Skip to content
Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft’s own CVEs by its Security Update Guide count, more than triple June’s previous high of around 200.

Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are elevation-of-privilege flaws in identity and collaboration infrastructure: CVE-2026-56164 in on-premises SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.

Neither is one of the splashy remote code execution criticals. They are privilege bugs in two systems that matter more than their scores suggest: the company document store, and the box that signs its logins.

The two zero-days to patch first

CVE-2026-56164, a SharePoint Server flaw Microsoft says is being exploited in attacks, lets an unauthenticated attacker escalate privileges over the network. No credentials, no user interaction, remote. Microsoft credited it to Mandiant’s incident responders and Google’s FLARE team, which points to discovery inside active attacks, though Microsoft has not said how it was exploited or by whom.

If you run self-hosted SharePoint, this is the one to grab first, and there is a second clock on it: today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, neither has a paid ESU program to fall back on.

Beyond patching, Microsoft’s advisory notes that enabling AMSI in Full Mode on the server blunts the attack. SharePoint has been an attacker magnet since the ToolShell chain tore through unpatched servers in 2025, and it has not stopped being one.

CVE-2026-56155, an Active Directory Federation Services flaw Microsoft also flags as exploited, lets an already-authenticated attacker elevate privileges locally through weak access controls. Microsoft’s own DART incident-response unit gets the credit.

AD FS is the box that signs the tokens for the rest of the estate trusts, which is why a flaw labeled “local” on that host is worth more attention than the label suggests. Microsoft has not said what privileges it grants, or how attackers used it.

Worth knowing for anyone tracking remediation deadlines: neither CVE is on CISA’s Known Exploited Vulnerabilities catalog as of this writing. Microsoft’s own exploitability rating already marks both as exploited. Do not wait for a KEV listing to make it official.

Microsoft also rates the SharePoint bug fairly low on severity, which is a good reminder that the severity label is not the thing to sort by this month.

A third bug, and a SharePoint chain landing in August

The third zero-day was publicly disclosed but is not under attack: CVE-2026-50661, another BitLocker bypass. It needs physical access to the device, so it is not a remote emergency. Patch it, but it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year.

SharePoint drew a second notable fix. Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass they built for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says Microsoft assigned it medium severity, while ZDI reads the release as Critical at 9.1.

What it does is not in dispute. Rapid7 chained it to a separate remote code execution bug to reach unauthenticated RCE against a vulnerable server, and the RCE half is not patched yet; Microsoft is slated to fix it in August.

That makes July bypass the fix that breaks the chain. A four-point spread on one bug also tells you what a severity number is worth this month.

The RC4 cleanup that can break logins

This update also finishes Microsoft’s multi-year Kerberos RC4 hardening. The July rollout removes the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since Microsoft began the crackdown in January.

After this, RC4 works only for accounts explicitly configured to allow it. If any service account in your environment still requests RC4 Kerberos tickets, it can fail authentication the moment the update lands.

The order matters: audit first, using the RC4 audit events Microsoft added in January, then rotate the passwords on flagged service accounts, so Windows generates AES keys for them, then patch. Rotation only fixes accounts missing AES keys.

Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands. This one does not get you breached; it breaks things, but it will page you at 2am if you skip the audit.

Why a quiet month set a record

July is historically one of the lightest months on Microsoft’s calendar, which makes a release this size stand out. Windows alone accounts for 416 of the 622, and ZDI counts 95 remote code execution bugs across the release.

Here is where the rest sits, and what is worth pulling out of each pile:

Product family CVEs Worth pulling out
Windows 416 Both the AD FS zero-day (CVE-2026-56155) and the disclosed BitLocker bypass (CVE-2026-50661) live here. Top score of the release is a VMSwitch RCE, CVE-2026-57092 at 9.9. Also five DHCP RCEs, and 21 NTFS and ReFS driver bugs that ZDI reads as one shared root cause.
Office 82 Counted once. Microsoft lists the same 82 again under a separate Office 2016 track, which is why some outlets report 164.
Microsoft Edge 46 ZDI counts 21 as Microsoft’s own rather than Chromium re-listings.
Developer Tools 27 Security feature bypasses across Visual Studio, VS Code, and GitHub Copilot, mostly injection and path traversal.
SharePoint Server 17 The exploited zero-day (CVE-2026-56164) and Rapid7’s chain bypass (CVE-2026-55040), plus a Critical RCE pair including CVE-2026-50522 at 9.8.
Azure 11 Nothing flagged as urgent.
SQL Server 8 An RCE pair, CVE-2026-54117 and CVE-2026-54118, both 8.8.
Defender 5 Two Critical RCEs.
Exchange Server 5 A stored XSS in Outlook Web Access, CVE-2026-55008, at 9.6. Microsoft files it under spoofing, which undersells it.
Other 5 Nothing flagged as urgent.

Counts are from Microsoft’s Security Update Guide, which totals 622 unique CVEs this month. ZDI, counting independently, landed on 621, and its July review is the source for the per-family callouts.

Microsoft called this one five days early. In a July 9 post, it told customers to expect a “higher volume of security updates included in each security release” as AI helps it uncover more issues. That work includes MDASH, its multi-model agentic scanning system, which found 16 of the bugs in May’s Patch Tuesday by itself. Microsoft has not said how many of July’s 622 came out of that pipeline.

The same automation cuts both ways. Once a patch ships, attackers can diff it against the last build, find the bug it closes, and build a working exploit before most shops have finished testing. That eats the old “wait a week” cushion and shrinks the gap to Exploit Wednesday.

It also guts CVSS-based triage. When a release carries 600-plus CVEs and a large share are rated High or Critical, “critical” stops sorting anything. This month’s two exploited bugs make the point: neither is a headline 9.8, both are mid-tier privilege flaws, and both are already in use.

Sort by what is being exploited, using KEV, EPSS, and Microsoft’s exploited flag, not by score, and patch faster than you used to. The number on the box is only going up.

Source link