Microsoft’s June 2026 Patch Tuesday delivers 206 CVEs including two unauthenticated CVSS 9.8 RCEs in HTTP.sys and the Windows Kernel, a BitLocker bypass with public proof-of-concept, and three publicly disclosed zero-days. Separate CrowdStrike research documents active weaponization of Microsoft’s ClickOnce deployment framework as a no-admin, no-CVE persistence and delivery mechanism operating outside most EDR detection architectures. Any organization running internet-facing Windows Server, BitLocker-protected endpoints, or standard Windows workstations is exposed across multiple simultaneous threat surfaces.