Microsoft June 2021 Patch Tuesday: 50 vulnerabilities patched, six zero-days exploited in the wild

Six out of seven zero-days are being actively used in cyberattacks.
Written by Charlie Osborne, Contributing Writer

Microsoft has released 50 security fixes for software to resolve critical and important issues including six zero-days that are being actively exploited in the wild.

In the Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) bugs, denial-of-service issues, privilege escalation, and memory corruption issues. 

In total, when it comes to severity, five of the vulnerabilities are considered critical and 45 are deemed important. 

Products impacted by June's security update include Microsoft Office, .NET Core & Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook, and Excel. 


The zero-day vulnerabilities that Microsoft has tracked as being actively exploited, now patched in this update, are: 

  • CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability, CVSS 7.5
  • CVE-2021-33739: Microsoft DWM Core Library Elevation of Privilege Vulnerability, CVSS 8.4
  • CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2
  • CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2
  • CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability, CVSS 5.5
  • CVE-2021-31956: Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8

Another zero-day reported by Microsoft, but not actively exploited in the wild, is CVE-2021-31968. Issued a CVSS score of 7.5, this flaw, now patched, could be exploited to trigger denial-of-service. 

Eight of the vulnerabilities were reported by the Zero Day Initiative (ZDI). Microsoft has also acknowledged reports from Google's Threat Analysis Group, Google Project Zero, Nixu Cybersecurity, Check Point Research, FireEye, Kaspersky, and others. 

"While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organizations apply these patches as soon as possible. Unpatched flaws remain a problem for many organizations months after patches have been released," Tenable commented.

Last month, Microsoft resolved 55 security flaws, four of which were deemed critical in the May batch of security fixes. Three zero-day vulnerabilities were also patched at the same time, but thankfully, none appear to have been exploited in the wild. 

A month prior, the tech giant tackled 114 vulnerabilities during April's Patch Tuesday. The US National Security Agency (NSA) was credited with reporting two remote code execution (RCE) vulnerability flaws (CVE-2021-28480 and CVE-2021-28481) in Exchange Server.

Editorial standards