Microsoft Patches 622 Flaws, Including Two Actively Attacked Zero-Days

▼ Summary
– Microsoft’s July 2026 Patch Tuesday is its largest ever, covering 622 CVEs, including two zero-day elevation-of-privilege flaws already being exploited: CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.
– CVE-2026-56164 allows an unauthenticated attacker to remotely escalate privileges on self-hosted SharePoint Server, and SharePoint Server 2016 and 2019 reach end of extended support on the same day with no paid ESU program.
– CVE-2026-56155 lets an already-authenticated attacker elevate privileges locally on an AD FS server; though labeled “local,” it is critical because AD FS signs tokens for the entire network.
– The update finalizes Microsoft’s multi-year Kerberos RC4 hardening by removing the rollback switch, meaning RC4 will only work for explicitly configured accounts, potentially causing authentication failures for service accounts still requesting RC4 tickets.
– Microsoft attributes the record number of fixes partly to its AI-assisted MDASH scanning system, which is also shrinking the patch-to-exploit window, making it essential to prioritize fixes based on exploitation flags rather than CVSS severity scores.
Microsoft has shipped its largest Patch Tuesday on record, addressing 622 vulnerabilities in a single release , more than triple the previous high of around 200 set just last month. Among the fixes are two actively exploited zero-days that demand immediate attention from security teams.
The two live bugs are both elevation-of-privilege flaws in identity and collaboration infrastructure. CVE-2026-56164 affects on-premises SharePoint Server, while CVE-2026-56155 targets Active Directory Federation Services (AD FS). Neither carries the dramatic “critical” remote code execution label, but both strike at systems that hold outsized importance: the company document store and the authentication server that signs login tokens.
CVE-2026-56164 is especially dangerous. Microsoft confirms it is being exploited in active attacks, and it allows an unauthenticated attacker to escalate privileges over the network with no credentials and no user interaction. The company credited Mandiant’s incident responders and Google’s FLARE team, signaling discovery inside real-world breaches. For organizations running self-hosted SharePoint, this is the patch to prioritize first. There is a second clock ticking: today also marks the end of extended support for SharePoint Server 2016 and 2019. Unlike Windows Server or SQL Server, neither has a paid Extended Security Updates (ESU) program to fall back on. Beyond patching, Microsoft advises enabling AMSI in Full Mode on the server to blunt the attack. SharePoint has been a persistent target since the ToolShell chain tore through unpatched servers in 2025, and that trend continues.
CVE-2026-56155 in AD FS lets an already-authenticated attacker elevate privileges locally through weak access controls. Microsoft’s own DART incident-response unit gets the credit here. AD FS is the box that signs tokens for the rest of the enterprise trust fabric, which is why a flaw labeled “local” on that host is worth far more attention than the label suggests. Microsoft has not disclosed what privileges it grants or how attackers have used it.
Worth knowing for anyone tracking remediation deadlines: neither CVE appears on CISA’s Known Exploited Vulnerabilities catalog as of this writing. Microsoft’s own exploitability rating already marks both as exploited. Do not wait for a KEV listing to make it official. Microsoft also rates the SharePoint bug fairly low on severity, which is a good reminder that the severity label is not the thing to sort by this month.
A third zero-day was publicly disclosed but is not under attack: CVE-2026-50661, another BitLocker bypass. It requires physical access to the device, so it is not a remote emergency. Patch it, but it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year.
SharePoint drew a second notable fix. Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass they built for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says Microsoft assigned it medium severity, while ZDI reads the release as Critical at 9.1. What it does is not in dispute. Rapid7 chained it to a separate remote code execution bug to reach unauthenticated RCE against a vulnerable server, and the RCE half is not patched yet; Microsoft is slated to fix it in August. That makes July’s bypass the fix that breaks the chain.
This update also finishes Microsoft’s multi-year Kerberos RC4 hardening. The July rollout removes the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since Microsoft began the crackdown in January. After this, RC4 works only for accounts explicitly configured to allow it. If any service account in your environment still requests RC4 Kerberos tickets, it can fail authentication the moment the update lands. The order matters: audit first using the RC4 audit events Microsoft added in January, then rotate the passwords on flagged service accounts so Windows generates AES keys for them, then patch. Rotation only fixes accounts missing AES keys. Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands.
July is historically one of the lightest months on Microsoft’s calendar, which makes a release this size stand out. Windows alone accounts for 416 of the 622 CVEs, and ZDI counts 95 remote code execution bugs across the release. The top score of the release is a VMSwitch RCE at 9.9, and there are five DHCP RCEs plus 21 NTFS and ReFS driver bugs that ZDI reads as one shared root cause. Office accounts for 82 CVEs, Microsoft Edge for 46, and Developer Tools for 27 , mostly injection and path traversal across Visual Studio, VS Code, and GitHub Copilot. SharePoint Server has 17, including the exploited zero-day and Rapid7’s chain bypass. Azure, SQL Server, Defender, Exchange Server, and other product families fill out the rest.
Microsoft called this release five days early. In a July 9 post, it told customers to expect a “higher volume of security updates included in each security release” as AI helps it uncover more issues. That work includes MDASH, its multi-model agentic scanning system, which found 16 of the bugs in May’s Patch Tuesday by itself. Microsoft has not said how many of July’s 622 came out of that pipeline. The same automation cuts both ways. Once a patch ships, attackers can diff it against the last build, find the bug it closes, and build a working exploit before most shops have finished testing. That eats the old “wait a week” cushion and shrinks the gap to Exploit Wednesday.
It also guts CVSS-based triage. When a release carries 600-plus CVEs and a large share are rated High or Critical, “critical” stops sorting anything. This month’s two exploited bugs make the point: neither is a headline 9.8, both are mid-tier privilege flaws, and both are already in use. Sort by what is being exploited, using KEV, EPSS, and Microsoft’s exploited flag, not by score, and patch faster than you used to. The number on the box is only going up.
(Source: Internet)
