Virtual Round Table · Jul 22

View the event
Microsoft's Record July Patch Tuesday Ships Fixes for Two Actively Exploited Zero-Days
Cybersecurity

Microsoft's Record July Patch Tuesday Ships Fixes for Two Actively Exploited Zero-Days

Microsoft's July 2026 Patch Tuesday is the largest on record, addressing more than 600 CVEs, including two zero-days already being exploited in Active Directory Federation Services and SharePoint Server.

PublishedJuly 19, 2026
Read time5 min read
Share

The largest Patch Tuesday on record

Microsoft's July 2026 Patch Tuesday set a new high-water mark, delivering fixes for well over 600 CVEs across Windows, SharePoint, Exchange, and the wider product line in a single release. Tallies varied by source depending on how bundled Chromium and Edge issues were counted, with figures reported from roughly 570 into the 620s, but every account agreed on the headline: this was the biggest monthly security update Microsoft has ever shipped. The scale alone turns routine patch triage into a serious operational challenge.

The volume reflects a broader trend rather than a one-month anomaly. As one analyst put it, "The CVE count year-to-date exceeds all other years' totals. How to count this mess is anyone's guess." For enterprise teams, the practical consequence is that comprehensive same-week patching of everything is no longer realistic. The month's most dangerous flaws have to be identified and prioritized quickly, because two of them were already under active attack when the updates landed.

A zero-day in Active Directory Federation Services

The first actively exploited zero-day, CVE-2026-56155, is an elevation-of-privilege vulnerability in Active Directory Federation Services. An attacker who successfully exploits it can gain administrator privileges, and ADFS occupies an especially sensitive position because it brokers authentication and federated single sign-on across an organization. Compromise of the identity layer gives an intruder a route to impersonate users and reach the applications and cloud services that trust ADFS-issued tokens.

The flaw requires local access and low privileges to exploit, which places it later in an attack chain rather than at the initial entry point. That positioning still makes it dangerous, because it can be paired with a remote code execution bug to enable lateral movement and privilege escalation once an attacker has a foothold. Any identity infrastructure vulnerability under active exploitation deserves top priority, and ADFS servers should be among the first systems patched in this cycle.

SharePoint under attack again

The second exploited zero-day, CVE-2026-56164, is an elevation-of-privilege vulnerability in SharePoint Server, rated CVSS 5.3. A missing authentication check allows an unauthenticated attacker to elevate privileges over the network without any user interaction. The moderate CVSS score understates the operational risk, because SharePoint frequently holds an organization's most sensitive internal documents and is often exposed to a wide internal, or even external, user population.

SharePoint has been a recurring target throughout 2026, and this month's release did not stop at the exploited flaw. Microsoft also patched critical remote code execution bugs in SharePoint tracked as CVE-2026-50522 and CVE-2026-58644, each carrying a CVSS score of 9.8. The pattern of repeated, high-severity SharePoint disclosures should push organizations to reassess how their on-premises SharePoint farms are exposed and monitored, and to treat any internet-facing deployment as a standing liability.

The critical remote code execution bugs

Beyond the exploited zero-days, several critical remote code execution vulnerabilities in the July batch demand attention because of their reach into core infrastructure. Microsoft Exchange Server received a fix for CVE-2026-55008, scored CVSS 9.6, in a product line that remains a perennial favorite of both nation-state and criminal actors. Mail servers sit at the crossroads of internal and external communication, so an RCE there offers attackers a rich target for data theft and onward access.

The update also addressed CVE-2026-50518, a CVSS 9.8 remote code execution flaw in the Windows DHCP Server. DHCP is foundational network plumbing that runs quietly on domain controllers and infrastructure servers, and a critical bug in that service can expose systems administrators rarely think of as attack surface. These high-severity RCEs may not be exploited yet, but their scores and their placement in critical infrastructure make them strong candidates for near-term weaponization.

One disclosed flaw not yet exploited

Alongside the two exploited zero-days, Microsoft addressed CVE-2026-50661, a BitLocker security feature bypass that was publicly disclosed before patching. The flaw could allow an attacker with physical access to a device to read encrypted data, undermining the assumption that full-disk encryption protects a lost or stolen machine. Public disclosure ahead of a fix raises the risk that exploitation follows, even though no in-the-wild attacks had been reported at release.

The physical-access requirement narrows the threat, so this belongs a rung below the network-exploitable and actively abused issues in most triage models. It still matters for organizations that depend on BitLocker as their last line of defense for laptops holding sensitive data, particularly in sectors with strict data-protection obligations. Teams that treat device encryption as a compliance control should factor this fix into their laptop and endpoint patching schedules rather than deferring it indefinitely.

Turning volume into a triage discipline

A release of this magnitude makes clear that raw patch counts have outgrown any team's capacity to apply everything at once. The workable path is disciplined prioritization: patch the two actively exploited zero-days in ADFS and SharePoint first, follow with the CVSS 9.8 remote code execution flaws in SharePoint and DHCP and the 9.6 Exchange bug, and work down from there. CISA's inclusion of the exploited flaws in its Known Exploited Vulnerabilities catalog provides a clear external signal to anchor that sequencing.

The strategic takeaway is that patch management has become a continuous risk-ranking exercise driven by exploitation evidence and exposure. Organizations that still aim to deploy an entire Patch Tuesday in one pass will miss the deadlines that matter most for the flaws attackers are already using. We think the record-breaking July release is a signal to invest in the tooling and process that let teams distinguish the handful of urgent fixes from the hundreds that can wait a cycle.

Tagged#news#security#cybersecurity#breach#cisa#ransomware#zero-day#supply-chain#ai-security#CVE-2026-56155#CVE-2026-56164#Microsoft#Patch-Tuesday#SharePoint#ADFS#Exchange