Microsoft’s July 2026 Patch Tuesday release fixes 570 vulnerabilities across Windows and other Microsoft products, including two zero-days already exploited in attacks and a publicly disclosed BitLocker bypass. Windows users should install the July 14 cumulative updates promptly, while administrators responsible for SharePoint Server and Active Directory Federation Services should treat this cycle as an urgent deployment rather than a routine monthly rollout.
The record total was detailed by BleepingComputer and corroborated by Microsoft’s Security Update Guide. It eclipses the more than 200 flaws addressed in June, but the headline needs qualification: Microsoft did not patch 570 defects solely in the Windows operating system. The count spans a broad portfolio including Windows, SharePoint Server, Office, .NET, Visual Studio, SQL Server and other Microsoft software.
The scale is still remarkable. BleepingComputer counted 254 elevation-of-privilege vulnerabilities, 145 remote-code-execution flaws, 102 information-disclosure bugs, 35 denial-of-service issues, 17 security-feature bypasses and 16 spoofing vulnerabilities. Those categories total 569 because Microsoft’s wider release also includes vulnerability types, such as tampering, that are not represented in that abbreviated breakdown.
The most immediate concern is CVE-2026-56164, an elevation-of-privilege vulnerability in Microsoft SharePoint Server. Microsoft says attackers are already exploiting the flaw, which stems from missing authentication for a critical function and can be reached over a network by an unauthenticated attacker.
That combination makes on-premises SharePoint installations the obvious first priority. An internet-facing collaboration server is a materially different risk from a desktop vulnerability requiring an attacker to have an existing local foothold, particularly when Microsoft has already observed exploitation.
Microsoft credited researchers from Mandiant Incident Response, Google Cloud and FLARE, along with an anonymous researcher, for reporting the SharePoint issue. The relevant July updates include KB5002882 for SharePoint Server Subscription Edition, with separate packages available for supported SharePoint releases.
Administrators should inventory every on-premises SharePoint farm, verify the installed product and patch level, and avoid assuming that ordinary Windows Update policies will cover the application server. SharePoint security updates have their own deployment and post-installation considerations, including the need to run the appropriate configuration process across the farm.
The second exploited zero-day, CVE-2026-56155, affects Active Directory Federation Services. It is an elevation-of-privilege vulnerability discovered by Jeremy Kingston and Scott Clark of Microsoft’s Detection and Response Team.
CVE-2026-56155 requires local access, making it less directly exposed than the SharePoint flaw. It remains significant because AD FS occupies a sensitive identity role: an attacker who has already reached a federation server may be able to turn limited access into more powerful control. Organizations that still operate AD FS should patch those servers quickly and review security telemetry for suspicious local access or privilege changes.
These are not merely theoretical weaknesses promoted by a high monthly count. Microsoft’s exploited designation means attacks were observed before broadly available fixes arrived, even though the company has not publicly described the campaigns, victims or scale of exploitation.
The flaw involves a protection-mechanism failure that could permit an unauthorized attacker with physical access to bypass a BitLocker security control and reach encrypted data. That requirement narrows the practical threat for a desktop secured inside an office, but it matters considerably for laptops, removable systems, kiosks and machines exposed to theft or hands-on tampering.
A physical-access requirement should not be mistaken for a harmless flaw. BitLocker is specifically intended to protect data when a device leaves its owner’s control, so a bypass in that scenario cuts into the feature’s core security promise.
Organizations managing mobile fleets should therefore include the July Windows update in their BitLocker compliance checks rather than treating disk encryption as sufficient by itself. Recovery keys should remain escrowed and tested, firmware should be current, and high-risk systems should use appropriate preboot authentication policies where operationally feasible.
For home users, the practical action is simpler: confirm that Windows Update completed successfully and that a BitLocker recovery key is stored somewhere accessible before restarting. Installing security updates without knowing where that key resides can turn an otherwise ordinary recovery prompt into a lockout.
A remotely exploitable flaw on an exposed server generally deserves attention before a local privilege-escalation bug on an isolated workstation. Likewise, a vulnerability known to be exploited should move ahead of a higher-scoring issue for which Microsoft considers exploitation unlikely.
For enterprise teams, a defensible July sequence is straightforward:
That does not make either number inherently wrong; it means administrators should not use a single headline figure as an asset inventory. The Security Update Guide, Microsoft Update Catalog, product-specific advisories and an organization’s own software records remain the reliable way to determine exposure.
KB5101650 upgrades the built-in curl utility to version 8.21.0 and adds SHA-2 certificate-thumbprint support for trusted Remote Desktop publishers. It also continues Microsoft’s deployment of replacement Secure Boot certificates ahead of certificate expirations that began in June 2026.
One hardening change deserves testing in specialized environments. Microsoft warns that applications using sockets over unregistered third-party Transport Driver Interface transports may stop working after security updates released on or after July 14. The change affects supported editions across Windows 10, Windows 11 and Windows Server, while registered TDI transports are not affected.
That caveat is unlikely to trouble a normal home PC, but it could surface in legacy networking, security or industrial software. Administrators should test applications with low-level network dependencies rather than using the size of the release as justification for bypassing validation altogether.
Windows 11 Home and Pro systems on version 24H2 also have a separate deadline approaching: Microsoft lists October 13, 2026 as the end of monthly updates for those editions. The July patch protects them now, but moving to Windows 11 25H2 is the longer-term requirement.
Consumers can install the release through Settings, Windows Update and Check for updates. Enterprise teams face a more demanding job: patch the exploited SharePoint and AD FS paths immediately, validate the TDI hardening change, and then drive the remaining July updates through rings quickly enough that a record-breaking patch count does not become a record-sized window of exposure.
The lifecycle implications are now clearer. SharePoint Server 2016 and 2019 reached the end of extended support on July 14, 2026—the same day this security update was released. It is therefore their final expected scheduled security baseline. Organizations retaining either release should install the July update, investigate potentially exposed systems, and accelerate migration to SharePoint Server Subscription Edition or SharePoint Online.
PCWorld’s newer coverage also highlights additional Critical SharePoint flaws, including CVE-2026-58644 and CVE-2026-50522, that may allow unauthenticated remote code execution through unsafe deserialization. Administrators should treat the complete SharePoint security package as an emergency deployment, not patch only the exploited CVE.
The record total was detailed by BleepingComputer and corroborated by Microsoft’s Security Update Guide. It eclipses the more than 200 flaws addressed in June, but the headline needs qualification: Microsoft did not patch 570 defects solely in the Windows operating system. The count spans a broad portfolio including Windows, SharePoint Server, Office, .NET, Visual Studio, SQL Server and other Microsoft software.
The scale is still remarkable. BleepingComputer counted 254 elevation-of-privilege vulnerabilities, 145 remote-code-execution flaws, 102 information-disclosure bugs, 35 denial-of-service issues, 17 security-feature bypasses and 16 spoofing vulnerabilities. Those categories total 569 because Microsoft’s wider release also includes vulnerability types, such as tampering, that are not represented in that abbreviated breakdown.
Two Exploited Zero-Days Move Servers to the Front
The most immediate concern is CVE-2026-56164, an elevation-of-privilege vulnerability in Microsoft SharePoint Server. Microsoft says attackers are already exploiting the flaw, which stems from missing authentication for a critical function and can be reached over a network by an unauthenticated attacker.That combination makes on-premises SharePoint installations the obvious first priority. An internet-facing collaboration server is a materially different risk from a desktop vulnerability requiring an attacker to have an existing local foothold, particularly when Microsoft has already observed exploitation.
Microsoft credited researchers from Mandiant Incident Response, Google Cloud and FLARE, along with an anonymous researcher, for reporting the SharePoint issue. The relevant July updates include KB5002882 for SharePoint Server Subscription Edition, with separate packages available for supported SharePoint releases.
Administrators should inventory every on-premises SharePoint farm, verify the installed product and patch level, and avoid assuming that ordinary Windows Update policies will cover the application server. SharePoint security updates have their own deployment and post-installation considerations, including the need to run the appropriate configuration process across the farm.
The second exploited zero-day, CVE-2026-56155, affects Active Directory Federation Services. It is an elevation-of-privilege vulnerability discovered by Jeremy Kingston and Scott Clark of Microsoft’s Detection and Response Team.
CVE-2026-56155 requires local access, making it less directly exposed than the SharePoint flaw. It remains significant because AD FS occupies a sensitive identity role: an attacker who has already reached a federation server may be able to turn limited access into more powerful control. Organizations that still operate AD FS should patch those servers quickly and review security telemetry for suspicious local access or privilege changes.
These are not merely theoretical weaknesses promoted by a high monthly count. Microsoft’s exploited designation means attacks were observed before broadly available fixes arrived, even though the company has not publicly described the campaigns, victims or scale of exploitation.
BitLocker’s Physical-Attack Boundary Gets Another Repair
The third zero-day, CVE-2026-50661, is a Windows BitLocker security-feature bypass. It was publicly disclosed before the July update, but Microsoft had not reported active exploitation when the patches were released.The flaw involves a protection-mechanism failure that could permit an unauthorized attacker with physical access to bypass a BitLocker security control and reach encrypted data. That requirement narrows the practical threat for a desktop secured inside an office, but it matters considerably for laptops, removable systems, kiosks and machines exposed to theft or hands-on tampering.
A physical-access requirement should not be mistaken for a harmless flaw. BitLocker is specifically intended to protect data when a device leaves its owner’s control, so a bypass in that scenario cuts into the feature’s core security promise.
Organizations managing mobile fleets should therefore include the July Windows update in their BitLocker compliance checks rather than treating disk encryption as sufficient by itself. Recovery keys should remain escrowed and tested, firmware should be current, and high-risk systems should use appropriate preboot authentication policies where operationally feasible.
For home users, the practical action is simpler: confirm that Windows Update completed successfully and that a BitLocker recovery key is stored somewhere accessible before restarting. Installing security updates without knowing where that key resides can turn an otherwise ordinary recovery prompt into a lockout.
The Record Number Is Less Useful Than the Attack Path
Fifty-nine vulnerabilities in Microsoft’s July count are rated Critical, including 48 remote-code-execution flaws, nine elevation-of-privilege vulnerabilities, one security bypass and one spoofing issue. That is a substantial attack surface, but severity labels and raw totals do not provide a complete deployment order.A remotely exploitable flaw on an exposed server generally deserves attention before a local privilege-escalation bug on an isolated workstation. Likewise, a vulnerability known to be exploited should move ahead of a higher-scoring issue for which Microsoft considers exploitation unlikely.
For enterprise teams, a defensible July sequence is straightforward:
- On-premises SharePoint Server systems should receive the CVE-2026-56164 updates first, especially when they are reachable from the internet.
- AD FS servers should follow quickly because CVE-2026-56155 is under active exploitation and affects identity infrastructure.
- BitLocker-protected laptops and other devices at elevated risk of theft or physical access should be prioritized for CVE-2026-50661.
- Remaining Windows clients, servers, Office installations, developer tools and Microsoft applications should proceed through accelerated testing and deployment.
That does not make either number inherently wrong; it means administrators should not use a single headline figure as an asset inventory. The Security Update Guide, Microsoft Update Catalog, product-specific advisories and an organization’s own software records remain the reliable way to determine exposure.
July’s Windows Updates Carry Compatibility Changes Too
For Windows 11 versions 25H2 and 24H2, the principal cumulative package is KB5101650, advancing the systems to OS builds 26200.8875 and 26100.8875 respectively. Microsoft says it is not currently aware of any issues with that update, although the release includes more than vulnerability repairs.KB5101650 upgrades the built-in curl utility to version 8.21.0 and adds SHA-2 certificate-thumbprint support for trusted Remote Desktop publishers. It also continues Microsoft’s deployment of replacement Secure Boot certificates ahead of certificate expirations that began in June 2026.
One hardening change deserves testing in specialized environments. Microsoft warns that applications using sockets over unregistered third-party Transport Driver Interface transports may stop working after security updates released on or after July 14. The change affects supported editions across Windows 10, Windows 11 and Windows Server, while registered TDI transports are not affected.
That caveat is unlikely to trouble a normal home PC, but it could surface in legacy networking, security or industrial software. Administrators should test applications with low-level network dependencies rather than using the size of the release as justification for bypassing validation altogether.
Windows 11 Home and Pro systems on version 24H2 also have a separate deadline approaching: Microsoft lists October 13, 2026 as the end of monthly updates for those editions. The July patch protects them now, but moving to Windows 11 25H2 is the longer-term requirement.
Consumers can install the release through Settings, Windows Update and Check for updates. Enterprise teams face a more demanding job: patch the exploited SharePoint and AD FS paths immediately, validate the TDI hardening change, and then drive the remaining July updates through rings quickly enough that a record-breaking patch count does not become a record-sized window of exposure.
Update: SharePoint Zero-Day Added to CISA Exploited-Vulnerability Catalog (July 15, 2026)
CISA has added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog, reinforcing the need to patch exposed on-premises SharePoint Server farms immediately. Follow-up reporting also identifies a temporary Microsoft mitigation for organizations unable to deploy the update at once: enable the Antimalware Scan Interface and configure Request Body Scan mode to Full. This may help detect malicious POST requests but does not replace patching or compromise assessment.The lifecycle implications are now clearer. SharePoint Server 2016 and 2019 reached the end of extended support on July 14, 2026—the same day this security update was released. It is therefore their final expected scheduled security baseline. Organizations retaining either release should install the July update, investigate potentially exposed systems, and accelerate migration to SharePoint Server Subscription Edition or SharePoint Online.
PCWorld’s newer coverage also highlights additional Critical SharePoint flaws, including CVE-2026-58644 and CVE-2026-50522, that may allow unauthenticated remote code execution through unsafe deserialization. Administrators should treat the complete SharePoint security package as an emergency deployment, not patch only the exploited CVE.
Microsoft's July patches fix over 600 flaws, shattering last month's record | PCWorld
Microsoft's July 2026 Patch Tuesday fixed 570 security vulnerabilities, pushing the monthly total past 620 and to a new all-time record.
www.pcworld.com
References
- Primary source: Lifehacker
Published: 2026-07-14T19:52:57+00:00
Microsoft Just Patched a Record 570 Flaws in Windows | Lifehacker
Microsoft's Patch Tuesday update for July fixes a record 570 bugs, including three zero-days that have been actively exploited or publicly disclosed.lifehacker.com - Related coverage: tech.yahoo.com
Microsoft Just Patched a Record 570 Flaws in Windows
This month's Patch Tuesday update also includes three zero-days.tech.yahoo.com - Related coverage: bleepingcomputer.com
- Related coverage: thehackernews.com
Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Microsoft fixes a record 622 CVEs, including two exploited SharePoint and AD FS zero-days, while a Kerberos RC4 change could break service account logthehackernews.com
- Related coverage: krebsonsecurity.com
- Related coverage: techradar.com
Microsoft breaks Patch Tuesday record with fixes for over 200 security flaws | TechRadar
AI use is really starting to showwww.techradar.com
Last edited: