Microsoft: Seven Critical and High Vulnerabilities Disclosed on June 4th
Microsoft disclosed seven vulnerabilities on June 4th, including three critical flaws affecting Exchange Online, Azure, and Windows, with CVSS scores up to 10.0.
Key findings
- Seven vulnerabilities disclosed by Microsoft on June 4th, 2026, within a four-hour window.
- Three critical vulnerabilities with CVSS scores up to 10.0 affect Azure, Exchange Online, and Windows.
- Flaws include authentication bypass, command injection, and improper authorization.
- Microsoft Copilot and Copilot Chat are among the affected products.
- CVE-2025-71316 in Windows involves insecure Unicode to ANSI conversion, potentially allowing DLL loading.
Microsoft addressed a significant batch of seven vulnerabilities on June 4th, 2026, with a rapid disclosure window spanning just over four hours. The disclosed flaws include critical and high-severity issues impacting key Microsoft products such as Exchange Online, Azure, Microsoft Graph, Copilot, and Windows.
The vulnerabilities span several attack vectors, including improper authorization, authentication bypass, and command injection. Three of the disclosed vulnerabilities are rated as Critical, with CVSSv3 scores of 9.1, 10.0, and 9.8, respectively. These critical flaws pose the most significant risk to users and systems.
Among the critical disclosures is CVE-2026-48567, an authentication bypass by spoofing vulnerability in Azure HorizonDB. This flaw allows an unauthorized attacker to elevate privileges over a network, posing a severe threat to data integrity and access control. Another critical vulnerability, CVE-2026-48579, affects Microsoft Exchange Online, enabling an unauthorized attacker to disclose information over a network due to improper authorization.
Additionally, CVE-2025-71316, a critical vulnerability in Microsoft Windows, involves an insecure handling of Unicode characters by the Windows C runtime when converting them to ANSI codepages. An attacker could exploit the '-L' option in sqldiff.exe to load an arbitrary DLL, potentially leading to command execution.
Several other vulnerabilities were disclosed, including high and medium severity flaws. CVE-2026-45497, a high-severity flaw in Microsoft Copilot, involves command injection that could allow an authorized attacker to execute code over a network. Medium-severity issues include CVE-2026-47655, an information disclosure vulnerability in Microsoft Graph, and CVE-2026-47644, an injection vulnerability in Copilot Chat (Microsoft Edge) that could lead to information disclosure.
Another medium-severity vulnerability, CVE-2026-42824, also impacts M365 Copilot and relates to command injection, allowing an unauthorized attacker to disclose information. The rapid disclosure of these vulnerabilities suggests a coordinated effort to inform the public and users about potential security risks.
Microsoft's proactive disclosure of these vulnerabilities, even those with critical severity, underscores the importance of timely patching and security updates. Users are advised to review Microsoft's security advisories for detailed information on affected products and versions, and to apply any available patches or mitigations as soon as possible to protect their environments from potential exploitation.