- What: Microsoft's July 2026 Patch Tuesday fixed a record 622 CVEs, including two zero-days under active exploitation: CVE-2026-56164 in on-prem SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.
- Impact: CVE-2026-56164 lets an unauthenticated remote attacker escalate privileges on the company document store with no user interaction, and CVE-2026-56155 hands a local attacker elevated privileges on the host that signs authentication tokens for the rest of the estate.
- Fix / mitigation: Apply the July 2026 updates now, prioritizing the SharePoint and AD FS zero-days over the higher-scoring criticals, and enable AMSI in Full Mode on SharePoint servers as a stopgap.
- Who's at risk: Anyone running self-hosted SharePoint Server or AD FS, with SharePoint 2016 and 2019 shops most exposed since both hit end of extended support on patch day with no paid ESU option.
Microsoft shipped 622 of its own CVEs on July 14, 2026, more than triple June's previous record of roughly 200, in a month that is historically one of the lightest on its calendar. Two of those fixes close holes attackers are already exploiting, and neither one is a headline remote code execution critical. They are elevation-of-privilege bugs in the company document store and the box that signs its logins.
Both zero-days were credited to incident responders, which is the detail worth reading twice. Mandiant and Google's FLARE team found the SharePoint flaw. Microsoft's own DART unit found the AD FS one. That credit pattern means these were discovered inside live intrusions, not in a lab.
CVE-2026-56164: unauthenticated privilege escalation in SharePoint Server
This is the first patch to deploy. CVE-2026-56164 lets an unauthenticated attacker escalate privileges over the network against on-prem SharePoint Server. No credentials, no user interaction, remote. Microsoft confirms it is being exploited in attacks but has not said how or by whom.
Microsoft rates it fairly low on severity. Ignore that. The severity label is measuring the wrong thing this month, and SharePoint has been an attacker magnet since the ToolShell chain tore through unpatched servers in 2025.
There is a second clock on this one. July 14 is also the day SharePoint Server 2016 and 2019 reach end of extended support. Unlike Windows Server or SQL Server, neither has a paid ESU program to fall back on. If you are running either version, this is the last patch you get, and you are now on a migration timeline whether you planned one or not.
As of this writing, neither CVE-2026-56164 nor CVE-2026-56155 appears in the Known Exploited Vulnerabilities catalog. Microsoft's own exploitability rating already marks both as exploited. If your remediation SLA keys off KEV listings, you are waiting on paperwork while the attacks are already running. Treat Microsoft's exploited flag as the trigger.
CVE-2026-56155: elevation of privilege in AD FS
The second exploited bug lets an already-authenticated attacker elevate privileges locally through weak access controls in Active Directory Federation Services. Microsoft has not disclosed what privileges it grants or how attackers used it.
The word "local" is doing a lot of damage here. AD FS is the host that signs the tokens the rest of your estate trusts. A local privilege bug on that box is not a local problem, it is a federation problem. Any attacker who has already landed a foothold and can reach the AD FS host gets a path to the thing that mints identity for everything downstream.
The SharePoint chain that only half-lands in July
Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass built for their Pwn2Own Berlin entry. The scoring is a mess: Rapid7 puts it at 5.3 and says Microsoft assigned it medium, while ZDI reads the release as Critical at 9.1. A four-point spread on a single bug tells you what a severity number is worth right now.
What it does is not disputed. Rapid7 chained the bypass to a separate RCE bug to reach unauthenticated remote code execution against a vulnerable server. The RCE half is not patched yet, and Microsoft is slated to fix it in August. That makes July's bypass fix the piece that breaks the chain before the other half becomes public knowledge.
The third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker bypass that is not under attack. It needs physical access, so it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year. Patch it on your normal cycle.
The RC4 cleanup that will page you at 2am
This update finishes Microsoft's multi-year Kerberos RC4 hardening by removing the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since the crackdown began in January. After July, RC4 works only for accounts explicitly configured to allow it. Any service account still requesting RC4 Kerberos tickets can fail authentication the moment the update lands.
Audit first using the RC4 audit events Microsoft added in January. Then rotate passwords on flagged service accounts so Windows generates AES keys for them. Then patch. Rotation only fixes accounts missing AES keys. Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands. This one does not get you breached, it just breaks things loudly.
Where the other 620 CVEs sit
Windows accounts for 416 of the 622, and ZDI counts 95 remote code execution bugs across the full release. The rest breaks down like this:
- Windows (416): both the AD FS zero-day and the BitLocker bypass live here, alongside the top score of the release, a VMSwitch RCE at CVE-2026-57092 rated 9.9. Also five DHCP RCEs and 21 NTFS and ReFS driver bugs that ZDI reads as one shared root cause.
- Office (82): counted once. Microsoft lists the same 82 again under a separate Office 2016 track, which is why some outlets report 164.
- Microsoft Edge (46): ZDI counts 21 as Microsoft's own rather than Chromium re-listings.
- Developer Tools (27): security feature bypasses across Visual Studio, VS Code, and GitHub Copilot, mostly injection and path traversal.
- SharePoint Server (17): the exploited zero-day and Rapid7's chain bypass, plus a Critical RCE pair including CVE-2026-50522 at 9.8.
- Exchange Server (5): a stored XSS in Outlook Web Access, CVE-2026-55008, at 9.6. Microsoft files it under spoofing, which undersells it.
- SQL Server (8): an RCE pair, CVE-2026-54117 and CVE-2026-54118, both 8.8.
- Defender (5): two Critical RCEs. Azure (11) and Other (5): nothing flagged as urgent.
What to do this week
- Patch on-prem SharePoint Server first for CVE-2026-56164. If you cannot patch immediately, enable AMSI in Full Mode, which Microsoft's advisory says blunts the attack.
- Patch AD FS for CVE-2026-56155 next, and review who currently has local access to that host.
- If you run SharePoint 2016 or 2019, start migration planning now. Support ended July 14 and there is no paid ESU.
- Do not sort by CVSS this month. The two exploited bugs score lower than a dozen things you would otherwise patch first.
- Run the RC4 audit before the July update reaches your domain controllers and service account tier.
- Track the August release for the second half of the Rapid7 SharePoint chain.
The record size of this release is the least interesting thing about it. The useful signal is that Microsoft's severity ratings and CISA's KEV catalog both point away from the two bugs that are actually being used against people right now. Prioritize on exploitation status and on what the compromised system controls, not on the number in the advisory.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us