Microsoft has released the largest Patch Tuesday update in its history, addressing 622 unique security vulnerabilities across Windows, SharePoint Server, Office, Edge, SQL Server, Defender and several other products.
The sheer number is striking. It is more than three times the roughly 200 Microsoft vulnerabilities addressed during the previous record-breaking month. However, security teams should not treat all 622 flaws as equally urgent.
Two vulnerabilities are already being exploited in real-world attacks. Both affect critical identity and collaboration infrastructure: on-premises SharePoint Server and Active Directory Federation Services.
That makes this month's update less about installing every patch in numerical order and more about identifying which systems expose the greatest organisational risk.
The Two Zero-Days That Should Be Patched First
The most urgent vulnerability is CVE-2026-56164, an elevation-of-privilege flaw affecting on-premises SharePoint Server.
Microsoft says an unauthenticated attacker can exploit the weakness remotely without requiring credentials or user interaction. Although it is categorised as a privilege-escalation issue rather than remote code execution, the attack conditions make it particularly dangerous.
An internet-facing SharePoint server can hold sensitive documents, internal communications, employee records and integration credentials. It may also have trusted connections to other parts of the corporate environment.
A successful compromise could therefore give attackers more than access to a document portal. It may provide a route into wider business systems.
Microsoft has confirmed that the flaw is already being used in attacks, although it has not publicly explained who is responsible or how the vulnerability is being exploited.
SharePoint 2016 and 2019 Reach a Dangerous Turning Point
The timing of the SharePoint vulnerability creates an additional concern for organisations still operating SharePoint Server 2016 or 2019.
Both versions reached the end of extended support on the same day as the update. Unlike some Microsoft enterprise products, they do not have a paid Extended Security Updates programme that allows customers to continue receiving ordinary security fixes after support ends.
Organisations running these versions should therefore treat the latest patch as more than routine maintenance. It may be one of the final opportunities to secure those deployments before moving to a supported platform.
Microsoft also recommends enabling the Antimalware Scan Interface in Full Mode on SharePoint servers. This does not replace the security update, but it may help detect or block suspicious activity while administrators complete their patching work.
SharePoint has remained a frequent target because it is commonly exposed to the internet, deeply connected to corporate environments and often difficult to update quickly.
Why the AD FS Zero-Day Matters More Than Its Label Suggests
The second actively exploited vulnerability is CVE-2026-56155 in Active Directory Federation Services.
This flaw allows an already authenticated attacker to elevate privileges locally through improper access controls.
At first glance, the need for existing access and local execution may make it appear less urgent than a remote, unauthenticated vulnerability. However, the role of an AD FS server changes the risk calculation.
AD FS is responsible for issuing and signing authentication tokens that other applications trust. If attackers gain elevated control over that system, they may be able to interfere with identity processes, access protected services or create authentication tokens that appear legitimate.
In other words, the vulnerability affects a server that sits near the centre of an organisation's trust architecture.
Microsoft has confirmed active exploitation but has not disclosed the exact privileges attackers can gain or how the flaw has been used during incidents.
Do Not Wait for the CISA Catalogue
At the time of reporting, neither exploited vulnerability had appeared in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue.
That should not be interpreted as evidence that the flaws are less urgent.
Microsoft's own security guidance already marks both vulnerabilities as exploited. Organisations should not wait for a second agency to publish another warning before beginning remediation.
The delay also highlights a weakness in patching processes that depend entirely on one external list. A vulnerability may be actively exploited before it is added to every major tracking system.
Security teams should combine multiple signals, including vendor exploitation notices, public threat intelligence, system exposure and the importance of the affected asset.
A Publicly Disclosed BitLocker Bypass Is Less Urgent
Microsoft also addressed CVE-2026-50661, a BitLocker security-feature bypass that had been publicly disclosed before the patch became available.
Unlike the two actively exploited flaws, this vulnerability requires physical access to the targeted device.
That means it should still be patched, particularly on laptops carrying sensitive information, but it does not deserve the same emergency priority as the SharePoint and AD FS vulnerabilities.
The flaw continues a series of BitLocker bypass discoveries reported during the year. These issues show that disk encryption should not be treated as the only layer protecting a lost or stolen device.
Secure boot configuration, device management, strong account protection and rapid remote response remain important even when storage encryption is enabled.
Another SharePoint Fix Breaks Part of a Serious Attack Chain
SharePoint received another important security update for CVE-2026-55040, a JSON Web Token authentication bypass.
Researchers demonstrated that the bypass could be combined with a separate remote code execution vulnerability to achieve unauthenticated code execution against a vulnerable SharePoint server.
The authentication-bypass portion has now been patched, but Microsoft is not expected to fix the separate remote-code-execution weakness until August.
This makes the July update strategically important because it breaks the chain before the remaining component is addressed.
There has also been disagreement over the vulnerability's severity. One assessment placed it at medium severity with a score of 5.3, while another interpreted Microsoft's release information as critical with a score of 9.1.
The disagreement demonstrates why organisations should not rely on CVSS numbers alone. A vulnerability with a moderate standalone score may become far more dangerous when combined with another weakness.
Microsoft Completes Its Kerberos RC4 Crackdown
This month's update also advances Microsoft's long-running effort to phase out the outdated RC4 encryption algorithm in Kerberos authentication.
The update removes the RC4DefaultDisablementPhase rollback option that administrators could previously use to delay stricter enforcement.
After the change, RC4 will work only for accounts that have been explicitly configured to allow it.
That is good for security, but it could create authentication failures in environments that still depend on legacy service accounts or applications.
Administrators should not simply install the update and hope for the best.
They should first review the RC4 audit events introduced earlier in the year, identify accounts requesting RC4 Kerberos tickets and determine why those systems are not using AES encryption.
For service accounts that lack AES keys, rotating their passwords can generate the necessary keys. However, password rotation will not solve every situation.
Applications deliberately configured to require RC4, or legacy clients incapable of using newer encryption, will need separate remediation.
This is not the kind of vulnerability that gives an attacker immediate access. Instead, it is the kind of compatibility change that can unexpectedly break business applications after patching.
Why the Order of Work Matters
For organisations with older systems, the safer sequence is to audit first, remediate incompatible accounts and applications, and then deploy the update.
Skipping the assessment could result in failed logins, broken integrations and service outages after installation.
Healthcare, manufacturing, government and financial environments may be particularly exposed because older applications often depend on service accounts that have not been updated for years.
The security improvement is worthwhile, but it needs to be introduced with operational planning.
Where the 622 Vulnerabilities Are Concentrated
Windows accounts for the majority of the release, with 416 vulnerabilities.
Among them is CVE-2026-57092, a VMSwitch remote code execution flaw carrying a severity score of 9.9. The Windows updates also include several DHCP remote code execution vulnerabilities and more than 20 issues affecting NTFS and ReFS drivers.
Microsoft Office received fixes for 82 unique vulnerabilities. Some reports show a higher Office total because the same set is counted again under a separate Office 2016 update track.
Microsoft Edge accounts for 46 vulnerabilities, although some originate from Chromium rather than Microsoft's own code.
Developer products received 27 fixes across Visual Studio, Visual Studio Code and GitHub Copilot. Many involve injection, path-traversal or security-feature-bypass weaknesses.
SharePoint Server received 17 fixes, including the actively exploited zero-day, the JWT authentication bypass and two critical remote code execution vulnerabilities.
Azure received 11 fixes, while SQL Server received eight, including two remote code execution flaws rated 8.8.
Microsoft Defender received five fixes, two of which are classified as critical remote code execution vulnerabilities.
Exchange Server also received five updates. One addresses a stored cross-site scripting vulnerability in Outlook Web Access rated 9.6. Although Microsoft categorises it as spoofing, the potential impact makes that label sound less serious than the underlying behaviour.
Why Did Patch Tuesday Suddenly Become So Large?
July has historically been one of Microsoft's lighter patching months, making the record-breaking release especially unusual.
Microsoft had warned customers in advance that future security releases could contain much higher numbers of vulnerabilities. The company attributes part of the increase to expanded use of artificial intelligence in vulnerability research.
Automated and multi-model systems can review large codebases, compare software behaviour and identify patterns that would take human researchers considerably longer to investigate.
Microsoft previously revealed that one of its AI-assisted scanning systems identified 16 vulnerabilities included in an earlier Patch Tuesday release.
The company has not disclosed how many of July's 622 vulnerabilities were found through similar tools, but the record total suggests that automated discovery is becoming a larger part of its security programme.
AI-Assisted Discovery Helps Defenders and Attackers
Finding more vulnerabilities is beneficial because flaws can be corrected before they are widely exploited.
However, automation also accelerates the work of attackers.
Once a security update is published, threat actors can compare the patched and unpatched versions of the software. This process, known as patch diffing, helps them identify what changed and determine which code contained the vulnerability.
AI-assisted tools can speed up that analysis and help produce working exploits before many organisations have completed their normal testing cycle.
The traditional practice of waiting a week or longer before installing updates is therefore becoming increasingly risky, particularly for internet-facing and identity-related systems.
The gap between Patch Tuesday and practical exploitation is shrinking.
CVSS Scores Are Becoming Less Useful for Prioritisation
A release containing more than 600 vulnerabilities exposes the limits of severity-based patch management.
When dozens of vulnerabilities are labelled critical and hundreds are considered important, those categories no longer provide enough information to decide what should be fixed first.
The two exploited zero-days demonstrate the problem. Neither carries the highest severity score in the release, yet both are already being used against real organisations.
A vulnerability's practical risk depends on more than its numerical rating.
Security teams should consider whether it is actively exploited, whether the affected system is internet-facing, how valuable that system is to attackers and whether compromise could lead to wider access.
A medium-rated vulnerability in an identity server may be more urgent than a critical vulnerability in a feature the organisation does not use.
A More Practical Patch Priority
The most sensible starting point this month is on-premises SharePoint Server, especially systems accessible from the internet.
AD FS servers should follow closely because of their role in issuing trusted authentication tokens.
Organisations should then address the SharePoint authentication bypass that can form part of a remote-code-execution chain, followed by other exposed services carrying critical RCE vulnerabilities.
The Kerberos RC4 changes require a different approach. They should be deployed promptly, but only after administrators have audited legacy dependencies and prepared for authentication failures.
Endpoints, Office applications, Edge, SQL Server, Defender and developer tools should then be updated according to exposure and business importance.
Final Thoughts
Microsoft's record-breaking Patch Tuesday is not simply a story about 622 security flaws.
It is a reminder that vulnerability volume is growing faster than many organisations' ability to test and deploy updates.
Two relatively unremarkable-looking privilege vulnerabilities are already being exploited because they affect systems that attackers value: SharePoint and AD FS. Meanwhile, a medium-rated authentication bypass becomes far more serious when combined with a separate code-execution flaw.
The lesson is clear. Patch prioritisation can no longer begin and end with the highest CVSS number.
Organisations should prioritise confirmed exploitation, internet exposure, identity infrastructure and the potential impact of compromise. They should also assume that attackers will reverse-engineer patches faster than they did in the past.
The number of vulnerabilities may continue rising as Microsoft expands AI-assisted security testing. Defenders will need to become equally efficient at identifying what matters, testing quickly and patching before a security update becomes an attacker's instruction manual.


Comments