News
Microsoft's Record July Patch Tuesday Fixes 570 Flaws, Including Two Exploited Zero-Days
Microsoft's July Patch Tuesday release broke the record for a second straight month, delivering fixes for roughly 570 holes across Windows, SharePoint, Microsoft 365, Azure and others.
The spike is tied in part to Microsoft's growing use of AI in security research. The company recently warned customers to expect more security updates as AI-assisted tools uncover flaws that may have remained hidden for years.
"We knew this day would come," Satnam Narang, senior staff research engineer at Tenable, said. "June 2026 Patch Tuesday broke the record, and July blew the record out of the water."
Narang said the release makes it likely that 2026 will surpass the previous annual Patch Tuesday record of 1,245 CVEs set in 2020. Still, he cautioned that the number of vulnerabilities should not be viewed as a direct measure of risk.
"The volume is striking, but it reflects how good these tools have become at finding bugs, not how many of those bugs actually pose a risk to organizations," Narang said.
For admins, the more immediate concern is a group of three zero-day vulnerabilities. Two have already been exploited in attacks, while the third was publicly disclosed before a patch became available.
AD FS and SharePoint Zero-Days Exploited
CVE-2026-56155 is an elevation-of-privilege vulnerability in Active Directory Federation Services. Microsoft rated the flaw important with a CVSS score of 7.8 and confirmed that attackers have exploited it in the wild.
The issue allows an authenticated attacker with local access and limited privileges to gain admin permissions. From there, the attacker could modify security settings, install malware, disable defenses or create fake admin accounts.
The flaw is especially significant for those that still use AD FS for federated authentication. A compromised federation server could give attackers access to credentials, sensitive business resources and other systems tied to an organization's identity infrastructure.
Jack Bicer, director of vulnerability research at Action1, said the flaw could give an attacker "complete control over the affected system." He warned that an AD FS compromise could lead to ransomware deployment, credential theft and broader attacks against enterprise infrastructure.
The second exploited zero-day, CVE-2026-56164, affects Microsoft SharePoint Server. Microsoft rated the elevation-of-privilege flaw moderate with a CVSS score of 5.3, but its active exploitation and the exposure of Internet-facing SharePoint servers make it more urgent than the rating may suggest.
The vulnerability stems from missing authentication for a critical function. An attacker can send specially crafted network requests to reach SharePoint functionality that should require authorization.
"This is a missing authentication vulnerability in Microsoft SharePoint Server that allows an unauthorized attacker to elevate privileges over the network," Alex Vovk, CEO and co-founder of Action1, said. "Because the flaw is remotely exploitable without requiring authentication or user interaction, attackers can target vulnerable SharePoint servers directly."
Organizations running on-prem SharePoint should put internet-facing servers near the top of the patch list, especially systems that store confidential documents or support business workflows.
Public BitLocker Bypass Patched
The third zero-day, CVE-2026-50661, is a Windows BitLocker security feature bypass vulnerability. It was publicly disclosed but hasn't been linked to active attacks yet.
Microsoft rated the flaw important with a CVSS score of 6.1. Exploitation requires physical access to the device, but it does not require authentication or user interaction. A successful attacker could bypass BitLocker Device Encryption and access data stored on an encrypted drive.
The vulnerability may be connected to a BitLocker bypass disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, although Microsoft has not confirmed the link.
Mike Walters, president and co-founder of Action1, said the flaw could expose regulated information, intellectual property and credentials on lost or stolen systems.
"Organizations relying on BitLocker to protect sensitive information on laptops, desktops and servers face an increased risk if devices are lost, stolen or accessed by unauthorized individuals," Walters said.
Critical Copilot, Dynamics and SharePoint Fixes
Beyond the zero-days, July includes dozens of critical vulnerabilities affecting enterprise applications, security tools and core Windows components.
CVE-2026-48561 is a Microsoft Copilot remote code execution vulnerability rated 9.6. According to Action1, an attacker could host a malicious website that causes Microsoft Edge for Android to send crafted prompts to Copilot when a user visits the site. The affected component could then process those requests without proper confirmation or validation.
Microsoft also patched two critical vulnerabilities in the Microsoft Malware Protection Engine, CVE-2026-55011 and CVE-2026-55012. Both could allow code execution after a user opens a malicious file. The flaws are notable because the engine underpins Microsoft Defender protections across large numbers of Windows systems.
CVE-2026-55944, a remote code execution vulnerability in Microsoft Dynamics NAV and on-premises Microsoft Dynamics 365 Business Central, carries a CVSS score of 9.8. It requires no authentication or user interaction and can be exploited through a specially crafted login request. Microsoft considers exploitation more likely.
Another SharePoint vulnerability, CVE-2026-58644, is a critical remote code execution flaw rated 9.8. It can be exploited remotely without user interaction, and Microsoft also considers exploitation more likely.
Other notable fixes include CVE-2026-55008, a critical Exchange Server spoofing vulnerability, and CVE-2026-57090, a Windows Media Foundation remote code execution flaw that can be triggered through malicious multimedia content.
With a release this large, administrators cannot treat every flaw the same. The two exploited zero-days should come first, followed by exposed SharePoint systems, identity infrastructure and critical remote code execution vulnerabilities that require no authentication or user interaction.
As Narang noted, AI-assisted vulnerability discovery is changing both the size of Patch Tuesday and the assumptions behind traditional risk ratings.
"What this means is that our way of looking at Patch Tuesday has changed," he said, "because the exploitability index is centered around humans, not AI tools."