Microsoft is the dominant risk concentration this week, combining the largest Patch Tuesday release in program history (206 CVEs) with two wormable-class unauthenticated RCEs, a ClickOnce abuse campaign enabling no-privilege persistence, and a proof-of-concept exploit chain against AutoGen Studio’s MCP integration that achieves host-level code execution from a malicious web page. The combined exposure spans every tier of the enterprise estate: internet-facing servers, endpoints, identity infrastructure, and AI development environments.