Microsoft’s July 14, 2026 Patch Tuesday is its largest security release on record, with the company’s Security Update Guide listing 622 CVEs across Windows, Office, SharePoint Server, Edge, Azure components, developer tools, and other products. That is more than triple June’s already unusual total, and it includes two vulnerabilities confirmed as under active attack.
The initial “570 flaws” headline circulating in patch coverage is not necessarily wrong, but it is incomplete. BleepingComputer’s count excludes some records and product groupings that broader tallies include; Microsoft’s own release data, echoed by NHS England and Rapid7, puts the full July total at 622. For administrators, the difference is less important than the operational reality: 416 of the CVEs are in the Windows product family, and the update demands triage rather than a routine monthly deployment.
Microsoft has also made clear why the number is rising. In a June security blog, the company said its AI-assisted vulnerability discovery system, internally known as MDASH, is now being used across Windows, Azure, and identity engineering. The company’s position is that these tools let security teams inspect difficult, old, and interconnected code at a depth and scale that conventional review cannot sustain.
That may be good news in the long run. In the short term, it means Patch Tuesday is becoming a much larger change-management event.
The immediate priorities are CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in on-premises Microsoft SharePoint Server. Microsoft says both have been exploited in the wild, and CISA added both to its Known Exploited Vulnerabilities catalog on July 14.
CVE-2026-56155 is an elevation-of-privilege vulnerability involving the Distributed Key Manager container used by AD FS. Microsoft’s support guidance describes a hardening process for overly permissive access-control lists that could expose material used to protect token-signing and token-encryption keys. The July Windows updates begin in audit mode, logging Event ID 1132 when AD FS detects insecure DKM permissions, before later updates move toward automatic remediation.
That detail matters because this is not simply a “patch and forget” issue for identity teams. Administrators running AD FS should install the July update on every federation server, review the AD FS Admin event log, and prepare for the October 13, 2026 transition Microsoft has scheduled for stronger automatic remediation. An unmanaged permissions problem in identity infrastructure can become a far more consequential incident than its CVSS number initially suggests.
CVE-2026-56164 is the more urgent exposure for organizations operating internet-facing SharePoint Server. It is a missing-authentication flaw that enables an unauthenticated attacker to elevate privileges over the network. CISA’s advisory says attackers are exploiting it alongside earlier SharePoint weaknesses to gain access, steal IIS machine keys, establish persistence, and deploy malware.
BleepingComputer reports that CISA is tracking active exploitation of three SharePoint vulnerabilities across supported self-hosted versions, including CVE-2026-56164 and the earlier CVE-2026-45659. The advice is unusually direct: patch, confirm that the updates actually installed, investigate potential compromise before rotating secrets, enable AMSI integration and Defender protections for SharePoint, and reduce or eliminate direct internet exposure where possible.
For federal civilian agencies, the remediation deadline for CVE-2026-56164 is July 17. Private-sector organizations are not bound by that date, but the timetable is a useful indication of how CISA sees the risk.
That distinction should guide endpoint teams. A BitLocker bypass is significant for laptops, field devices, shared workstations, lost hardware, and systems that may be accessed by an insider or a thief. It is not the reason to delay SharePoint or AD FS remediation while a broad Windows pilot runs.
The July batch also includes high-severity remote-code-execution fixes in services and components that enterprise environments should recognize immediately: Windows DNS Server, DHCP Server, Remote Desktop Services, Hyper-V, HTTP.sys, SQL Server, SharePoint, and Office. Microsoft’s earlier MDASH disclosure specifically identified findings in the Windows kernel, Hyper-V, Active Directory Domain Services, Remote Desktop Client, HTTP.sys, DNS Client, and DHCP Client.
The scale of the release does not mean every Windows PC is exposed to every listed vulnerability. It does mean that organizations relying on “Critical only” or a generic severity filter risk missing the systems attackers are already targeting. Exploitation status, internet exposure, identity role, and business function should outrank raw patch counts.
Those deployments may still be receiving the final updates relevant to this month’s bulletin, but they should not be treated as sustainably protected platforms after this point. An internet-facing SharePoint server that has reached end of support is no longer just an upgrade backlog item; it is a security architecture decision that needs an owner, a retirement plan, and compensating controls immediately.
SharePoint Server Subscription Edition is now Microsoft’s supported on-premises path, but migration is not a same-day response to active exploitation. In the near term, security teams should locate every SharePoint instance, identify externally exposed servers, apply the current fixes, review IIS and SharePoint logs, and validate service-account and machine-key handling. If a server cannot be patched or inspected quickly, restricting external access is more defensible than leaving it exposed for convenience.
That is a meaningful defensive use of AI. Microsoft reported that MDASH found vulnerabilities across deep Windows infrastructure before exploitation, including several serious flaws in Hyper-V, Active Directory, Remote Desktop, and networking components. Finding these issues before attackers do is plainly better than discovering them after an incident.
But discovery is only half the equation. Every additional confirmed flaw creates a patch, compatibility, testing, deployment, and verification obligation for customers. The limiting factor for many IT departments is no longer access to vulnerability intelligence; it is the ability to turn that intelligence into safe change at speed.
This month also exposes the weakness of treating exploitability ratings as fixed truth. CISA’s decision to add actively exploited SharePoint and AD FS flaws to KEV should override any complacency created by lower severity scores or earlier probability assessments. Attackers do not prioritize CVEs according to the neatness of a dashboard. They prioritize reachable systems, usable chains, credentials, and weak operational response.
A practical sequence is straightforward:
The initial “570 flaws” headline circulating in patch coverage is not necessarily wrong, but it is incomplete. BleepingComputer’s count excludes some records and product groupings that broader tallies include; Microsoft’s own release data, echoed by NHS England and Rapid7, puts the full July total at 622. For administrators, the difference is less important than the operational reality: 416 of the CVEs are in the Windows product family, and the update demands triage rather than a routine monthly deployment.
Microsoft has also made clear why the number is rising. In a June security blog, the company said its AI-assisted vulnerability discovery system, internally known as MDASH, is now being used across Windows, Azure, and identity engineering. The company’s position is that these tools let security teams inspect difficult, old, and interconnected code at a depth and scale that conventional review cannot sustain.
That may be good news in the long run. In the short term, it means Patch Tuesday is becoming a much larger change-management event.
Two exploited flaws move to the front of the queue
The immediate priorities are CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in on-premises Microsoft SharePoint Server. Microsoft says both have been exploited in the wild, and CISA added both to its Known Exploited Vulnerabilities catalog on July 14.CVE-2026-56155 is an elevation-of-privilege vulnerability involving the Distributed Key Manager container used by AD FS. Microsoft’s support guidance describes a hardening process for overly permissive access-control lists that could expose material used to protect token-signing and token-encryption keys. The July Windows updates begin in audit mode, logging Event ID 1132 when AD FS detects insecure DKM permissions, before later updates move toward automatic remediation.
That detail matters because this is not simply a “patch and forget” issue for identity teams. Administrators running AD FS should install the July update on every federation server, review the AD FS Admin event log, and prepare for the October 13, 2026 transition Microsoft has scheduled for stronger automatic remediation. An unmanaged permissions problem in identity infrastructure can become a far more consequential incident than its CVSS number initially suggests.
CVE-2026-56164 is the more urgent exposure for organizations operating internet-facing SharePoint Server. It is a missing-authentication flaw that enables an unauthenticated attacker to elevate privileges over the network. CISA’s advisory says attackers are exploiting it alongside earlier SharePoint weaknesses to gain access, steal IIS machine keys, establish persistence, and deploy malware.
BleepingComputer reports that CISA is tracking active exploitation of three SharePoint vulnerabilities across supported self-hosted versions, including CVE-2026-56164 and the earlier CVE-2026-45659. The advice is unusually direct: patch, confirm that the updates actually installed, investigate potential compromise before rotating secrets, enable AMSI integration and Defender protections for SharePoint, and reduce or eliminate direct internet exposure where possible.
For federal civilian agencies, the remediation deadline for CVE-2026-56164 is July 17. Private-sector organizations are not bound by that date, but the timetable is a useful indication of how CISA sees the risk.
A public BitLocker bypass is not a remote compromise
The third zero-day, CVE-2026-50661, affects Windows BitLocker and was publicly disclosed before Microsoft issued a fix. It is a security-feature bypass that requires physical access to a device; it is not a remotely exploitable flaw and Microsoft has not reported active exploitation.That distinction should guide endpoint teams. A BitLocker bypass is significant for laptops, field devices, shared workstations, lost hardware, and systems that may be accessed by an insider or a thief. It is not the reason to delay SharePoint or AD FS remediation while a broad Windows pilot runs.
The July batch also includes high-severity remote-code-execution fixes in services and components that enterprise environments should recognize immediately: Windows DNS Server, DHCP Server, Remote Desktop Services, Hyper-V, HTTP.sys, SQL Server, SharePoint, and Office. Microsoft’s earlier MDASH disclosure specifically identified findings in the Windows kernel, Hyper-V, Active Directory Domain Services, Remote Desktop Client, HTTP.sys, DNS Client, and DHCP Client.
The scale of the release does not mean every Windows PC is exposed to every listed vulnerability. It does mean that organizations relying on “Critical only” or a generic severity filter risk missing the systems attackers are already targeting. Exploitation status, internet exposure, identity role, and business function should outrank raw patch counts.
SharePoint’s lifecycle problem gets worse this week
There is an awkward complication for organizations still running SharePoint Server 2016 or SharePoint Server 2019: both products reached the end of extended support on July 14, the same day this record patch cycle landed. NHS England highlighted that milestone in its security alert.Those deployments may still be receiving the final updates relevant to this month’s bulletin, but they should not be treated as sustainably protected platforms after this point. An internet-facing SharePoint server that has reached end of support is no longer just an upgrade backlog item; it is a security architecture decision that needs an owner, a retirement plan, and compensating controls immediately.
SharePoint Server Subscription Edition is now Microsoft’s supported on-premises path, but migration is not a same-day response to active exploitation. In the near term, security teams should locate every SharePoint instance, identify externally exposed servers, apply the current fixes, review IIS and SharePoint logs, and validate service-account and machine-key handling. If a server cannot be patched or inspected quickly, restricting external access is more defensible than leaving it exposed for convenience.
AI is changing discovery faster than patch operations
Microsoft’s AI explanation should be read carefully. The company is not saying AI magically created 622 vulnerabilities in a month. It is saying its internal systems can now find, validate, and route more previously undiscovered defects into engineering workflows. MDASH uses multiple specialized agents rather than a single model, with findings flowing into GitHub Advanced Security, Azure DevOps, and Microsoft Defender processes for validation and remediation.That is a meaningful defensive use of AI. Microsoft reported that MDASH found vulnerabilities across deep Windows infrastructure before exploitation, including several serious flaws in Hyper-V, Active Directory, Remote Desktop, and networking components. Finding these issues before attackers do is plainly better than discovering them after an incident.
But discovery is only half the equation. Every additional confirmed flaw creates a patch, compatibility, testing, deployment, and verification obligation for customers. The limiting factor for many IT departments is no longer access to vulnerability intelligence; it is the ability to turn that intelligence into safe change at speed.
This month also exposes the weakness of treating exploitability ratings as fixed truth. CISA’s decision to add actively exploited SharePoint and AD FS flaws to KEV should override any complacency created by lower severity scores or earlier probability assessments. Attackers do not prioritize CVEs according to the neatness of a dashboard. They prioritize reachable systems, usable chains, credentials, and weak operational response.
The July plan should be narrow before it becomes broad
The right response is not to freeze all July updates because the release is exceptionally large. A blanket delay makes little sense where active exploitation is confirmed. It is also not realistic to push every update everywhere at once without validation.A practical sequence is straightforward:
- Patch and investigate on-premises SharePoint Server systems, especially anything exposed externally.
- Update AD FS servers, review Event ID 1132, and assign ownership for DKM ACL remediation before October’s automatic hardening phase.
- Deploy the BitLocker fix quickly to mobile and physically accessible Windows devices.
- Prioritize Windows Server roles, identity infrastructure, virtualization hosts, DNS, DHCP, Remote Desktop, SQL Server, and other high-value services before broad workstation rollout.
- Verify installation and service health rather than assuming a successful deployment report equals successful mitigation.
References
- Primary source: Rolling Out
Published: 2026-07-15T20:13:21+00:00
Microsoft just shattered its own patch record, again
Microsoft patched a record 570 security vulnerabilities this month, crediting AI assisted discovery, though researchers question whether risk ratings are keeping pace.rollingout.com - Related coverage: bleepingcomputer.com
- Related coverage: techradar.com
Microsoft breaks Patch Tuesday record with fixes for over 200 security flaws | TechRadar
AI use is really starting to showwww.techradar.com - Related coverage: itwire.com
Microsoft July Patch Tuesday Reveals 622 Vulnerabilities | iTWire
Microsoft is publishing 622 vulnerabilities on July 2026 Patch Tuesday, including a record-breaking 416 Windows vulnerabilities.
itwire.com
- Related coverage: hackread.com
Microsoft’s July 2026 Patch Tuesday fixes 622 flaws and 2 exploited zero-days
Microsoft’s July 2026 Patch Tuesday fixes 622 CVEs, including exploited AD FS and SharePoint flaws, plus the disclosed BitLocker bypass requiring urgent action.hackread.com - Related coverage: techlicious.com
Microsoft ships record Patch Tuesday fixing active attacks
July's Patch Tuesday fixes more vulnerabilities than any release in Microsoft's history, including two flaws already being exploited. Here's what to update now.www.techlicious.com