Microsoft Just Patched 206 Vulnerabilities in One Day. Most Organisations Won’t Patch Fast Enough.

I have said it before and I will say it again: the gap between a vulnerability being disclosed and it being exploited is now measured in hours, not months. Microsoft’s June 2026 Patch Tuesday made that point with brutal clarity. The company disclosed 206 vulnerabilities, including three publicly known zero-days and a critical Azure HorizonDB flaw. One of those bugs, a new Microsoft 365 Copilot vulnerability, lay in software that tens of thousands of organisations are already rolling out.

The speed here matters. In the old world, a patch window opened for weeks. Today, generative AI tools let attackers scan for vulnerable systems and write matching exploit code almost instantly. Verizon’s 2026 Data Breach Investigations Report found that software flaws overtook stolen credentials as the top breach vector, accounting for 31 percent of breaches. That is a gearshift, and it means defenders can no longer rely on passwords or phishing filters as their primary shield.

We need to fight AI with AI. We need to incorporate them into our practices at a scale that we have never done before.

Nasrin Rezai, Verizon CISO

For people managing type 1 diabetes, this is not abstract. Any health data platform, patient portal, or connected medical device running on unpatched infrastructure is a target. The same attacker scanning for vulnerable Exchange servers or Azure services can scan for healthcare systems with the same automated toolkit. Regulatory compliance matters, but so does the practical habit of checking that updates land inside 48 hours, not after the next quarterly review.

What this means for your team or business

A useful test: ask yourself how long it would take to push a critical security update across every machine that touches customer or patient data. If the answer is longer than one week, start treating patching as a safety issue, not an IT chore. That means asset visibility first, then automated deployment, then confirmation. If you are still emailing around a PDF patch list, you are in the danger zone.
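The "asset visibility first, then automated deployment, then confirmation" loop above is easy to state and hard to prove. The following added example (not code from the original post or from Microsoft) shows the confirmation step as a patch-SLA report: it takes an expected asset list, the advisory release times, and what the patch tool says is installed on each host, and flags hosts that are overdue against a 48-hour window, hosts still inside the window, and hosts that never reported in at all (the visibility gap). All update identifiers, hostnames and timestamps are constructed placeholders, not real Microsoft KB numbers or real machines.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed advisory data. IDs are placeholders, not real Microsoft KB numbers.
RELEASE = datetime(2026, 6, 9, 17, 0, tzinfo=timezone.utc)
ADVISORIES = {
    "UPD-CRIT-001": {"severity": "critical", "released": RELEASE},
    "UPD-CRIT-002": {"severity": "critical", "released": RELEASE},
    "UPD-IMP-003": {"severity": "important", "released": RELEASE},
}

# Constructed asset list: every machine that touches customer or patient data.
EXPECTED_ASSETS = {"portal-web-01", "portal-db-01", "exchange-01", "clinic-ws-07"}

# Constructed inventory as a patch tool would export it: host -> {update_id: installed_at}.
INVENTORY = {
    "portal-web-01": {
        "UPD-CRIT-001": RELEASE + timedelta(hours=6),
        "UPD-CRIT-002": RELEASE + timedelta(hours=6),
        "UPD-IMP-003": RELEASE + timedelta(hours=30),
    },
    "portal-db-01": {"UPD-CRIT-001": RELEASE + timedelta(hours=20)},  # CRIT-002 missing
    "exchange-01": {},                                                 # nothing installed
    # clinic-ws-07 never reported in: a visibility gap, not a compliant host
}


@dataclass
class HostStatus:
    host: str
    state: str                      # "compliant", "pending", "overdue" or "unknown"
    missing: list = field(default_factory=list)
    hours_overdue: float = 0.0      # how far past the SLA the oldest missing update is


def patch_sla_report(advisories, inventory, expected_assets, now,
                     sla_hours=48, severity="critical"):
    """Classify every expected asset against the patch SLA for the given severity."""
    required = {uid for uid, adv in advisories.items() if adv["severity"] == severity}
    deadline = timedelta(hours=sla_hours)
    report = {}
    for host in sorted(expected_assets):
        installed = inventory.get(host)
        if installed is None:
            # Absence of data is not evidence of patching: treat as unknown, list everything.
            report[host] = HostStatus(host, "unknown", sorted(required))
            continue
        missing = sorted(uid for uid in required if uid not in installed)
        if not missing:
            report[host] = HostStatus(host, "compliant")
            continue
        # The clock starts at vendor release, not at the next change window.
        oldest_gap = max(now - advisories[uid]["released"] for uid in missing)
        if oldest_gap > deadline:
            overdue_h = (oldest_gap - deadline).total_seconds() / 3600
            report[host] = HostStatus(host, "overdue", missing, overdue_h)
        else:
            report[host] = HostStatus(host, "pending", missing)
    return report


def summarize(report):
    """Count hosts per state so the number that matters is one line, not a PDF."""
    counts = {"compliant": 0, "pending": 0, "overdue": 0, "unknown": 0}
    for status in report.values():
        counts[status.state] += 1
    return counts


if __name__ == "__main__":
    now = datetime(2026, 6, 12, 9, 0, tzinfo=timezone.utc)  # 64 h after release
    result = patch_sla_report(ADVISORIES, INVENTORY, EXPECTED_ASSETS, now)
    for status in result.values():
        print(f"{status.host:14} {status.state:10} missing={status.missing} "
              f"overdue_h={status.hours_overdue:.1f}")
    print(summarize(result))
```

Run it daily against a real inventory export and the interesting number is not the compliant count but the "unknown" count: a host that is expected but never reports is exactly the machine an automated scanner will find before you do.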

The rise of shadow AI compounds the problem. Employees using unapproved AI tools often paste sensitive data into interfaces that train on that data or store it indefinitely. In one recent report, unmonitored AI tool use added roughly $670,000 to the average cost of a breach. Those tools do not show up in the standard vulnerability scanner. They show up in policy lapses.

The practical steps

Start with the basics. Enable automatic updates on endpoints where feasible. Lock down administrative access to the smallest possible group. Require any new AI service to state clearly whether it uses submitted data for training. If the vendor cannot answer that in plain language, do not deploy it. Finally, separate your most sensitive data workloads into their own segmented environment. Attackers love shared infrastructure because one foothold becomes many.

The honest truth is that perfect security does not exist. What does exist is the discipline to move faster than the attacker’s patience. A 206-vulnerability day is not an anomaly. It is the new rhythm. You can either build your week around it, or spend your day recovering from ignoring it.
