Microsoft made its largest shipment patch tuesday Today is on the record, and two fixes close holes that attackers are already exploiting. The release includes Microsoft’s own 622 CVEs, according to the Security Update Guide count, more than three times the previous high of about 200 in June.
First those two living bugs must be caught. Microsoft credits incident responders for both. Both identity and collaboration infrastructure have high-privilege vulnerabilities: CVE-2026-56164 in on-premises SharePoint servers and CVE-2026-56155 in Active Directory Federation Services.
None of this fancy remote code execution is one of the important ones. They’re privilege bugs in two systems that matter more than their scores suggest: the company document store, and the box that signs its logins.
Two zero days to patch first
CVE-2026-56164, a SharePoint Server flaw that Microsoft says is being exploited in attacks, allows an unauthenticated attacker to escalate privileges on the network. No credentials, no user interaction, remote. Microsoft credited Mandiant’s incident responders and Google’s Flare team, pointing to the discovery of active attacks inside, though Microsoft did not say how the exploit was discovered or by whom.
If you run self-hosted SharePoint, this is the first to catch, and the second to watch on: Today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, neither of them have any paid ESU programs to offer.
Beyond patching, Microsoft’s advice states that enabling AMSI in full mode on the server blunts the attack. SharePoint has been an attack magnet since the Toolshell series of attacks destroyed unpatched servers in 2025, and it hasn’t stopped being one.
CVE-2026-56155, an Active Directory Federation Services flaw that Microsoft also marks as an exploit, allows an already authenticated attacker to escalate privileges locally through weak access controls. Microsoft’s own DART incident-response unit gets credit for this.
The AD FS is the box that signs tokens for the rest of the estate trusts, which is why a fault labeled “local” on that host is more noticeable than the label suggests. Microsoft has not disclosed what privilege it grants, or how the attackers used it.
It’s worth knowing for anyone keeping track of the fix’s timeline: at the time of this writing no CVEs are on CISA’s list of known exploited vulnerabilities. Microsoft’s own exploitability rating already marks both as exploited. Don’t wait for the KEV list to make it official.
Microsoft also significantly downplays the severity of SharePoint bugs, which is a good reminder that severity labels aren’t the thing to sort by this month.
The third bug, and the SharePoint series landing in August
A third zero-day was publicly disclosed, but was not attacked: CVE-2026-50661, another BitLocker bypass. This requires physical access to the device, so it is not a remote emergency. Patch it, but it doesn’t go out of the queue. This follows the BitLocker bypass earlier this year via Bitscreen and Yellowkey.
SharePoint came up with another notable solution. Rapid7 Labs disclosed CVE-2026-55040, which is a JWT authentication bypass they created for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says Microsoft gave it moderate severity, while ZDI reads the release as 9.1 Critical.
What it does is not in dispute. Rapid7 linked this to a separate remote code execution bug for accessing unauthenticated RCE against a vulnerable server, and the RCE half is not patched yet; Microsoft is supposed to fix this in August.
This bypasses the July series-breaking correction. The four-point spread on a bug also tells you what the severity number is this month.
RC4 cleanup that can break login
This update also completes Microsoft’s multi-year Kerberos RC4 hardening. The July rollout removes the RC4DefaultDisablementPhase rollback switch, the escape hatch administrators have come to rely on since Microsoft began the crackdown in January.
After this, RC4 only works for accounts explicitly configured to allow it. If any service accounts in your environment still request RC4 Kerberos tickets, this authentication may fail as the update arrives.
The order matters: audit first, use the RC4 audit event Microsoft added in January, then rotate passwords on flagged service accounts so Windows generates AES keys for them, then patch. Rotation only fixes accounts with missing AES keys.
Anything pinned to RC4 by configuration, or a legacy client that doesn’t say anything else, needs to be fixed yourself before the update arrives. This does not violate you; It breaks things, but if you skip the audit it will send you to the 2 o’clock page.
Why did a quiet month set a record?
July is historically one of the lightest months on Microsoft’s calendar, which makes a release of this size different. Windows alone has 416 of the 622, and ZDI counted 95 remote code execution bugs across the entire release.
Here’s where the rest sit, and what’s worth removing from each pile:
| product family | CVE | Worth taking out |
|---|---|---|
| windows | 416 | Both AD FS zero-days (CVE-2026-56155) and disclose BitLocker bypass (CVE-2026-50661) live here. The top score of the release is VMSwitch RCE, CVE-2026-57092 9.9 o’clock. Additionally there are five DHCP RCEs, and 21 NTFS and REFS driver bugs that ZDI reads as a shared root cause. |
| Office | 82 | Counted once. Microsoft re-lists the same 82 under a different Office 2016 track, which is why some outlets report 164. |
| Microsoft Edge | 46 | Chromium treats ZDI 21 as Microsoft’s own rather than relisting. |
| developer Tools | 27 | Visual Studio, VS Code and GitHub Copilot have security feature bypasses, mostly injection and path traversal. |
| sharepoint server | 17 | Exploited Zero Day (CVE-2026-56164) and Rapid7’s chain bypass (CVE-2026-55040), as well as a critical RCE pair CVE-2026-50522 9.8 o’clock. |
| Blue | 11 | Nothing was marked as urgent. |
| SQL Server | 8 | An RCE pair, CVE-2026-54117 And CVE-2026-54118Both 8.8. |
| guard | 5 | Two important RCEs. |
| exchange Server | 5 | XSS stored in Outlook Web Access, CVE-2026-55008At 9.6. Microsoft files it under spoofing, which reduces its sales. |
| Other | 5 | Nothing was marked as urgent. |
The calculations are from Microsoft’s security update guide, which shows a total of 622 unique CVEs this month. ZDI, counting independently, landed at 621, and its July review is the source of the per-family callout.
Microsoft called it quits five days ago. In a July 9 post, it told customers to expect “a greater volume of security updates to be included in each security release” as AI helps uncover more issues. That work includes MDASH, its multi-model agentive scanning system, which found 16 bugs on its own in May’s Patch Tuesday. Microsoft has not said how many of the July 622 came through that pipeline.
The same automation cuts both ways. Once a patch ships, attackers can vary it from the final build, find the bugs that close it, and build a working exploit before most shops have finished testing. This eats up the old “wait a week” cushion and reduces the Exploit Wednesday gap.
This also impacts CVSS-based triage. When a release has more than 600 CVEs and a large portion are given a high or critical rating, “important” stops sorting out anything. This month’s two exploited bugs illustrate this point: neither of them is Title 9.8, both have mid-level privilege flaws, and both are already in use.
Sort not by score, but by what is being exploited, using KEV, EPSS and Microsoft’s exploit flag and patch faster than before. The numbers on the box keep increasing.