PATCH MANAGEMENT

Microsoft's 622-CVE Patch Tuesday

Two Zero-Days in SharePoint and AD FS Are Already Being Exploited. Microsoft shipped 622 CVEs in July 2026, more than triple the previous record, and two of them are under active attack: an unauthenticated SharePoint privilege escalation and an AD FS elevation flaw found by incident responders.

Matt Lucas  |  July 17, 2026  |  6 min
Editorial hero illustration
CVEs in this postCVE-2026-42533CVE-2026-50522CVE-2026-50661CVE-2026-54117CVE-2026-54118CVE-2026-55008CVE-2026-55040CVE-2026-56155CVE-2026-56164CVE-2026-57092Live detections →All RedEye CVEs →
622
CVEs patched (3x prior record)
2
zero-days under active attack
416
CVEs in Windows alone
95
remote code execution bugs
TL;DR
  • What: Microsoft's July 2026 Patch Tuesday fixed a record 622 CVEs, including two zero-days under active exploitation: CVE-2026-56164 in on-prem SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.
  • Impact: CVE-2026-56164 lets an unauthenticated remote attacker escalate privileges on the company document store with no user interaction, and CVE-2026-56155 hands a local attacker elevated privileges on the host that signs authentication tokens for the rest of the estate.
  • Fix / mitigation: Apply the July 2026 updates now, prioritizing the SharePoint and AD FS zero-days over the higher-scoring criticals, and enable AMSI in Full Mode on SharePoint servers as a stopgap.
  • Who's at risk: Anyone running self-hosted SharePoint Server or AD FS, with SharePoint 2016 and 2019 shops most exposed since both hit end of extended support on patch day with no paid ESU option.

Microsoft shipped 622 of its own CVEs on July 14, 2026, more than triple June's previous record of roughly 200, in a month that is historically one of the lightest on its calendar. Two of those fixes close holes attackers are already exploiting, and neither one is a headline remote code execution critical. They are elevation-of-privilege bugs in the company document store and the box that signs its logins.

Both zero-days were credited to incident responders, which is the detail worth reading twice. Mandiant and Google's FLARE team found the SharePoint flaw. Microsoft's own DART unit found the AD FS one. That credit pattern means these were discovered inside live intrusions, not in a lab.

CVE-2026-56164: unauthenticated privilege escalation in SharePoint Server

This is the first patch to deploy. CVE-2026-56164 lets an unauthenticated attacker escalate privileges over the network against on-prem SharePoint Server. No credentials, no user interaction, remote. Microsoft confirms it is being exploited in attacks but has not said how or by whom.

Microsoft rates it fairly low on severity. Ignore that. The severity label is measuring the wrong thing this month, and SharePoint has been an attacker magnet since the ToolShell chain tore through unpatched servers in 2025.

There is a second clock on this one. July 14 is also the day SharePoint Server 2016 and 2019 reach end of extended support. Unlike Windows Server or SQL Server, neither has a paid ESU program to fall back on. If you are running either version, this is the last patch you get, and you are now on a migration timeline whether you planned one or not.

Neither zero-day is on CISA's KEV catalog

As of this writing, neither CVE-2026-56164 nor CVE-2026-56155 appears in the Known Exploited Vulnerabilities catalog. Microsoft's own exploitability rating already marks both as exploited. If your remediation SLA keys off KEV listings, you are waiting on paperwork while the attacks are already running. Treat Microsoft's exploited flag as the trigger.

CVE-2026-56155: elevation of privilege in AD FS

The second exploited bug lets an already-authenticated attacker elevate privileges locally through weak access controls in Active Directory Federation Services. Microsoft has not disclosed what privileges it grants or how attackers used it.

The word "local" is doing a lot of damage here. AD FS is the host that signs the tokens the rest of your estate trusts. A local privilege bug on that box is not a local problem, it is a federation problem. Any attacker who has already landed a foothold and can reach the AD FS host gets a path to the thing that mints identity for everything downstream.

The SharePoint chain that only half-lands in July

Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass built for their Pwn2Own Berlin entry. The scoring is a mess: Rapid7 puts it at 5.3 and says Microsoft assigned it medium, while ZDI reads the release as Critical at 9.1. A four-point spread on a single bug tells you what a severity number is worth right now.

What it does is not disputed. Rapid7 chained the bypass to a separate RCE bug to reach unauthenticated remote code execution against a vulnerable server. The RCE half is not patched yet, and Microsoft is slated to fix it in August. That makes July's bypass fix the piece that breaks the chain before the other half becomes public knowledge.

The third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker bypass that is not under attack. It needs physical access, so it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year. Patch it on your normal cycle.

The RC4 cleanup that will page you at 2am

This update finishes Microsoft's multi-year Kerberos RC4 hardening by removing the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since the crackdown began in January. After July, RC4 works only for accounts explicitly configured to allow it. Any service account still requesting RC4 Kerberos tickets can fail authentication the moment the update lands.

Order of operations for the RC4 change

Audit first using the RC4 audit events Microsoft added in January. Then rotate passwords on flagged service accounts so Windows generates AES keys for them. Then patch. Rotation only fixes accounts missing AES keys. Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands. This one does not get you breached, it just breaks things loudly.

Where the other 620 CVEs sit

Windows accounts for 416 of the 622, and ZDI counts 95 remote code execution bugs across the full release. The rest breaks down like this:

What to do this week

The record size of this release is the least interesting thing about it. The useful signal is that Microsoft's severity ratings and CISA's KEV catalog both point away from the two bugs that are actually being used against people right now. Prioritize on exploitation status and on what the compromised system controls, not on the number in the advisory.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us