Microsoft’s July 14, 2026 Patch Tuesday fixes 570 vulnerabilities across Microsoft products, including two zero-days already exploited in attacks and a publicly disclosed BitLocker bypass. The headline number is a record by BleepingComputer’s Patch Tuesday count, but it should not be read as “570 Windows 10 and Windows 11 bugs”: the release spans Windows, Windows Server, SharePoint Server, Office, .NET, Azure components, and other Microsoft software.
The immediate priority is not the scale of the batch but the two confirmed in-the-wild vulnerabilities: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in Microsoft SharePoint Server. Microsoft’s own security guidance and reporting from BleepingComputer indicate both were being used before the July patches arrived. That moves this from a routine monthly update into a deployment exercise for identity and collaboration administrators.
Microsoft had warned on July 9 that customers should expect larger security releases as it expands AI-assisted vulnerability discovery across the Windows codebase. Its new multi-model scanning system, called MDASH, is designed to sift candidate flaws, validate them, and send only high-confidence findings to engineering teams. The July volume is therefore evidence of a faster discovery pipeline, not proof that Windows suddenly accumulated hundreds of new defects in a month.

Cybersecurity analysts monitor AI-driven vulnerability alerts, patch deployment, audit logs, and encrypted systems.The real emergency sits in AD FS and on-premises SharePoint​

CVE-2026-56155 is an elevation-of-privilege flaw in Active Directory Federation Services, the identity component still used by many organizations for federated sign-on. Microsoft says insufficiently granular access control can allow an authorized attacker to elevate privileges locally. In practice, an attacker who has already gained a foothold could potentially turn that position into administrative control over a particularly sensitive identity system.
The associated remediation has an operational wrinkle. Microsoft’s July Windows security update begins the first hardening phase for the AD FS Distributed Key Manager container ACL. The update initially runs in Audit mode, logging insecure permissions rather than automatically correcting them. Administrators need to inspect the AD FS Admin event log for Event ID 1132, then plan the opt-in ACL remediation rather than treating the monthly reboot as the entire job.
That distinction matters. A rushed permissions change around the Distributed Key Manager container can affect the certificates AD FS uses for token signing and token encryption. The correct response is still urgent patching, but it should be paired with review of the audit events, validation of federation flows, and confirmation that every AD FS server has received the update.
CVE-2026-56164 is the other active zero-day, affecting on-premises Microsoft SharePoint Server rather than SharePoint Online. Microsoft describes it as a missing-authentication issue in a critical function that allows an unauthenticated attacker to elevate privileges over a network. BleepingComputer reported that Microsoft has not published technical details of the active exploitation, which is all the more reason to assume internet-exposed SharePoint infrastructure is a priority target.
Microsoft recommends enabling the Antimalware Scan Interface on affected SharePoint servers and setting Request Body Scan mode to Full as a mitigation. That is not a substitute for applying the update. It is a compensating control for organizations that need time to test or coordinate an emergency maintenance window.

BitLocker deserves attention, but its threat model is different​

The third zero-day, CVE-2026-50661, is a publicly disclosed Windows BitLocker security-feature bypass. Unlike the AD FS and SharePoint flaws, Microsoft has not said it is being actively exploited. Successful exploitation requires physical access to the target device, and the expected outcome is access to data that the attacker should not be able to read from an encrypted system drive.
That makes the fix important for laptops, lost-device scenarios, field hardware, and any organization that depends on BitLocker as part of its data-protection posture. It is less likely to be the first item in an incident-response queue than an exposed SharePoint farm or AD FS server, but it should not be pushed into next month’s cycle.
The July update also reinforces a familiar lesson: full-disk encryption is a layer, not a magic wall. BitLocker remains valuable, but its assurance depends on the device’s patch state, Secure Boot posture, TPM configuration, recovery-key controls, and physical custody.

The record is 570—or 622—depending on the counting rule​

Security coverage around this month’s release has produced two totals. BleepingComputer counted 570 vulnerabilities in the Patch Tuesday set released by Microsoft on July 14, excluding issues repaired earlier in the month and a large set of Chromium vulnerabilities fixed upstream by Google. Malwarebytes reported 622 Microsoft CVEs when using a broader tally.
The discrepancy is not evidence that either outlet got the story wrong. It demonstrates why vulnerability totals need context: vendors publish fixes continuously, products inherit fixes from upstream projects, and “Patch Tuesday” can be defined narrowly as that day’s Microsoft advisories or broadly as the month’s Microsoft security activity.
Under BleepingComputer’s July 14 count, 59 issues are rated Critical. The breakdown is led by 254 elevation-of-privilege vulnerabilities and 145 remote-code-execution vulnerabilities, followed by 102 information-disclosure issues, 35 denial-of-service flaws, 17 security-feature bypasses, and 16 spoofing vulnerabilities. Numbers at this scale can make any monthly release look equally urgent; they are not. Exposure, exploit status, and the role of the affected system should determine deployment order.
For most home users, the practical action is straightforward: install the latest cumulative update through Windows Update, reboot, and verify the device is current. The Windows 11 July cumulative updates include KB5101650 for version 25H2 and version 24H2, and KB5099414 for version 23H2. Windows 10’s July security update, KB5099539, is relevant to systems enrolled in Extended Security Updates now that standard Windows 10 support has ended.

AI speeds discovery, not change control​

Microsoft’s position is that AI-driven discovery lets it identify weaknesses earlier, prioritize risk, and reduce the time between an internal finding and customer protection. MDASH is described as a multi-model pipeline that scans critical binaries, validates candidate bugs through model-based review, and passes confirmed findings into a Windows-specific proof process intended to eliminate false positives.
That is a meaningful technical change, but it does not remove the enterprise patching problem. If AI increases the rate at which vendors find valid vulnerabilities, IT teams will receive larger batches more often. The bottleneck moves from discovery to triage, compatibility testing, staged deployment, rollback planning, and proof that critical systems remain healthy after the update.
Microsoft argues that optional preview updates, Known Issue Rollback, Windows Autopatch, Intune, and hotpatch capabilities can soften that burden. Those tools help, but they do not decide whether an organization’s bespoke SharePoint integration, legacy AD FS configuration, endpoint security driver, or line-of-business application will behave correctly after a cumulative update.
Administrators should therefore treat July’s release as two tracks. The first is an accelerated security response for exposed SharePoint Server, AD FS, and Windows devices at elevated physical-loss risk. The second is a disciplined validation cycle for the remaining fixes, with monitoring for application failures, federation errors, performance regressions, and update-health signals.
The larger consequence is that Patch Tuesday may no longer be sized for the old cadence of human-only code review. Microsoft has made clear that it expects AI to uncover more flaws faster. July’s record release shows the defensive benefit of that approach—but it also gives Windows administrators a preview of the patch volume they may need to absorb from now on.

References​

  1. Primary source: zamin.uz
    Published: 2026-07-17T18:55:19+00:00
  2. Related coverage: pcgamer.com
  3. Related coverage: techcrunch.com
  4. Related coverage: thehackernews.com
  5. Related coverage: neowin.net
  6. Related coverage: assets.beyondtrust.com