Critical infrastructure under pressure: Patch Tuesday June 2026

Patch Tuesday in June 2026 highlights critical vulnerabilities in core enterprise infrastructure components. Of particular concern are a remote code execution flaw in Veeam Backup & Replication, a severe vulnerability in Check Point Remote Access VPNs that may allow connections without valid authentication, and critical security issues in SAP NetWeaver affecting authentication and web components. These high‑impact risks are accompanied by three publicly known zero‑day vulnerabilities in Microsoft products.

Microsoft: Three Publicly Known Zero-Days

Microsoft addressed multiple critical security vulnerabilities in Windows 10, Windows 11, and the common Windows Server editions. Most notable are three publicly disclosed zero‑day vulnerabilities:

• CVE-2026-45586
• CVE-2026-50507
• CVE-2026-49160

These flaws were known prior to patch release, significantly increasing the risk for unpatched systems. Updates are available for both client and server platforms.

SAP: Critical Vulnerabilities in NetWeaver Components

SAP also released several critical security updates in June. Particularly affected are central NetWeaver components:

• XML Signature Wrapping in SAML authentication Impacts SAP NetWeaver AS ABAP and the ABAP Platform, potentially undermining the integrity of authentication processes.
• Directory Traversal in SAP NetWeaver Application Server Java (Web Container) This vulnerability may allow unauthorized access to internal resources and should be prioritized, especially in internet‑facing environments.

Further details on these and additional vulnerabilities are available in the latest SAP Security Notes.

Other Vendors: Backup, VPN and Communication Systems at Risk

In addition to Microsoft and SAP, several other vendors released security updates addressing high‑impact issues:

• Adobe: Security updates for multiple products.
• Cisco: Updates for various products, including a vulnerability in Unified Communications Manager with a publicly available PoC exploit, as well as an SD‑WAN zero‑day actively exploited in attacks.
• Fortinet: Security updates for multiple products, including a fix for an OS Command Injection vulnerability in FortiSandbox.
• Check Point: Security fixes for Remote Access VPNs and mobile access components that may allow VPN connections without a valid user password under certain conditions.
• Ivanti: Security updates for various products.
• Veeam: A critical update for Backup & Replication, addressing a vulnerability that can be exploited to achieve remote code execution (RCE) on domain‑joined backup servers—posing a severe risk to backup and recovery infrastructures.

What Is Patch Tuesday?

The term refers to the second Tuesday of each month, when Microsoft releases important security patches for its products. This fixed schedule helps system administrators and users plan and deploy updates more efficiently.