Microsoft’s July Patch Tuesday arrived with a record-breaking volume of security updates, totaling 622 fixes for its products. Among these, two zero-day vulnerabilities are of immediate concern, as exploit kits are already targeting them. These critical patches address flaws in identity and collaboration infrastructure, highlighting the ongoing battle against cyber threats in enterprise environments.
The emergency patches are for CVE-2026-56164, an elevation-of-privilege vulnerability in on-premises SharePoint Server, and CVE-2026-56155, a similar flaw affecting Active Directory Federation Services (AD FS). While not rated as critical remote code execution vulnerabilities, their impact on crucial systems makes them a top priority for organizations to address immediately. These vulnerabilities were identified by incident responders, underscoring their presence in active attacks.
Urgent Zero-Days Demand Immediate Attention
CVE-2026-56164, affecting SharePoint Server, allows an unauthenticated attacker to escalate privileges over the network. Microsoft credits Mandiant and Google’s FLARE team with its discovery, suggesting it was found during investigations into live attacks. While the specific methods of exploitation and attackers remain undisclosed, this vulnerability poses a significant risk to organizations relying on self-hosted SharePoint instances. Compounding this risk, July 2026 also marks the end of extended support for SharePoint Server 2016 and 2019, leaving no paid support options available beyond patching.
Microsoft’s advisory suggests enabling AMSI (Antimalware Scan Interface) in Full Mode on affected servers can mitigate this particular attack vector, even before a patch is applied. SharePoint has remained a consistent target for attackers since major breaches in 2025, and this new vulnerability reinforces its status as a critical infrastructure component requiring vigilant security management.
The second exploited zero-day, CVE-2026-56155, is a flaw in Active Directory Federation Services that allows an already authenticated user to escalate privileges locally through weak access controls. Microsoft’s own Data Analysis and Response Team (DART) is credited with its discovery. AD FS plays a crucial role in authenticating users and signing tokens for trust relationships across an organization’s IT ecosystem. Therefore, a privilege escalation vulnerability on this system, even if labeled “local,” carries significant implications for overall security.
Organizations should note that neither of these exploited vulnerabilities had been added to the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of release. However, Microsoft’s own exploitability rating and the nature of their discovery necessitate immediate patching, without waiting for official KEV listings. This serves as a reminder that exploitability flags, rather than just severity scores, should guide patching priorities.
Additional Vulnerabilities and Notable Fixes
Beyond the actively exploited zero-days, July’s Patch Tuesday also addressed CVE-2026-50661, a publicly disclosed but currently unexploited BitLocker bypass. This vulnerability requires physical access to the device, making it less of an immediate remote threat compared to the other zero-days, but still essential to patch. This fix continues a trend of BitLocker bypasses that have surfaced throughout the year.
A third significant vulnerability, CVE-2026-55040, a JWT (JSON Web Token) authentication bypass in SharePoint Server, was also disclosed. Discovered by Rapid7 Labs for their Pwn2Own Berlin entry, this vulnerability has security firms divided on its severity, with Rapid7 rating it medium and ZDI classifying it as Critical. Rapid7 successfully chained this bypass with a separate remote code execution (RCE) flaw to achieve unauthenticated RCE. The RCE component is not patched in this release and is slated for a fix in August, making the July patch crucial for breaking this attack chain.
RC4 Kerberos Hardening Completes
This update also marks the completion of Microsoft’s multi-year effort to harden Kerberos authentication against RC4 encryption. The July rollout removes the RC4Default-DisablementPhase rollback switch, which had served as an administrative fallback mechanism since the hardening process began in January. Post-update, RC4 will only be usable for accounts explicitly configured to permit it. This change could lead to authentication failures for any service accounts still attempting to use RC4 Kerberos tickets.
Organizations should prioritize auditing their environments for RC4 usage, using the audit events Microsoft introduced in January. Following the audit, passwords for affected service accounts should be rotated to ensure Windows generates AES keys, and then the patch should be applied. Any systems or legacy clients solely reliant on RC4 may require separate solutions before the Windows update is deployed to prevent service disruptions.
Record Volume Driven by AI and Evolving Threats
July’s unusually high volume of security updates, with Windows accounting for 416 of the 622 CVEs, is partly attributed to advancements in Microsoft’s vulnerability detection capabilities, including AI-driven tools like MDASH. While Microsoft has not specified the exact number of vulnerabilities discovered through AI, it has indicated expectations of a higher volume of updates as these technologies mature. This increased detection capacity, however, also accelerates the timeline for exploit development, shrinking the window between patch release and potential exploitation, often referred to as “Exploit Wednesday.”
The sheer scale of this month’s release also challenges traditional CVSS (Common Vulnerability Scoring System) based triage methods. With numerous high and critical-rated vulnerabilities, simple score-based prioritization becomes less effective. The two exploited zero-days, both privilege escalation flaws rather than headline RCEs, underscore the importance of monitoring exploitability indicators such as CISA’s KEV catalog, EPSS, and Microsoft’s own exploitability flags. Organizations are advised to adopt a faster patching cadence, focusing on actively exploited vulnerabilities, as the threat landscape continues to evolve.
Looking ahead, organizations must remain vigilant in their patch management processes, adapting to the increasing volume and sophistication of cyber threats. The trend towards AI-assisted vulnerability discovery suggests that Patch Tuesdays may continue to see significant update volumes. Therefore, a proactive and informed approach to security, prioritizing actively exploited vulnerabilities, will be crucial for maintaining robust defenses.

