What Happened
Microsoft’s June 2026 Patch Tuesday is scheduled for June 9, 2026, and security analysts are flagging two issues as immediate priorities: a patch for CVE-2026-42897 and the critical June 26 Secure Boot certificate deadline.
CVE-2026-42897 is an actively exploited cross-site scripting spoofing vulnerability in Microsoft Exchange Server’s Outlook Web Access, rated Critical with a CVSS of 8.1. Microsoft added it to the CISA Known Exploited Vulnerabilities catalog in May and has been mitigating it through the Exchange Emergency Mitigation Service, which deploys interim controls automatically on servers with the service enabled. A permanent patch is expected in the June 9 release.
The June release also precedes the absolute June 26 deadline for Secure Boot certificate validation — a critical update that revokes signatures of known-bad boot components. Organizations that have not deployed and validated the Secure Boot dbx update before June 26 face potential compliance and operational risk. Industry analysis suggests 2–5% of systems in typical enterprise environments may experience boot failures if the dbx deployment is not staged and tested carefully.
Why This Matters for Canadian Organizations
Microsoft Exchange Server remains deployed in a significant number of Canadian government departments, healthcare organizations, educational institutions, and enterprises that have not completed migration to Exchange Online. For these organizations, CVE-2026-42897 represents an unresolved critical exposure: the Emergency Mitigation Service applies an interim control but is not a substitute for the permanent patch. Any on-premises Exchange 2016, 2019, or Exchange Server SE deployment should be treated as a priority for the June 9 update.
The Secure Boot deadline is a system-level issue. For Canadian IT and operations teams managing large Windows fleets — including those running Windows 11 and Windows Server 2025 — deploying the Secure Boot dbx update without a staged rollout plan risks boot failures on systems with older or signed-but-revoked bootloaders and drivers. PIPEDA and OSFI B-13 both require documented change management processes for critical infrastructure modifications of this type.
What to Do
Before June 9: confirm whether Exchange Emergency Mitigation Service is enabled on all on-premises Exchange servers, verify CVE-2026-42897 mitigation status, and prepare a patching maintenance window for the June 9 release. For the Secure Boot deadline: audit your Windows fleet for systems using older bootloaders or drivers listed in Secure Boot revocation lists, establish a staged rollout plan for the dbx update, and identify recovery procedures for any systems that fail to boot after the update. Apply the June 9 patches across your environment within 30 days of release as a baseline, and prioritize Exchange and any other publicly disclosed exploited vulnerabilities first. Canadian organizations under CCCS guidance should monitor for any advisories issued in conjunction with the June 9 release.
Source: Help Net Security
