// DAILY INTELLIGENCE FEED · MSP & HELPDESK
// ARCHIVED ISSUE

Tuesday, June 30, 2026

2 CRITICAL · 4 WARNING · 7 stories
// FROM THE FLOOR
RISK_LEVEL: 🔴 HIGH

Scan every Cisco UCM and SonicWall appliance for CVE-2026-20230 and CVE-2026-4112 in the next 4 hours; these have public exploits and are actively targeted.

☁️ M365/AZURE · 2 items
WARNING · ☁️ M365/Azure

Microsoft Office/Outlook Critical RCE Patches — CVE-2026-45458 and CVE-2026-45456 via Malicious Documents

The June 2026 Patch Tuesday cycle includes Critical RCE patches for Microsoft Office (CVE-2026-45458) and Outlook/Word (CVE-2026-45456, CVE-2026-47635), all exploitable via malicious document delivery with no other user interaction beyond opening the file. Alert users not to open unsolicited or unexpected Office/Word documents even from known contacts, as CVE-2026-42897 is being actively exploited via this vector. Deploy the June 2026 cumulative M365 and Office updates immediately.

WARNING · ☁️ M365/Azure

Azure Kubernetes Service Critical RCE (CVE-2026-32193) Patched in June Patch Tuesday

A critical path-traversal RCE vulnerability (CVSS 8.8) in Azure Kubernetes Service, patched in June 2026, allows a low-privileged attacker running an untrusted container with hostNetwork to break out and gain control of the AKS worker node. Microsoft has proactively remediated this within its cloud infrastructure, and no customer action is required for cloud-hosted AKS. On-premises or hybrid AKS deployments should apply the cumulative update immediately.

🔐 SECURITY · 2 items
CRITICAL · 🔐 Security

Windows BitLocker Bypass CVE-2026-45585 ('YellowKey') — Confirmed Exploited in the Wild

CVE-2026-45585, dubbed 'YellowKey' and disclosed by the rogue researcher 'Nightmare Eclipse,' is a Windows BitLocker Security Feature Bypass that Sophos has confirmed as exploited in the wild. The flaw allows attackers with physical access to bypass BitLocker device encryption. Patched in the June 2026 Patch Tuesday cycle — apply updates immediately; no standalone workaround exists beyond physical device security controls.

WARNING · 🔐 Security

HTTP/2 Bomb DoS (CVE-2026-49975) — Microsoft IIS Unpatched, NGINX/Apache Fixed

CVE-2026-49975, known as 'HTTP/2 Bomb,' is a publicly disclosed denial-of-service vulnerability affecting multiple web server platforms including Microsoft IIS, allowing a single attacker to exhaust server memory without requiring large bandwidth. Patches are available for NGINX and Apache; Microsoft IIS is not yet patched as of late June 2026. Disabling HTTP/2 on IIS is a valid interim mitigation until a Microsoft patch is released.

🔥 NETWORKING · 2 items
CRITICAL · 🔥 Networking

Cisco Unified Communications Manager SSRF (CVE-2026-20230) — Exploit Code Publicly Available

Cisco Unified CM and Unified CM SME contain a server-side request forgery (SSRF) vulnerability allowing an unauthenticated remote attacker to write files to the underlying OS for later root escalation, with public exploit code now confirmed available. Cisco has released a patch; apply the Unified CM update immediately using the version specified in the official Cisco advisory. This product is commonly deployed as core voice/video infrastructure in Australian enterprises.

WARNING · 🔥 Networking

SonicWall SMA1000 SQL Injection (CVE-2026-4112) and Three Further Vulns Patched

SonicWall patched four vulnerabilities in the SMA1000 series firewalls, including a high-severity SQL injection bug (CVE-2026-4112) that can allow a read-only admin to gain full primary admin rights. Three additional flaws allow remote attackers to enumerate SSL VPN credentials or bypass TOTP authentication. SonicWall reports no known exploitation in the wild but urges immediate update of SMA1000 appliances.

📡 INDUSTRY · 1 item
INFO · 📡 Industry

CRN Channel Awards Australia 2026 Finalists Announced — Expanded MSP Categories Reflect Sector Growth

CRN Australia has announced the shortlist for the 2026 CRN Channel Awards, co-hosted with the GTIA ANZ Spotlight Awards, to be held on 17 September at the Hyatt Regency Sydney. Due to overwhelming applications, the MSP of the Year and Service Provider of the Year categories have been split into headcount-based subcategories, reflecting growth in the Australian MSP sector. The awards recognise MSPs, solution providers, MSSPs, vendors, and distributors across Australia and the broader ANZ region.


// AI-assisted · always verify before acting · not professional security advice