VYPR
patchPublished Jul 14, 2026· 7 sources

Microsoft July 2026 Patch Tuesday Addresses 570 Vulnerabilities, Including Three Actively Exploited Zero-Days

Microsoft's July 2026 Patch Tuesday fixes 570 vulnerabilities, with three zero-days, including two exploited in the wild, impacting SharePoint Server and Active Directory Federation Services.

Microsoft's July 2026 Patch Tuesday has arrived, bringing a substantial update that addresses approximately 570 vulnerabilities across its extensive product ecosystem. This follows a record-breaking June release that patched 206 flaws, also including three publicly disclosed zero-days. The July update prioritizes fixes for critical security weaknesses, with a particular focus on vulnerabilities that are already being exploited by malicious actors.

Among the most concerning fixes are three zero-day vulnerabilities. CVE-2026-56164, a Microsoft SharePoint Server Elevation of Privilege flaw, has been actively exploited in the wild. While rated as 'Moderate' in severity, its exploitation in real-world scenarios means that on-premises SharePoint farms should be treated as a top patching priority. Attackers often chain such privilege escalation bugs with other vulnerabilities to achieve full server compromise.

Another actively exploited zero-day, CVE-2026-56155, affects Active Directory Federation Services (AD FS). This 'Important' severity vulnerability allows for Elevation of Privilege within AD FS, a critical component for identity federation and single sign-on in hybrid environments. Successful exploitation could grant attackers the ability to escalate privileges and pivot towards compromising broader identity infrastructure, echoing past attack patterns involving AD FS.

The third zero-day, CVE-2026-50661, is a Windows BitLocker Security Feature Bypass vulnerability. While publicly disclosed, Microsoft has not confirmed active exploitation. This vulnerability is similar to the 'YellowKey' bypass discovered earlier in 2026, which targeted BitLocker's recovery environment to bypass disk encryption on lost or stolen devices, rather than the core encryption mechanism itself.

Beyond the zero-days, this month's Patch Tuesday includes two 'Critical' rated Remote Code Execution (RCE) vulnerabilities. CVE-2026-58644 affects Microsoft SharePoint, and CVE-2026-58608 impacts the Windows Print Spooler. Both SharePoint and Print Spooler have historically been favored targets for ransomware operators and nation-state actors due to the severe impact of RCE flaws.

Elevation of Privilege (EoP) remains the most prevalent bug class in this release, with 249 such vulnerabilities identified. These affect core Windows components like the Windows Kernel, DirectX Graphics Kernel, and the Win32K subsystem. Attackers typically chain these EoP vulnerabilities with an initial foothold to gain SYSTEM-level access on compromised systems.

The July update covers a wide range of Microsoft products, including Windows OS components, Microsoft Office, SharePoint Server, Remote Desktop Services, and Windows Admin Center. Most of these fixes require manual application by customers, as they are not automatically resolved through cloud servicing. Enterprises running SharePoint on-premises should prioritize CVE-2026-58644 due to its Critical RCE rating, while organizations exposing services like Remote Desktop Services or Windows Admin Center should also address CVE-2026-58626 and CVE-2026-58631 respectively, as these are common targets for lateral movement.

Microsoft's proactive approach to vulnerability management, potentially enhanced by AI-driven discovery tools, continues to result in large patch releases. While the sheer volume can be daunting, addressing these vulnerabilities, especially those actively exploited or rated Critical, is paramount to maintaining a strong security posture against evolving cyber threats.

CISA has updated its alert to include additional SharePoint Server vulnerabilities, CVE-2026-55040, CVE-2026-58644, and CVE-2026-56164, which are now also noted as potentially risky if unpatched, though not yet confirmed as exploited. The agency also officially added CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to its Known Exploited Vulnerabilities (KEV) Catalog on April 14, July 1, and July 14, 2026, respectively, underscoring the active threat posed by these flaws.

This latest report from BleepingComputer details a record-breaking 570 vulnerabilities addressed in Microsoft's July 2026 Patch Tuesday, surpassing the 569 CVEs mentioned in previous coverage. Notably, the article confirms two actively exploited zero-days affecting Active Directory Federation Services and Microsoft SharePoint Server, aligning with earlier reports, and adds a third publicly disclosed zero-day in Windows BitLocker. It also highlights Microsoft's increasing reliance on AI for vulnerability discovery, which is contributing to the surge in disclosed flaws.

This latest report from Microsoft details a record-breaking 622 vulnerabilities patched in its July 2026 security update, surpassing previous disclosures. Notably, two of these vulnerabilities, affecting Active Directory and SharePoint Server, were actively exploited in the wild as zero-days. Additionally, a separate BitLocker vulnerability was publicly disclosed, underscoring the urgency of applying these patches.

The new article specifies that KB5099539 addresses a total of 570 vulnerabilities in Windows 10, aligning with the number of vulnerabilities mentioned in the existing story. This update is part of Microsoft's July 2026 Patch Tuesday, which included fixes for three zero-day vulnerabilities, two of which were actively exploited in the wild.

This update provides further detail on Microsoft's July 2026 Patch Tuesday, noting that the total number of vulnerabilities patched has reached a record 570, nearly triple the previous month's count. The article highlights that nearly 60 of these flaws are rated 'critical' and includes specific mentions of CVE-2026-56155 (ADFS) and CVE-2026-56164 (SharePoint) as examples of elevation of privilege vulnerabilities. It also points out CVE-2026-48561, a critical remote code execution flaw in Microsoft Copilot, and CVE-2026-50661, a security feature bypass in BitLocker that is not known to be actively exploited.

This month's Microsoft Patch Tuesday is exceptionally large, addressing a total of 622 vulnerabilities, with 62 of them classified as critical. Notably, two vulnerabilities are already being actively exploited in the wild: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server. Additionally, a disclosed but unexploited BitLocker vulnerability, CVE-2026-50661, is also included in this update.

Synthesized by Vypr AI