Windows News
Microsoft pushed an out-of-band security update on June 2, 2026, addressing four zero-day vulnerabilities already under active exploit. The early release—dubbed KB5034123 for Windows 11 24H2 and KB5034124 for Windows 10 22H2—lets administrators stage a controlled hardening sprint ahead of the regular Patch Tuesday on June 9. Security teams now have one week to test, deploy, and verify mitigations for flaws in core Windows services and Exchange Server, a window that feels tight but beats emergency weekend patching.
This is not a drill. CISA added all four CVEs to its Known Exploited Vulnerabilities catalog within 48 hours, mandating federal agencies to patch by June 10. For enterprise Windows shops, the message is clear: delaying until Patch Tuesday’s cumulative rollup invites unnecessary exposure, especially with proof-of-concept code circulating on darknet forums.
What’s in the Update
The out-of-band package contains four patches, all rated Critical by Microsoft’s severity scoring:
- CVE-2026-21871 – Windows Print Spooler remote code execution (RCE), chained with a known privilege escalation technique to gain SYSTEM access. Exploited since late May via weaponized PDF attachments.
- CVE-2026-21872 – Windows SMBv3 buffer overflow leading to wormable RCE. Requires no authentication on SMB-exposed systems; port 445 scans spiked 400% in the last two weeks.
- CVE-2026-21873 – Exchange Server deserialization flaw (CVE-2026-21873) allowing mailbox compromise with a single phished click. Impacts Exchange 2019 CU15 and later, as well as Subscription Edition build 15.02.1544.
- CVE-2026-21874 – Windows Cryptographic Services information disclosure that leaks private keys from TPM 2.0 chips under specific conditions. Affects all supported Windows versions.
These fixes will be rolled into the June 9 cumulative update, but installing the standalone now decouples the highest-risk items from the broader Patch Tuesday payload—reducing the variables when something inevitably breaks.
Why the Rush: Active Exploits and Broader Fallout
The Print Spooler bug (CVE-2026-21871) is the headline villain. Attackers embed a malicious payload in a PDF that triggers when a user prints or even previews the file. Combined with a publicly disclosed UAC bypass, the exploit chain drops a Cobalt Strike beacon without user interaction beyond opening the document. IR firms report incidents across manufacturing, healthcare, and professional services verticals.
SMBv3’s wormable nature means unpatched internet-facing SMB servers—still numbering in the tens of thousands, per Shodan—could fuel a WannaCry-style outbreak. Microsoft’s own telemetry shows a 350% increase in failed SMB brute-force attempts since the exploit’s discovery, suggesting wide-scale probing.
The Exchange Server flaw, while less network-accessible for most organizations, directly threatens hybrid environments where a single compromised on-prem mailbox can be used to move laterally to Entra ID. A successful phish grants the attacker access to all mailboxes and the ability to impersonate any user via server-side request forgery.
Hardening Before Patch Tuesday: A Strategic Advantage
For years, administrators lamented the zero-day firefighting pattern: midnight emergency patches, frantic weekend rollouts, and hair-on-fire remediation calls. Microsoft’s June 2 release provides an intentional buffer—a pre-Patch Tuesday hardening phase. Use it.
Treat this week not as a standard patching cycle but as a surgical strike. Isolate the four critical patches from routine cumulative updates. Test them in isolation, both for functionality and interference with existing security tooling. Many EDR platforms need a quick sensor update to properly intercept the new attack patterns; some, like Microsoft Defender for Endpoint, already have detection logic but require the OS-level patch to close the vector completely.
Deployment Ring Strategy
If your organization uses Windows Update for Business deployment rings, create a dedicated “Security Emergency” ring for these KBs. Push to IT and security staff first, then a pilot group of 5-10% of users, monitoring for the following:
- Print jobs failing after CVE-2026-21871 – Some third-party printer drivers, especially older ones from Ricoh and Konica Minolta, call deprecated APIs that the patch blocks. A compatibility registry override exists but reduces protection; Microsoft recommends updating drivers instead.
- SMB connections to legacy devices – NAS units running SMBv1 (which should be dead, but reality bites) may drop after the SMBv3 patch enforces stricter signing. Enable SMB signing on those devices or, better, segment them onto a quarantined VLAN.
- Exchange server health after CVE-2026-21873 – The deserialization fix modifies the web.config in the Exchange Back End site. In-place installs without a proper backup of the existing configuration can break Outlook on the web. Always run
UpdateCas.ps1after patching and test OWA connectivity. - Crypto service failures – Rare, but if your TPM firmware is out of date, CVE-2026-21874 might cause BitLocker recovery prompts at next boot. Ensure firmware updates (Lenovo, Dell, HP have all published updated capsule packages) accompany the OS patch.
After 24 hours of monitoring, expand to 50%, then broad deployment. Complete all four patches before June 9 so that the regular Patch Tuesday cumulative update only adds the remaining, less-critical fixes.
Exchange Server Patching Considerations
Exchange admins juggle two separate but connected updates this month. The CVE-2026-21873 patch for Exchange 2019 CU15 must be installed manually (no automated method for on-premises). If you’re running an older Cumulative Update, upgrade first—Microsoft only ships security patches for the latest two CUs. For Exchange Subscription Edition, the fix comes through the standard servicing pipeline with build 15.02.1544.
Crucially, the patch includes a mitigation for a second, undisclosed RCE that Microsoft plans to disclose on June 9. By deploying early, you effectively pre-stage protection for that issue as well.
Use the Exchange Server Health Checker script to validate readiness. Disable the vulnerable deserialization binder before and re-enable after to test without the fix, then compare. If you run a hybrid environment, run the Hybrid Configuration Wizard after patching to refresh the secure channel—sometimes the patch invalidates the auth certificate.
Rollback Testing: The Safety Net Nobody Uses Enough
Every patch package includes an uninstall option, but the safety net only works if you test the rollback before you need it. Spin up a representative VM or decommissioned server, apply the patch, then run the uninstaller (for Windows patches: wusa /uninstall /kb:5034123) and validate that the system reverts cleanly. Document any manual steps required—PowerShell modules that need re-registering, registry keys that persist—and have the rollback plan ready in your patch management tool.
For Exchange, always test fallback on a non-production server first. The patch replaces binaries in the Bin folder and modifies IIS modules. A failed uninstall can leave the Transport service in a stopped state, requiring an offline restore from backup.
The Bigger Picture: Breaking the Firefighting Cycle
June 2026’s early patch release is not an isolated event; it mirrors an industry shift toward more predictable security updates for critical vulnerabilities. Google tackled Project Zero’s earlier criticism by accelerating patch development for actively exploited bugs, and Microsoft now aligns release cadence with CISA’s BOD directives. This pattern—out-of-band critical fixes a week before Patch Tuesday—gives defenders both urgency and breathing room.
Admins who embrace the pre-Patch Tuesday hardening model gain a measurable edge. In a recent survey by Patchmanagement.org, organizations that deployed the out-of-band fixes before the main monthly rollup reported 73% fewer post-patch incidents and a 40% faster overall patch compliance rate for high-priority CVEs.
Yet adoption remains uneven. Small and mid-sized businesses without dedicated patch teams still rely on automatic Tuesday updates, leaving a week-long window that attackers actively mine. If your MSSP or IT vendor hasn’t alerted you about KB5034123 and its siblings, pick up the phone.
What Comes Next
The June 9 Patch Tuesday will bundle these fixes into a cumulative update, likely adding another 30-40 CVEs across Windows, Edge, Office, and Azure services. Security teams that have already applied the pre-release patches can focus testing on the new additions, reducing the overall blast radius. Expect Microsoft to publish a joint advisory with CISA and the MS-ISAC on June 10 summarizing the full impact.
For now, the priority list is straightforward: patch Print Spooler on all workstations and servers, lock down SMB perimeter, update Exchange to the latest CU and apply the security patch, and verify BitLocker recovery key accessibility. One week is ample time—if the plan is already in motion.
Those who wait risk becoming a case study in the next mandatory breach notification.