Microsoft carries the broadest and most severe exposure this week: two wormable-class unauthenticated RCEs in Windows Kernel TCP/IP and HTTP.sys (both CVSS 9.8) are patched in the June 2026 Patch Tuesday cycle, alongside three publicly disclosed zero-days. Separately, Microsoft’s ClickOnce deployment framework is being actively weaponized as a persistence and malware delivery platform in a documented, no-privilege-required attack chain. These are two independent response tracks requiring simultaneous action.