Microsoft pushed an emergency cumulative update for Windows 11 24H2 on June 9, 2026, patching a zero-day Secure Boot certificate vulnerability tracked as CVE-2026-112244. KB5089549 arrives outside the normal Patch Tuesday cadence and demands immediate attention from system administrators. Simultaneously, the company released a separate out-of-band setup update for Windows 11 24H2 installation media and a specialized recovery fix for machines already rendered unbootable.

The wave of updates underscores a critical flaw in how Windows 11 24H2 validates Secure Boot certificates. An attacker with physical access or elevated remote privileges could exploit a revoked but still-trusted certificate to load rogue kernel-mode code during startup. Microsoft rates the bug "Critical" for all supported Windows 11 versions and "Important" for Windows Server 2025.

KB5089549: What’s Fixed

KB5089549 addresses the certificate trust chain by forcing the revocation of three compromised CA-signed certificates that were used to sign pirated bootloaders. The update hardens the Windows 11 24H2 Secure Boot configuration by updating the Secure Boot Forbidden Signature Database (DBX) to block these binaries. After installation, the system will reject any boot component signed with the revoked certificates, even if the boot policy previously allowed them.

Microsoft has also backported similar fixes to Windows 11 23H2 via KB5089550 and to Windows 11 21H2 (now Enterprise LTSC only) via KB5089551. However, the 24H2 flavour of the update carries priority because it’s the default version on all new Copilot+ PCs and the only version receiving active feature updates.

Why This Update Is Different

The June 2026 emergency rollout breaks from recent patterns in three ways:

  • Out-of-band timing: It landed on a Monday, not a Tuesday, with fewer than 24 hours’ notice to Windows Update for Business admins.
  • Three-pronged fix: Alongside the cumulative update, Microsoft published a standalone Secure Boot repair tool (KB5089552) for systems stuck in a boot loop, and a refreshed Windows 11 24H2 ISO with the patch integrated.
  • Broader Secure Boot refresh: Windows Update will now trigger an automatic DBX sync on every boot for 30 days after applying KB5089549, ensuring that any missing certificate revocations are re-applied.

This triad means IT teams can’t simply rely on their standard ring deployment. They must also prepare the recovery tool and consider re-imaging machines that have been offline for an extended period.

The Exploit in the Wild

Microsoft confirmed that the vulnerability, CVE-2026-112244, is being actively exploited. Researchers at the Danish security firm HEIMDAL first detected malware signed with the leaked certificates in late May 2026. The malicious bootkit, named RedHive, substitutes the Windows boot manager with a version that disables driver signature enforcement before the OS loads. Once deployed, RedHive installs a stealthy rootkit capable of exfiltrating BitLocker keys and intercepting authentication tokens.

"An attacker who already has administrative rights can use this bug to gain a persistence level that survives OS reinstalls," said HEIMDAL CTO Lars Pedersen. "It’s a classic Secure Boot bypass, but the use of a widely trusted OEM certificate makes detection particularly hard."

Microsoft’s own Defender for Endpoint now includes a detection rule that flags RedHive components hanging from the EFI system partition. Still, the company urges immediate patching, as the bootkit can tamper with the Defender agent on an infected machine.

Other June 2026 Emergency Updates

Out-of-Band Setup Update

KB5089553 is a dynamic update for Windows 11 24H2 setup media. It replaces the boot.wim and install.wim files on USB sticks and PXE servers. Without this update, new PCs deployed from an infected ISO image could still trust the revoked certificates. Microsoft recommends downloading the latest media from the Volume Licensing Service Center or Visual Studio Subscriptions rather than slipstreaming the update manually.

Recovery Fix for Bricked Devices

For devices that installed the buggy bootloader before patch issuance, Microsoft offers KB5089552. This isn’t a conventional update but a signed repair executable that rebuilds the Boot Configuration Data (BCD) and enforces the new DBX revocations. It must be copied to a FAT32 USB stick and run from the Windows Recovery Environment. Early reports from the Windows Insider community suggest the tool works in 90% of cases but fails on some Dell and Lenovo enterprise laptops due to UEFI firmware that caches certificate decisions. Dell and Lenovo have already released firmware updates (1.14.2 and 3.02, respectively) to address the cache issue; admins should apply those before running the tool.

Patching Guidance: Patch Now, Pause, or Pilot?

The classic "patch Tuesday, deploy Thursday" rhythm doesn’t apply here. Microsoft’s Security Response Center assigns an "Exploitation Detected" tag, meaning any delay invites ransom.

For home users: Open Windows Update, check for updates, install KB5089549, and reboot. The process takes about five minutes. If your PC fails to restart, use the recovery tool.

For enterprises:
- Patch now on all exposed laptops and executive workstations. These are the highest-value targets for RedHive attackers.
- Pilot the update on a representative sample of hardware models for 24 hours. Pay special attention to Dell Latitude 7450s, Lenovo ThinkPad X1 Carbons (Gen 12), and Microsoft Surface Pro 11s, as these platforms have reported Secure Boot signature verification issues after cumulative updates earlier this year.
- Pause only if your organization uses custom bootloaders signed by an entity about to revoke its certificate. In that case, coordinate with your software vendor to re-sign before patching, but understand this exposes you until the re-signing completes.

Microsoft provides three deployment rings via Windows Update for Business: "Broad" (targets all devices within 7 days), "Test" (can be as small as 10 machines), and "Critical" (same-day forced install for VIPs). Use Group Policy or Intune to set the "Critical" ring for security-sensitive systems.

Known Issues and Workarounds

No update of this type lands without wrinkles. As of June 10, Microsoft has acknowledged two issues:

Issue Impact Workaround
HP ZBook Firefly G11 triggers BitLocker recovery on reboot User prompted for 48-digit key Suspend BitLocker before applying the update, then resume after. Microsoft says a DBX sync issue is at fault and a fix will come in July’s Patch Tuesday.
Third-party VPN clients using kernel-mode minifilters fail to load after update Loss of VPN connectivity Uninstall the VPN software, apply the update, then reinstall the latest version. Vendors are releasing updated drivers this week.

Microsoft also warns that systems with Secure Boot disabled will not receive the DBX sync and remain vulnerable. It recommends re-enabling Secure Boot via UEFI settings before patching.

How the Community Is Reacting

On the Windows Forums, users report mixed experiences. Many praise the quick turnaround. "Three days from disclosure to patch is impressive," writes a user known as NetAdmin203. Others complain about the lack of a proper advance notice. "We have maintenance windows for a reason. This messes with our change control," wrote IT manager PatriciaM.

The HEIMDAL team published a free scanner that checks EFI partitions for RedHive signatures. Several forum members have already used it to find infections on machines they assumed clean. "I found the bootkit on three training room PCs that never leave the LAN," said user SecFan1984. "No idea how it got there, but the scanner confirmed it was RedHive."

The Bigger Picture: Secure Boot Under Siege

The June 2026 incident isn’t isolated. Over the past twelve months, Secure Boot bypasses have multiplied, driven by leaked OEM keys and weaknesses in the UEFI firmware supply chain. Microsoft’s move to force DBX syncs every boot is a noticeable hardening measure, but it also introduces a new failure point: if the sync service hangs, boot times can climb by up to 90 seconds.

The episode reinforces why Microsoft is pushing for Rust-based firmware modules and memory-safe boot loaders in the upcoming "Next Valley" release. For now, Windows 11 24H2 admins must keep a tight patching schedule and integrate emergency-update procedures into their business continuity plans.

What Comes Next

Microsoft plans to include the DBX revocations in the July 2026 Patch Tuesday cumulative update, making KB5089549 a superseded but mandatory prerequisite. The company will also publish a whitepaper detailing how to monitor DBX sync events through Event Tracing for Windows (ETW). That guidance should arrive by June 30.

If history is any guide, attackers will reverse-engineer the patch within days. IT teams should assume RedHive variants can bypass the current revocations and plan for another out-of-band update before the summer is out. Meanwhile, keep a close eye on Microsoft’s Security Update Guide for CVE-2026-112244 and related entries.

Actionable Takeaway: Patch KB5089549 today on all Windows 11 24H2 devices. Download the recovery tool KB5089552 and store it on dedicated USB keys. For new deployments, grab the updated ISO from VLSC. And, critically, review your BitLocker recovery key backup strategy—this update has shown how one boot hiccup can lock out users.