Cyber Security

Microsoft Patches Record 622 Flaws, Including Two Zero Days Under Active Attacks

Microsoft sent the largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release includes 622 CVEs for Microsoft by its Security Update Guide count, more than triple June’s high of about 200.

Those two live bugs are the ones you should catch first. Microsoft provides incident responders for both. Both vulnerabilities in the ownership and interoperability infrastructure: CVE-2026-56164 in SharePoint Server premises and CVE-2026-56155 in Active Directory Federation Services.

And it’s not one of the more serious ways to generate remote code. They are good bugs in two systems that are more important than their scores suggest: the company’s document store, and its sign-in box.

Two zero days to complete first

CVE-2026-56164, a SharePoint Server flaw that Microsoft says is being exploited in an attack, allows an unauthorized attacker to escalate privileges on a network. No authentication, no user interaction, remote control. Microsoft gave credit to Mandiant incident responders and Google’s FLARE team, which identified the discovery within the active attack, although Microsoft did not say how or by whom it was exploited.

If you’re running self-hosted SharePoint, this is the first one to catch, and there’s a second clock to it: today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, there is no paid ESU program to revert to.

Despite the patch, Microsoft’s advisory notes that enabling AMSI in Full Mode on the server weakens the attack. SharePoint has been an attacker magnet since the ToolShell chain broke through unpublished servers in 2025, and it hasn’t stopped being one.

CVE-2026-56155, an Active Directory Federation Services flaw that Microsoft is also flagging as an exploit, allows an already authorized attacker to elevate privileges to an environment with weak access controls. Microsoft’s DART incident response unit gets the credit.

AD FS is the token signing box for all real estate trusts, which is why an error labeled “local” on that host deserves more attention than the label says. Microsoft did not say what privileges it provides, or how attackers used them.

Worth knowing for anyone following a fix deadline: CVE is also not in the CISA Vulnerability Exploitation catalog as of this writing. Microsoft’s exploit rater already marks both as exploited. Don’t wait for the KEV list to make it official.

Microsoft also rates the SharePoint bug as low in severity, which is a good reminder that the severity label isn’t something to fix this month.

The third bug, and the arrival of the SharePoint chain in August

A third zero-day was publicly disclosed but not attacked: CVE-2026-50661, another BitLocker bypass. It requires physical access to the device, so it’s not a remote emergency. It’s patchy, but it doesn’t cross the line. It continues BitLocker’s passing that dates back to Bitskrieg and YellowKey earlier this year.

SharePoint drew a second significant adjustment. Rapid7 Labs exposed CVE-2026-55040, a JWT authentication bypass they built for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says that Microsoft has given it medium stability, while ZDI reads the release as critical at 9.1.

What he does is not contradictory. Rapid7 tied it to a remote code execution bug to access unauthorized RCE against a vulnerable server, and half of RCE isn’t turned off yet; Microsoft is expected to fix it in August.

That puts July past the repair that breaks the chain. A four-point spread on one bug also tells you what the sharp number is this month.

RC4 cleanup that can break login

This update also ends Microsoft’s multi-year Kerberos RC4 stability. The July release removes the RC4DefaultDisablementPhase rollback switch, a bug hatch managers have been relying on since Microsoft began cracking down in January.

After this, RC4 only works on accounts that are explicitly configured to allow it. If any service account in your environment is still requesting RC4 Kerberos tickets, it may fail to authenticate when the update arrives.

The order is important: research first, using the RC4 test cases that Microsoft added in January, then rotate the passwords on the marked service accounts, so that Windows generates AES keys for them, and then patch them. Rotation only fixes missing AES key accounts.

Anything pinned to RC4 by configuration, or a legacy client that doesn’t speak anything, needs to be fixed before an update arrives. This one does not find you violated; it breaks things, but it will hack you at 2 am if you skip the research.

Why the silent moon made history

July is historically one of the lightest months on Microsoft’s calendar, which makes a release of this size stand out. Windows alone accounted for 416 of the 622, and ZDI accounted for 95 code execution bugs in all releases.

Here’s where the rest goes, and what you should remove from each pile:

Product family CVEs It’s worth taking out
Windows 416 Both AD FS zero-day (CVE-2026-56155) and BitLocker bypass exposed (CVE-2026-50661) stay here. VMSwitch RCE’s top release points, CVE-2026-57092 at 9.9. And five DHCP RCEs, and 21 NTFS and ReFS driver bugs that ZDI reads as one shared root.
The office 82 Counted once. Microsoft lists the same 82 and under a different track for Office 2016, which is why other stores report 164.
Microsoft Edge 46 ZDI lists 21 as Microsoft’s instead of Chromium’s re-listing.
Developer Tools 27 The security feature runs throughout Visual Studio, VS Code, and GitHub Copilot, especially injection and path crossing.
SharePoint Server 17 Exploited zero day (CVE-2026-56164) and Rapid7’s chain bypass (CVE-2026-55040), and a pair of Essential RCEs including CVE-2026-50522 at 9.8.
Azure 11 Nothing marked as urgent.
SQL Server 8 RCE pair, CVE-2026-54117 again CVE-2026-54118both 8.8.
The protector 5 Two Important RCEs.
Exchange Server 5 XSS stored in Outlook Web Access, CVE-2026-55008at 9.6. Microsoft puts it under spoofing, selling it less.
Other 5 Nothing marked as urgent.

The statistics come from Microsoft’s Security Update Guide, which covers 622 unique CVEs this month. ZDI, counting independently, reached 621, and its July update is the source of calls for each family.

Microsoft called this five days early. In a July 9 post, it told customers to expect a “higher volume of security updates included in each security release” as AI helps uncover more problems. That work includes MDASH, its multi-model scanning system, which found 16 bugs on May’s Patch Tuesday alone. Microsoft didn’t say how many July 622s came out of that pipeline.

The same automation cuts both ways. If a shipping patch is running, attackers can isolate it against the final build, find a blocking bug, and create an operational opportunity before most stores finish testing. That eats up the old “wait a week” cushion and narrows the gap to Exploit Wednesday.

It also includes CVSS-based triage. If the release carries 600-plus CVEs and a large share is rated High or Critical, “priority” stops filtering anything. Two of this month’s exploit bugs make this point: neither is a 9.8 topic, both are middle-class privilege bugs, and both are already working.

Filter by exploit, using KEV, EPSS, and the Microsoft exploit flag, not by score, and compile faster than ever. The number in the box only goes up.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button