PATCH MANAGEMENT

Microsoft's July 2026 Patch Tuesday

570 Flaws and 3 Actively Exploited Zero-Days. Microsoft shipped fixes for 570 vulnerabilities in its July 2026 Patch Tuesday, one of the largest single releases on record.

Matt Lucas  |  July 14, 2026  |  5 min
570
Total CVEs Fixed
3
Actively Exploited Zero-Days
0
Days Until Attackers Scale
TL;DR
  • What: Microsoft's July 2026 Patch Tuesday fixed 570 vulnerabilities, including 3 zero-days confirmed under active exploitation.
  • Impact: Attackers already have working exploits for the zero-days, and multiple critical flaws enable remote code execution across Windows, Office, and server products.
  • Fix / mitigation: Apply the July 2026 cumulative updates immediately, prioritizing the three exploited zero-days and all critical RCE CVEs.
  • Who's at risk: Every organization running Windows, Windows Server, Microsoft Office, and related Microsoft products is at risk until patched.

Microsoft's July 2026 Patch Tuesday closed 570 vulnerabilities in a single release, one of the heaviest security drops the company has shipped. Three of those bugs are zero-days that attackers are already exploiting in the wild, which collapses your patch window to zero. If you triage by anything other than known exploitation and remote code execution this month, you are triaging wrong.

The three zero-days come first

The headline risk is not the raw count. It is the three vulnerabilities confirmed under active attack before the patch existed. Zero-days that ship exploited mean at least one threat actor already weaponized them, reverse engineers now have a patch to diff, and commodity tooling follows within days. Historically, the gap between a Patch Tuesday zero-day disclosure and mass opportunistic scanning is measured in hours, not weeks.

Assume the zero-days are already in play

Actively exploited flaws in a Patch Tuesday release are not theoretical. Prioritize the three zero-days above the other 567 CVEs, deploy to internet-facing and high-value assets first, and hunt for signs of prior compromise rather than assuming patching alone is enough.

570 is a scoping problem

A release this large is not something you push blindly to production in one wave. But size cuts both ways: a bigger surface means more critical remote code execution bugs buried in the list, and more chances that a flaw in a component you forgot you exposed is the one that gets hit. Treat the 570 as a queue to be ranked, not a monolith to be feared.

How to rank the queue

Why elevation-of-privilege still matters

Big Patch Tuesdays are usually dominated by elevation-of-privilege bugs, and those get dismissed as low priority because they require existing access. That logic fails against real intrusions. Attackers chain a phishing foothold or a stolen credential with a local privilege escalation to go from a single user context to SYSTEM or domain admin. On a domain controller, an EoP bug is effectively a keys-to-the-kingdom flaw. Rank them by where they sit, not just by their base severity label.

What to do this week

Move fast on the exploited flaws, then work down the tiers on your normal test-and-deploy rhythm. Do not let the 570 count become an excuse to freeze. A stalled rollout leaves the zero-days exposed for exactly the window attackers are counting on.

Operational checklist

Confirm your update source is pulling the July 2026 cumulative updates. Push the three zero-day fixes to your highest-exposure assets first. Verify domain controllers and Exchange are in an early ring. Scan for indicators of compromise on the exploited CVEs, since a patch does not evict an attacker who already got in.

The bottom line

570 CVEs is a scheduling challenge. Three actively exploited zero-days are an incident-response clock. Deploy the July 2026 updates now, lead with the exploited flaws and critical RCE bugs, and assume the zero-days may have already touched your environment. The organizations that get hit this month will not be the ones that lacked the patch. They will be the ones that had it and waited.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us