Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.

Researchers said the information disclosure zero-day exposes sensitive information that attackers can use to undermine defenses and make other exploits more reliable.

Microsoft closed out the year with 1,139 total defects patched, making it the second-largest year in volume behind 2020, according to Trend Micro.

Researchers warn that although exploitation of the zero-day is complex, a functional exploit exists in the wild.

The tech giant addressed a record-high number of defects for the year in its latest update.

The company is ahead of pace, disclosing about 100 more vulnerabilities at this point in the year than it did in 2024, according to a researcher.

Despite serious alarm raised by officials, organizations have not applied the patch for Microsoft Exchange servers en masse.

Researchers are especially concerned about a high-severity defect in SQL Server and a critical vulnerability in SPNEGO, a foundational protocol.

A researcher tells CyberScoop that up to 80% of enterprises could be vulnerable to the zero-day Microsoft patched in its June update.

The company has addressed zero-day vulnerabilities for eight consecutive months without deeming any of them critical at the time of disclosure.