Overview
Microsoft’s July 2026 Patch Tuesday is its largest on record, addressing 622 CVEs — more than triple June’s previous high. Among them are two zero‑day vulnerabilities already being exploited, both privilege escalation flaws in SharePoint Server and Active Directory Federation Services (AD FS).
The Two Zero‑Days to Patch First
- CVE‑2026‑56164 — SharePoint Server
- Exploited in active attacks.
- Allows unauthenticated remote privilege escalation.
- Discovered by Mandiant and Google’s FLARE team during incident response.
- Critical urgency: SharePoint Server 2016 and 2019 also reached end of support this month, with no ESU program available.
- CVE‑2026‑56155 — Active Directory Federation Services
- Exploited locally by authenticated attackers.
- Enables privilege escalation through weak access controls.
- Credited to Microsoft’s DART incident response unit.
- Despite being labeled “local,” AD FS signs tokens for estate trusts, making this flaw highly impactful.
Neither CVE is yet listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, but Microsoft has confirmed exploitation. Do not wait for KEV listing — patch immediately.
Other Notable Fixes
- CVE‑2026‑50661 — BitLocker bypass (publicly disclosed, not exploited). Requires physical access.
- CVE‑2026‑55040 — SharePoint JWT bypass disclosed by Rapid7. Rated medium by Microsoft but critical (9.1) by ZDI. Breaks a chain that could lead to unauthenticated RCE, with the RCE half expected in August.
- Kerberos RC4 cleanup — Microsoft removed the RC4 rollback switch. Any service accounts still requesting RC4 tickets will fail authentication after patching. Audit and rotate passwords before applying updates.
Breakdown by Product Family
| Product Family | CVEs | Highlights |
|---|---|---|
| Windows | 416 | AD FS zero‑day, BitLocker bypass, VMSwitch RCE (9.9), DHCP RCEs, NTFS/ReFS driver bugs. |
| Office | 82 | Counted once, but listed twice under Office 2016. |
| Edge | 46 | 21 Microsoft‑specific fixes beyond Chromium. |
| Developer Tools | 27 | Security bypasses in Visual Studio, VS Code, GitHub Copilot. |
| SharePoint Server | 17 | Exploited zero‑day (CVE‑2026‑56164), JWT bypass, Critical RCE pair. |
| Azure | 11 | No urgent flags. |
| SQL Server | 8 | RCE pair (8.8). |
| Defender | 5 | Two Critical RCEs. |
| Exchange Server | 5 | Outlook Web Access XSS (9.6). |
| Other | 5 | No urgent issues. |
Why This Matters
Microsoft credited incident responders for discovering both exploited zero‑days, highlighting the importance of real‑world detection. The company also noted that AI‑driven scanning systems (MDASH) are uncovering more flaws, contributing to the record volume.
The sheer scale of this release underscores a critical point: CVSS scores alone are no longer sufficient for triage. Both exploited zero‑days are mid‑tier privilege bugs, yet they are already being used in attacks.
Defensive Guidance
Microsoft recommends organizations:
- Prioritize exploited CVEs over severity scores.
- Enable AMSI Full Mode on SharePoint servers.
- Audit Kerberos RC4 usage before patching.
- Monitor event logs for unusual privilege activity.
- Patch faster than usual — attackers can now diff patches and weaponize exploits within days.
Expert in the Cloud Insight
This record‑breaking Patch Tuesday shows how AI is accelerating both vulnerability discovery and exploit development. For defenders, the takeaway is clear: patch prioritization must shift from CVSS scores to exploitation intelligence (KEV, EPSS, Microsoft exploited flags).
The old “wait a week” cushion is gone. Exploit Wednesday is here.
Leave a Reply