Microsoft's Biggest Patch Tuesday Ever: Inside the 570-Flaw, 3-Zero-Day July 2026 Update
It's 9:14 a.m. on a Wednesday, and a SOC analyst at a mid-sized healthcare company is staring at a vulnerability scanner report that just doubled in size overnight. Her SharePoint farm — the same one HR, legal, and finance all dump sensitive files into — is flagged red. Somewhere out there, an attacker already knows about the flaw sitting on her server. Patch Tuesday didn't just land; it landed like a truck.
That's not hypothetical. It's the reality security teams woke up to this week after Microsoft shipped its largest single-month security update in company history: 570 documented vulnerabilities, three of them zero-days, two of those already being exploited in the wild before a patch existed. If you manage Windows infrastructure, SharePoint, or Active Directory Federation Services, this is the update you can't quietly schedule for "next sprint."
Table of Contents
- What Actually Happened This Patch Tuesday
- The Three Zero-Days You Need to Know
- Critical RCE Bugs: SharePoint, Print Spooler & Copilot
- Vulnerability Breakdown by Category
- Why This Matters for Real-World Networks
- Detection: How to Check If You're Exposed
- Prevention and Patching Priorities
- Expert Tips From the Trenches
- Related Reading
- FAQ
- Conclusion
What Actually Happened This Patch Tuesday
Every second Tuesday of the month, Microsoft releases its cumulative security rollup for Windows, Office, SharePoint, Exchange, SQL Server, and a growing list of enterprise products. Most months, security teams brace for somewhere between 60 and 150 fixes. This month, that number hit 570 — comfortably eclipsing the previous record set just a month earlier.
Of those 570 fixes, 59 carry a Critical severity rating. Three are zero-days: vulnerabilities that were either publicly known or actively exploited before Microsoft had a patch ready. Two of the three zero-days were confirmed under active attack, which is the detail that should get every defender's attention, because it means threat actors had a head start.
Microsoft has pointed to its growing use of AI-assisted vulnerability discovery as a factor behind the surge — automated tooling scanning the Windows and Office codebase at a scale human researchers simply can't match. That's good news in the long run (bugs get found before attackers find them), but in the short term it means patch volume is only going up, and patch management processes built for "a few dozen fixes a month" are already out of date.
The Three Zero-Days You Need to Know
Not all 570 fixes are equal. If your team can only triage a handful of CVEs this week, these three are non-negotiable.
CVE-2026-56164 — SharePoint Server Elevation of Privilege (Actively Exploited)
This is the headline flaw. It stems from missing authentication for a critical function inside SharePoint Server, which lets an unauthenticated, remote attacker escalate privileges over the network. Translation: an attacker doesn't need valid credentials to start climbing the privilege ladder on your SharePoint farm. Internet-facing, on-premises SharePoint servers are especially exposed, since the attack can be carried out remotely without prior access. CISA has added this CVE to its Known Exploited Vulnerabilities catalog with an aggressive patch deadline, which tells you exactly how seriously federal agencies are treating it.
CVE-2026-56155 — Active Directory Federation Services (Actively Exploited)
AD FS is the backbone of single sign-on for a huge number of enterprises — it's what lets an employee log in once and access dozens of internal and cloud apps. A flaw here that's already being exploited is a five-alarm fire, because AD FS compromise can cascade into identity-based lateral movement across your entire environment. Microsoft hasn't published full technical details on how it's been abused in the wild, which is fairly typical for actively exploited identity-infrastructure bugs — but the lack of detail doesn't mean the risk is lower.
CVE-2026-50661 — Windows BitLocker Security Feature Bypass (Publicly Disclosed)
Unlike the two above, this one hasn't been confirmed as exploited yet — but it is publicly known, which shortens the runway before someone weaponizes it. An attacker with physical access to a device could potentially bypass BitLocker device encryption and get at data that's supposed to be protected at rest. This matters enormously for lost or stolen laptops — the exact scenario BitLocker exists to defend against.
Beyond the Zero-Days: Critical RCE Bugs Riding Along
The three zero-days get the headlines, but two Critical-rated remote code execution bugs shipped in the same batch deserve equal attention on your patch dashboard, because both are unauthenticated and network-reachable — the exact profile attackers look for first.
CVE-2026-58644 — Microsoft SharePoint Server Remote Code Execution (CVSS 9.8). This is a deserialization-of-untrusted-data flaw (CWE-502): SharePoint receives a serialized object from a client and reconstructs it without properly validating the incoming data, so a specially crafted payload sent to a vulnerable endpoint can trigger code execution on the server. It's paired with a near-identical sibling bug, CVE-2026-50522, and Microsoft currently rates both as "Exploitation More Likely." Given that a related SharePoint elevation-of-privilege flaw is already confirmed exploited in the same release, treat this SharePoint RCE exploit chain as an active threat, not a theoretical one — and if you're still asking "is my SharePoint server vulnerable" after patching CVE-2026-56164, the answer is: check for this one too, since they hit the same servers from different angles.
CVE-2026-58608 — Windows Print Spooler Remote Code Execution (CVSS 8.8). A race condition and use-after-free flaw (CWE-362/CWE-416) lets a low-privileged, remote attacker execute code with no user interaction and low attack complexity, by manipulating the Print Spooler into referencing memory that's already been freed. Print Spooler has a well-documented history — going back to PrintNightmare — of being a favorite entry point for ransomware crews precisely because it's a service almost every Windows box runs by default and rarely gets audited on its own.
CVE-2026-48561 — Microsoft Copilot Remote Code Execution (CVSS 9.6). This one is worth calling out separately because the attack path doesn't look like a typical Windows bug at all. It's a command-injection flaw (CWE-77) in Microsoft 365 Copilot for iOS and Android: a malicious website can silently trigger Microsoft Edge for Android into sending crafted prompts to Copilot, and because the component accepted those prompts without confirming where they came from, simply visiting a booby-trapped page was enough to trigger unintended Copilot actions like reading or altering data. No download, no attachment, no obvious phishing tell — just a visited link. It's a preview of the kind of AI-assisted attack surface security teams are going to be dealing with a lot more of going forward.
Vulnerability Breakdown by Category
Here's how the 570 fixes shake out by type, which is useful context for prioritizing your own environment's exposure:
| Category | Approximate Count |
|---|---|
| Elevation of Privilege | ~254 |
| Remote Code Execution | ~145 |
| Information Disclosure | ~102 |
| Denial of Service | ~35 |
| Security Feature Bypass | ~17 |
| Spoofing | ~16 |
Elevation of Privilege dominates this month's release, hitting core components like the Windows Kernel, DirectX Graphics Kernel, Desktop Window Manager, and the Win32K subsystem. On paper these look "less severe" than RCE bugs. In practice, attackers routinely chain a low-severity EoP bug with an initial foothold — a phished credential, a malicious attachment — to jump straight to SYSTEM-level access. Don't let severity labels lull your team into deprioritizing them.
Why This Matters for Real-World Networks
Patch counts alone don't tell the full story — attack surface does. Think about what's actually sitting on a typical enterprise network right now:
- An internet-facing SharePoint portal used for partner file sharing
- AD FS handling SSO for cloud email, VPN, and internal apps
- Hundreds of laptops relying on BitLocker as the last line of defense if they're lost or stolen
- A Print Spooler service running quietly on nearly every Windows endpoint, rarely audited
Every one of those is directly touched by this month's zero-days. This isn't an abstract "patch when convenient" release — it's a release that maps almost perfectly onto the systems attackers already target first: identity infrastructure and internet-facing collaboration platforms. Given how ransomware crews have shifted toward identity-based intrusion techniques over pure software exploitation in recent incident data, an AD FS zero-day being actively exploited should be treated with the same urgency as a ransomware precursor — because that's often exactly what it is.
Detection: How to Check If You're Exposed
Before you can patch, you need to know what's actually running in your environment. Here are practical steps a SOC or IT admin can take today.
1. Inventory your SharePoint and AD FS footprint. Run a quick PowerShell check across your domain to identify servers running SharePoint or AD FS roles:
Get-WindowsFeature | Where-Object {$_.Name -like "*ADFS*" -or $_.Name -like "*SharePoint*"}
This tells you which servers need immediate attention versus which are unaffected.
2. Check patch status against the July 2026 cumulative update. On Windows Server, confirm the relevant KB has been installed:
Get-HotFix | Where-Object {$_.InstalledOn -ge (Get-Date).AddDays(-7)}
This lists updates applied in the last week — cross-reference against Microsoft's July 2026 release notes to confirm the correct cumulative update landed.
3. Enable AMSI on SharePoint as an interim mitigation. If you can't patch immediately, Microsoft recommends enabling the Antimalware Scan Interface with Request Body Scan mode set to Full — this doesn't fix CVE-2026-56164 but reduces exploitation risk while you schedule downtime.
4. Review authentication logs on AD FS servers. Since exploitation details for CVE-2026-56155 haven't been fully disclosed, watch for unusual authentication patterns: spikes in failed logins, token requests from unfamiliar IP ranges, or SSO sessions originating from geographies your organization doesn't operate in.
5. Flag any devices reported lost or stolen in the last 90 days. If BitLocker was the only control protecting data on those machines, treat the CVE-2026-50661 disclosure as a reason to reassess whether that data should now be considered potentially exposed.
Prevention and Patching Priorities
With 570 fixes to work through, triage is everything. A reasonable prioritization order looks like this:
- Patch the two actively exploited zero-days first — SharePoint (CVE-2026-56164) and AD FS (CVE-2026-56155) — on internet-facing and identity-critical servers, even outside your normal change window.
- Patch the Critical-rated RCE bugs next — particularly SharePoint RCE and Print Spooler RCE, both historically favored by ransomware operators.
- Roll out the BitLocker fix to laptop fleets — especially devices used by staff who travel or work outside secured facilities.
- Batch the remaining Elevation of Privilege and Information Disclosure fixes into your standard patch cycle, but don't push them past 30 days — chained exploitation is common.
Microsoft itself is now recommending Windows 11 quality updates be installed within three days of release, a notably tighter window than the traditional "patch within 30 days" guidance many organizations still follow. That recommendation reflects how fast AI-assisted attack tooling can now weaponize a disclosed CVE.
For federal agencies and critical infrastructure operators, this isn't optional guidance — it's a compliance clock. CISA has attached a hard critical infrastructure patching deadline to CVE-2026-56164 under Binding Operational Directive requirements, and has separately urged all organizations running on-premises SharePoint to treat hardening as urgent given the pattern of exploited SharePoint zero-days over the past year. If your organization falls under NIST, HIPAA, or GDPR reporting obligations, document your patch timeline now — a delayed patch on a CISA KEV-listed CVE is exactly the kind of gap auditors flag first.
Curious how many vulnerabilities Microsoft patched in July 2026 in total, or want the exact CVE-to-severity mapping for your compliance report? The full breakdown is in the table above — 570 vulnerabilities, 59 Critical, and the three zero-days detailed in this article are the ones to lead with in any internal report.
Expert Tips From the Trenches
- Don't trust severity ratings blindly. A "Moderate" SharePoint EoP bug with active exploitation deserves more urgency than a "Critical" bug with no known exploitation. Exploitability trumps CVSS score every time.
- Segment your SharePoint farm. If patching requires downtime you can't get approved instantly, at minimum restrict external access to the SharePoint front end until the fix is deployed.
- Treat AD FS like a crown jewel, not a utility service. Apply the same monitoring rigor you'd apply to a domain controller — because functionally, for identity, it often is one.
- Build an "emergency patch" lane into your change management process now. Waiting for the next scheduled maintenance window on an actively exploited zero-day is how breaches happen.
Related Cybersecurity Topics You Should Explore
- SonicWall SMA1000 Under Attack — Critical CVSS 10.0 Flaw Exposed
- Why SOC Analysts Run 'Tree' Before Anything Else
- This One Linux Command Exposed a Hacker's Fake Timestamps
- locate Command in Linux: Small Tool, Big Security Implications
- The Linux find Command: A SOC Analyst's Guide to Hunting Hackers
- mv Command Guide: How SOC Analysts Use It Safely (2026)
- I Found a Hacker Hiding in a Single Linux cp Command
- Kali Linux 2026.2 Released: 9 New Hacking Tools & Major Upgrades
- rm Command in Linux: The Tutorial (And the Mistake That Kills Servers)
- rmdir vs rm -r: The Linux Command Mistake That Costs Evidence
FAQ
Q: What is a zero-day vulnerability?
A: A zero-day is a flaw that's either publicly known or actively exploited before the vendor has released a patch, meaning defenders have "zero days" of advance warning to prepare.
Q: Do I need to patch immediately, or can this wait for my normal maintenance window?
A: For the two actively exploited zero-days (SharePoint and AD FS), patch outside your normal window if at all possible. These are already being used in real attacks.
Q: Is my organization at risk if we only use SharePoint Online (Microsoft 365)?
A: The actively exploited SharePoint flaw affects on-premises SharePoint Server deployments. Cloud-hosted SharePoint Online in Microsoft 365 is patched by Microsoft directly, but it's still worth confirming with your tenant admin.
Q: What's the interim fix if I can't patch SharePoint right away?
A: Enable the Antimalware Scan Interface (AMSI) with Request Body Scan mode set to Full. It's a mitigation, not a substitute for patching.
Q: Why did Microsoft release so many patches this month?
A: Microsoft attributes the record volume partly to AI-assisted vulnerability discovery tools scanning its codebase at a scale beyond manual research, surfacing more issues before attackers find them.
Q: Does the BitLocker bypass require physical access to my device?
A: Yes, based on current disclosure, exploitation requires physical access to the target system — it's not a remote attack vector.
Q: What is the Microsoft Copilot RCE vulnerability, and do I need to click anything to be affected?
A: CVE-2026-48561 affects Microsoft 365 Copilot for iOS and Android. No download or attachment is required — simply visiting a malicious website could cause Edge for Android to send crafted prompts to Copilot without user confirmation. Microsoft has addressed it as part of this release.
Q: How do I know if my organization has already been compromised via these zero-days?
A: Review AD FS and SharePoint authentication and access logs for anomalies in the weeks prior to patching, and consider engaging incident response support if you find suspicious activity predating your patch deployment.
Conclusion
Five hundred and seventy fixes in a single month isn't just a big number for a headline — it's a signal that the pace of vulnerability discovery, and likely the pace of exploitation, is accelerating faster than most patch management programs were built to handle. The SOC analyst from the opening scenario doesn't get to wait for a quieter week. Neither do you.
Prioritize the SharePoint and AD FS zero-days today, get BitLocker updates into your laptop fleet this week, and use this release as the trigger to build a faster emergency-patch process if you don't already have one. The next record-breaking Patch Tuesday is probably closer than you think.
Found this breakdown useful? Share it with your SOC team, bookmark it for your next patch review meeting, and drop a comment with how your organization is handling the SharePoint and AD FS zero-days.







