Microsoft Patches 622 Flaws

Overview

Microsoft’s July 2026 Patch Tuesday is its largest on record, addressing 622 CVEs — more than triple June’s previous high. Among them are two zero‑day vulnerabilities already being exploited, both privilege escalation flaws in SharePoint Server and Active Directory Federation Services (AD FS).

The Two Zero‑Days to Patch First

  • CVE‑2026‑56164 — SharePoint Server
    • Exploited in active attacks.
    • Allows unauthenticated remote privilege escalation.
    • Discovered by Mandiant and Google’s FLARE team during incident response.
    • Critical urgency: SharePoint Server 2016 and 2019 also reached end of support this month, with no ESU program available.
  • CVE‑2026‑56155 — Active Directory Federation Services
    • Exploited locally by authenticated attackers.
    • Enables privilege escalation through weak access controls.
    • Credited to Microsoft’s DART incident response unit.
    • Despite being labeled “local,” AD FS signs tokens for estate trusts, making this flaw highly impactful.

Neither CVE is yet listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, but Microsoft has confirmed exploitation. Do not wait for KEV listing — patch immediately.

Other Notable Fixes

  • CVE‑2026‑50661 — BitLocker bypass (publicly disclosed, not exploited). Requires physical access.
  • CVE‑2026‑55040 — SharePoint JWT bypass disclosed by Rapid7. Rated medium by Microsoft but critical (9.1) by ZDI. Breaks a chain that could lead to unauthenticated RCE, with the RCE half expected in August.
  • Kerberos RC4 cleanup — Microsoft removed the RC4 rollback switch. Any service accounts still requesting RC4 tickets will fail authentication after patching. Audit and rotate passwords before applying updates.

Breakdown by Product Family

Product FamilyCVEsHighlights
Windows416AD FS zero‑day, BitLocker bypass, VMSwitch RCE (9.9), DHCP RCEs, NTFS/ReFS driver bugs.
Office82Counted once, but listed twice under Office 2016.
Edge4621 Microsoft‑specific fixes beyond Chromium.
Developer Tools27Security bypasses in Visual Studio, VS Code, GitHub Copilot.
SharePoint Server17Exploited zero‑day (CVE‑2026‑56164), JWT bypass, Critical RCE pair.
Azure11No urgent flags.
SQL Server8RCE pair (8.8).
Defender5Two Critical RCEs.
Exchange Server5Outlook Web Access XSS (9.6).
Other5No urgent issues.

Why This Matters

Microsoft credited incident responders for discovering both exploited zero‑days, highlighting the importance of real‑world detection. The company also noted that AI‑driven scanning systems (MDASH) are uncovering more flaws, contributing to the record volume.

The sheer scale of this release underscores a critical point: CVSS scores alone are no longer sufficient for triage. Both exploited zero‑days are mid‑tier privilege bugs, yet they are already being used in attacks.

Defensive Guidance

Microsoft recommends organizations:

  • Prioritize exploited CVEs over severity scores.
  • Enable AMSI Full Mode on SharePoint servers.
  • Audit Kerberos RC4 usage before patching.
  • Monitor event logs for unusual privilege activity.
  • Patch faster than usual — attackers can now diff patches and weaponize exploits within days.

Expert in the Cloud Insight

This record‑breaking Patch Tuesday shows how AI is accelerating both vulnerability discovery and exploit development. For defenders, the takeaway is clear: patch prioritization must shift from CVSS scores to exploitation intelligence (KEV, EPSS, Microsoft exploited flags).

The old “wait a week” cushion is gone. Exploit Wednesday is here.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.