Microsoft’s June 2026 Patch Tuesday is one of its biggest on record — close to 200 security flaws fixed in a single release, including several zero-days. Two stand out for Australian businesses. The first, CVE-2026-41091, is a flaw in Microsoft Defender that is already being exploited in the wild: it lets a low-privileged user escalate to full SYSTEM control. The second, CVE-2026-44815, is a critical flaw in the Windows DHCP Client (CVSS 9.8) that an attacker on the same network can trigger with no clicks and no one logged in, as reported by BleepingComputer.
If your business runs Windows and Microsoft Defender — which is almost every Australian SMB — both of these affect you. The Defender bug matters most because attackers are using it right now. An intruder who already has a foothold, say through a phished password, can use it to take over the whole machine. The DHCP flaw is the kind of bug that worms love: it needs no user interaction and spreads across a shared network, so a single unpatched laptop on your office Wi-Fi is enough to cause trouble.
The fix is simple: apply the June updates now. Don’t wait for your usual monthly maintenance window. Check that your patch management or RMM tooling has actually pushed and installed the June rollup across every device — not just the head-office machines — and prioritise anything internet-facing or on shared networks. If you’re not certain your whole fleet is covered, ask your IT provider to confirm the June updates are installed and that reboots have completed.
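One way to run that check yourself, as an added example rather than tooling from this article: a PowerShell audit that reports, per host, the updates installed since the release date, whether a reboot is still pending, and the Defender platform and engine versions. It assumes WinRM remoting is enabled, that a hypothetical `hosts.txt` lists one hostname per line, and that the release date is the second Tuesday of June 2026 (the date is not stated above).

```powershell
# Added example: audit Windows hosts for post-release updates and pending reboots.
# Assumptions: WinRM remoting works; hosts.txt is a hypothetical file, one hostname per line.
param(
    [string[]]$ComputerName = (Get-Content .\hosts.txt),
    [datetime]$ReleaseDate  = '2026-06-09'   # assumed: second Tuesday of June 2026
)

$check = {
    param($ReleaseDate)
    # Updates whose install date is on or after the release date.
    # InstalledOn can be empty on some systems, so skip those entries.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate }

    # Either key existing means an installed update is still waiting for a restart.
    $pendingKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $pending = [bool]($pendingKeys | Where-Object { Test-Path $_ })

    # Defender versions are only reported; compare them against the fixed
    # version in Microsoft's advisory (not stated in this article).
    $mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }

    [pscustomobject]@{
        RecentKBs        = ($recent.HotFixID | Sort-Object) -join ','
        RebootPending    = $pending
        LastBoot         = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        DefenderPlatform = $mp.AMProductVersion
        DefenderEngine   = $mp.AMEngineVersion
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
    -ArgumentList $ReleaseDate -ErrorAction SilentlyContinue

# Hosts that did not answer are unverified, not patched: list them explicitly.
$unreachable = $ComputerName | Where-Object { $_ -notin $results.PSComputerName }

$results | Select-Object PSComputerName, RecentKBs, RebootPending, LastBoot,
    DefenderPlatform, DefenderEngine,
    @{ n = 'Status'; e = {
        if (-not $_.RecentKBs)   { 'NO UPDATE SINCE RELEASE' }
        elseif ($_.RebootPending) { 'REBOOT PENDING' }
        else                      { 'OK' }
    } } | Format-Table -AutoSize

if ($unreachable) { Write-Warning "Not verified (unreachable): $($unreachable -join ', ')" }
```

A host counts as covered only when it shows an update installed since the release date and no pending reboot. Laptops that were offline land in the unreachable list and need a follow-up.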
Keeping patches current across every device is exactly the sort of thing that slips when no one owns it. All IT Services manages patching and endpoint protection as part of our managed cybersecurity, so flaws like these are closed before they become a problem.
