
How to handle a patch-heavy Patch Tuesday

AI-powered vulnerability discovery means IT pros must prepare for higher patch volumes.

TOPICS: Cybersecurity / Endpoint & Device Security / Patch Management

Like jean jackets at a punk rock show, today’s IT pros have way too many patches.

This June, Microsoft released its highest volume of security updates of the year: 208 common vulnerabilities and exposures (CVEs).

The company’s past three months of updates have totaled 542, almost doubling the rate from the 286 in the same period in 2025.

Compare that to 10 years ago, when Microsoft released over 500 CVEs for the whole year.

With AI helping rapidly uncover new vulnerabilities (such as Anthropic’s Project Glasswing), IT teams need more than ever to be ready for dense patch deliveries from vendors.

Just your regular Tuesday.

Patch Tuesday refers to Microsoft's regular monthly release of software security fixes and reliability updates, along with impact and remediation details. On a typical Patch Tuesday, an IT professional may assess which patches apply to their environment; prioritize updates by the severity of the vulnerability and the criticality of the affected asset; apply patches in a test environment to watch for disruptive effects like crashes; and then automate the rollout.

That process gets complicated, however, when there are 200 or so patches in a given release.

“Now assessing the patches for applicability by itself becomes a full-time job,” Nick Mitropoulos, certified instructor at SANS Institute and CEO of consultancy Scarlet Dragonfly, said. Prioritizing and testing could take days, especially for lean IT teams.

Mitropoulos recommends:

  • Knowing criticality. Not just the vulnerability's, Mitropoulos warns (Microsoft rates its fixes critical, important, moderate, or low), but your own assets'. Mitropoulos advises building a configuration management database (CMDB) to track asset inventory and determine which critical IT infrastructure, say a payment card server, a financial asset, or a critical R&D database, should be updated first.
  • Test. Spin up a small isolated environment before rolling out the patch. “The challenge of a large number of patches means that sometimes there won’t be enough time for you to exhaustively test, so you may need to make some hard decisions as to what patches have to be applied, depending on asset criticality and vulnerability impact,” Mitropoulos wrote in a follow-up email.
  • Automate the rollout. Tools like Microsoft Configuration Manager (formerly System Center Configuration Manager, or SCCM) support the process and spare you from patching machine by machine. Tier your environment for staged rollouts: a pilot ring, IT's own devices, non-critical servers, then production endpoints, for example. “If a patch breaks something, you want to know on 50 machines, not 5,000,” he added in his email.
  • Build your knowledge. To spot the most pressing patches, subscribe to Microsoft's security bulletins and learn what “critical” vulnerabilities involve and the different risks and tactics behind them, like remote code execution and information disclosure. That knowledge will matter as larger batches of “critical” CVEs arrive.
  • Be flexible. Some orgs have one standard patch policy and lack a separate, faster policy for critical patches.
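The triage loop the article describes (check applicability, weigh vendor severity against asset criticality, test on a small ring, then stage the rollout, with a separate fast lane for critical fixes) as an added example. This is not code from the article, SANS or Scarlet Dragonfly; it is a plain Python model of the process. The severity and impact weights, the CMDB tier names, the ring names, the soak days and the CVE-0000-* identifiers are all constructed placeholders, and the script does not query MSRC or drive Configuration Manager.

```python
"""Patch Tuesday triage model (added example, not the article's code): rank a
batch by vendor severity x asset criticality, drop advisories that apply to
nothing we run, and stage the rollout by ring under a standard or emergency
policy. Weights, tier names, soak days and identifiers are all assumptions."""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}
IMPACT_WEIGHT = {"Remote Code Execution": 3, "Elevation of Privilege": 2,
                 "Security Feature Bypass": 2, "Information Disclosure": 1,
                 "Denial of Service": 1, "Spoofing": 1}
TIER_WEIGHT = {"mission-critical": 3, "business": 2, "standard": 1}  # CMDB tiers
RINGS = ["pilot", "it", "noncrit-servers", "production"]  # smallest ring first
# Days to wait after each ring before the next one starts (assumed values).
SOAK_DAYS = {
    "standard": {"pilot": 2, "it": 3, "noncrit-servers": 5, "production": 0},
    "emergency": {"pilot": 1, "it": 1, "noncrit-servers": 1, "production": 0},
}

@dataclass(frozen=True)
class Advisory:
    cve: str                 # placeholder IDs below, not real CVEs
    severity: str            # Critical / Important / Moderate / Low
    impact: str              # a key of IMPACT_WEIGHT
    products: frozenset      # product families the fix applies to
    exploited: bool = False  # vendor reports in-the-wild exploitation

@dataclass(frozen=True)
class Asset:
    name: str
    product: str  # product family installed on this asset
    tier: str     # a key of TIER_WEIGHT
    ring: str     # one of RINGS

def applies(adv, asset):
    """Applicability: does this advisory touch a product this asset runs?"""
    return asset.product in adv.products

def score(adv, asset):
    """Higher means patch sooner: vendor severity scaled by asset criticality,
    then impact class and known exploitation push it further up."""
    s = SEVERITY_WEIGHT[adv.severity] * TIER_WEIGHT[asset.tier]
    s += IMPACT_WEIGHT.get(adv.impact, 1)
    return s + 5 if adv.exploited else s

def policy_for(adv):
    """Separate, faster policy for Critical fixes that are exploited or RCE."""
    urgent = adv.exploited or adv.impact == "Remote Code Execution"
    return "emergency" if adv.severity == "Critical" and urgent else "standard"

def triage(advisories, assets):
    """Return [(cve, top_score, [affected asset names])], highest first."""
    rows = []
    for adv in advisories:
        hits = [a for a in assets if applies(adv, a)]
        if not hits:
            continue  # nothing in inventory runs it: off the work queue
        top = max(score(adv, a) for a in hits)
        rows.append((adv.cve, top, sorted(a.name for a in hits)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def rollout_plan(adv, assets):
    """Return [(ring, start_day, [asset names])] in RINGS order, skipping
    rings with no applicable machines and soaking between the rest."""
    soak = SOAK_DAYS[policy_for(adv)]
    plan, day = [], 0
    for ring in RINGS:
        members = sorted(a.name for a in assets
                         if a.ring == ring and applies(adv, a))
        if members:
            plan.append((ring, day, members))
            day += soak[ring]
    return plan

# Constructed sample batch and inventory (not real advisories or hosts).
ADVISORIES = [
    Advisory("CVE-0000-0001", "Critical", "Remote Code Execution",
             frozenset({"Windows Server", "Windows 11"}), exploited=True),
    Advisory("CVE-0000-0002", "Important", "Elevation of Privilege",
             frozenset({"Windows 11"})),
    Advisory("CVE-0000-0003", "Critical", "Remote Code Execution",
             frozenset({"SharePoint Server"})),  # nothing we run
    Advisory("CVE-0000-0004", "Low", "Information Disclosure",
             frozenset({"Windows Server"})),
]
ASSETS = [
    Asset("pay-srv-01", "Windows Server", "mission-critical", "production"),
    Asset("rd-db-01", "Windows Server", "mission-critical", "production"),
    Asset("file-srv-test", "Windows Server", "standard", "noncrit-servers"),
    Asset("fin-ws-01", "Windows 11", "business", "production"),
    Asset("it-lap-01", "Windows 11", "standard", "it"),
    Asset("pilot-ws-01", "Windows 11", "standard", "pilot"),
]

if __name__ == "__main__":
    for cve, top, names in triage(ADVISORIES, ASSETS):
        print(cve, top, names, policy_for(next(a for a in ADVISORIES if a.cve == cve)))
    for ring, day, names in rollout_plan(ADVISORIES[0], ASSETS):
        print(f"day {day:>2} {ring:<16} {names}")
```

Two things worth noticing when you run it: the SharePoint advisory never reaches the work queue because nothing in the inventory runs it, which is the "applicability" step that Mitropoulos says becomes a full-time job at 200 patches; and the exploited Critical RCE walks the same pilot-to-production rings as everything else but with one-day soaks, so a broken patch still surfaces on the pilot machines first without the week-long wait the standard policy imposes.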

The June patches were “uneventful” for Prashant Dinkar Hinge, chief information and transformation officer at insurer MSIG USA, and his team, thanks to a predefined “runbook” that identifies critical assets and associated vulnerabilities. With any patch batch, Hinge said, his teams first deal with updates concerning mission-critical assets, like those related to supporting policy issuance and processing claims.

AI is not the right tool for prioritizing what matters most to the business and what requires immediate attention, he said: “It’s the human who has the knowledge to solve that problem.” Hinge’s team tests and deploys patches in prioritized tiers. At the time of our interview in mid-June, Hinge said only low-priority patches from the June set remained, and those have since been addressed.

In a May security post, Tom Gallagher, VP of engineering at the Microsoft Security Response Center (MSRC), noted that the volume of reports from the security community was climbing steadily, driven by factors like coordinated disclosure programs and the increased use of AI and automated discovery.

“We expect releases to continue trending larger for some time,” Gallagher wrote in May.

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
