attacks before today’s patch. That means someone, somewhere, was already using it against real targets.
Here is why this matters for small businesses even if you don’t run Exchange yourself. Your accountant might. Your solicitor might. The managed service provider handling your IT almost certainly manages Exchange for multiple clients. Supply chain exposure is real, and it cuts in both directions: you can be compromised through a trusted partner’s vulnerable system, and you can be the vulnerable link that exposes your clients.
If you use Microsoft 365 rather than on-premises Exchange, you are not affected by this specific vulnerability. Microsoft manages patching for the hosted service. But if you have any on-premises Exchange infrastructure, apply today’s update immediately.
Ivanti Sentry: A Perfect 10 for Severity
Separate from the Microsoft patches, Ivanti has disclosed two critical vulnerabilities in Ivanti Sentry, a product used to manage and secure mobile device access to corporate systems. The two bugs score 10.0 and 9.9 on the CVSS severity scale. The maximum possible score is 10.0.
The 10.0-rated vulnerability allows remote, unauthenticated code execution with root privileges. Let that sink in. No password. No user interaction. No authentication of any kind. An attacker with network access can run whatever code they want on the affected system with the highest possible level of privilege.
This is not a “patch when convenient” situation. Ivanti has told customers to patch now. That advice should be taken at face value.
Small businesses are unlikely to run Ivanti Sentry directly. But if your IT is managed by an MSP, or if you work with larger organisations as part of their supply chain, ask the question. Ask your IT provider today whether they use Ivanti Sentry and whether they have applied the patches. If they cannot answer that question promptly and clearly, that is useful information about how seriously they take your security.
What Today Tells Us About the Broader Problem
Three zero-days being actively exploited means three separate threat actors, or groups, had working exploits for Windows vulnerabilities and were using them against targets before Microsoft knew the flaws existed. That is not a software quality story. That is a threat landscape story.
The Exchange vulnerability being exploited in the wild before patching is now a recurring pattern. It happened with Exchange in 2021. It is happening again in 2026. If your organisation relies on on-premises Exchange and applies patches on a monthly review cycle rather than immediately upon release, you are accepting a window of exposure that attackers are demonstrably willing to use.
Ivanti’s track record on critical vulnerabilities is, at this point, a documented pattern. Organisations that continue to deploy Ivanti products without an aggressive, near-real-time patching posture are making a choice. Make sure it is a conscious one.
How Today’s Patches Give You a Competitive Edge
If you are a small business that patches quickly and keeps your systems current, you are already ahead of a significant proportion of your competitors and peers. Procurement processes at larger organisations increasingly include questions about patching cadence and vulnerability management. Being able to demonstrate that you applied today’s critical patches within 24 hours is a concrete, verifiable answer to those questions.
Cyber Essentials certification requires that critical and high-severity patches be applied within 14 days of release. Today’s patches, particularly the Windows zero-days and Exchange vulnerability, should not wait 14 days. Applying them today does not just protect you. It demonstrates a security culture that goes beyond the minimum requirement, which is exactly the kind of differentiator that matters in supplier due diligence conversations.
Making the Business Case for Urgent Patching
If you need to make the case to a director or budget holder for investing time and resource in patching today rather than next week, here are the arguments that will land:
The risk is confirmed, not theoretical. Three of today’s vulnerabilities were being actively exploited before the patches existed. This is not a precautionary measure. It is a response to a documented, ongoing threat.
The cost of not patching is measurable. A ransomware incident at a 20-person business typically costs between £50,000 and £200,000 when you include downtime, recovery, and reputational damage. Today’s patches are free. The IT time to apply them is a few hours at most.
Regulators and insurers are watching. Cyber insurance underwriters increasingly ask about patching cadence at renewal. Failing to apply a critical patch for a known, actively exploited vulnerability, when patches were available, is the kind of detail that affects both premiums and claims. The ICO takes a similarly dim view of breaches attributable to unpatched known vulnerabilities.
Your supply chain relationships depend on it. If you are a supplier to larger organisations, they increasingly audit your security posture. Being the weakest link in a supply chain is not a position you want to be in.
What to Do Right Now
Here is what a 20-person business should be doing today, in order of priority:
- Run Windows Update on every machine today. Not this week. Today. Go to Settings, Windows Update, Check for updates. Do it on every Windows device in the business. If you have a domain and group policy managing updates, verify that today’s patches are being pushed and confirm they are applying successfully.
- Check your Exchange situation. If you run on-premises Exchange Server, contact your IT provider or MSP right now and ask whether today’s security update has been applied. If they say they will get to it this week, push back. This one was being exploited before the patch existed.
- Ask your MSP about Ivanti. You probably do not run Ivanti Sentry directly. Your MSP might. Ask them whether they use it, whether they have patched it, and what their standard response time is for CVSS 10.0 vulnerabilities. The answer will tell you something important.
- Check your BitLocker posture. If BitLocker is part of your data protection strategy, today’s MiniPlasma vulnerability is a reminder that encryption at rest is one layer, not a complete strategy. Confirm that your BitLocker keys are stored and managed securely, not just sitting in a local administrator account.
- Document what you did and when. If you apply today’s patches today, note it. Date, time, systems updated. That documentation is useful for Cyber Essentials renewals, insurance underwriting conversations, and any future due diligence requests.
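The Windows Update, BitLocker and documentation steps above can be verified and recorded in one pass. The following PowerShell script is an added example written for this article, not code from Microsoft or from the show; it uses the built-in Get-HotFix and Get-BitLockerVolume cmdlets. The KB number in $ExpectedKBs is a placeholder you replace with the IDs from this month’s Microsoft advisory, the report path is an assumed location, and the script is assumed to run in an elevated PowerShell session on each machine (or through Invoke-Command from an admin workstation).

```powershell
# Added example, not from the article: verify this month's updates landed, check
# BitLocker posture on the system drive, and append a dated record for evidence.
# Run elevated on each Windows machine. Replace the placeholder KB IDs below with
# the ones in Microsoft's advisory for this Patch Tuesday.
param(
    # PLACEHOLDER: KB article IDs from this month's Microsoft advisory
    [string[]] $ExpectedKBs = @('KB0000000'),
    # Assumed record location; any path the business keeps for audit evidence will do
    [string]   $ReportPath  = "$env:ProgramData\PatchRecords\$(Get-Date -Format 'yyyy-MM-dd').csv"
)

$now = Get-Date
$os  = Get-CimInstance Win32_OperatingSystem
$record = [ordered]@{
    Computer     = $env:COMPUTERNAME
    CheckedAt    = $now.ToString('s')
    OsVersion    = $os.Version
    LastBootTime = $os.LastBootUpTime.ToString('s')
}

# 1. Which of the expected updates are actually installed? Get-HotFix reads the
#    same installed-update data the Windows Update history page shows.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($ExpectedKBs | Where-Object { $_ -notin $installed })
$record.ExpectedKBs    = $ExpectedKBs -join ';'
$record.MissingKBs     = $missing -join ';'
$record.InstalledToday = (Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq $now.Date } |
    Select-Object -ExpandProperty HotFixID) -join ';'

# 2. Is a WSUS / Group Policy update source configured? If so, the update has to
#    be approved on that server before clients will ever see it.
$wuPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
    -ErrorAction SilentlyContinue
$record.UpdateSource = if ($wuPolicy -and $wuPolicy.WUServer) { $wuPolicy.WUServer }
                       else { 'Microsoft Update (no WSUS policy)' }

# 3. A patch that is installed but waiting on a reboot gives no protection yet.
$record.RebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# 4. BitLocker posture: is the OS drive protected, and is there a recovery password
#    protector that can be escrowed to AD / Entra ID rather than living only on the box?
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($bl) {
    $record.BitLockerProtection = $bl.ProtectionStatus
    $record.BitLockerProtectors = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    $record.HasRecoveryPassword = [bool]($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
} else {
    $record.BitLockerProtection = 'NotAvailable'
    $record.BitLockerProtectors = ''
    $record.HasRecoveryPassword = $false
}

# 5. Append the record: date, time, system, what was verified. This is the
#    evidence Cyber Essentials, insurers and due-diligence questionnaires ask for.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
[pscustomobject]$record | Export-Csv -Path $ReportPath -Append -NoTypeInformation

# 6. Surface anything outstanding and fail the run so a scheduler or RMM notices.
$problems = @()
if ($missing.Count -gt 0)    { $problems += "Missing updates: $($missing -join ', ')" }
if ($record.RebootPending)   { $problems += 'Reboot pending: installed updates are not active yet' }
if ($bl -and $bl.ProtectionStatus -ne 'On') { $problems += 'BitLocker protection is not On for the system drive' }
if ($bl -and -not $record.HasRecoveryPassword) { $problems += 'No recovery password protector: key cannot be escrowed off the machine' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OK: $($record.Computer) verified and recorded in $ReportPath"
```

Run it once per machine after Windows Update reports success; a non-zero exit means something still needs attention. If the BitLocker check reports a recovery password protector that is only stored locally, the built-in Backup-BitLockerKeyProtector cmdlet escrows it to Active Directory on domain-joined machines, which is the usual answer to the “not just sitting in a local administrator account” point above.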
Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share this with someone who needs to hear it. Because someone in your network has not patched yet, and this is the week that matters.
| Source | Article |
|---|---|
| BleepingComputer | Microsoft patches Exchange Server zero-day exploited in attacks |
| BleepingComputer | Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days |
| The Register | Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 |
| BleepingComputer | Microsoft: Some Windows PCs fail to install latest monthly updates |
| The Register | GitHub pulls pin on npm’s auto-run scripts |
| Microsoft Security Response Center | CVE-2026-49975 Apache HTTP Server: mod_http2 denial of service |