On this page · 11 sections
- What actually shipped
- The three zero-days
- Why the Exploitability Index stopped being a triage tool
- Microsoft changed its own deployment guidance
- A triage order that survives 570 CVEs
- SharePoint is the one that will bite you
- What else shipped the same week
- India-specific considerations
- FAQ
- How eCorpIT can help
- References
Summary. On 14 July 2026, Microsoft shipped security updates for a record-breaking 570 flaws, including 2 zero-days already exploited in attacks and 1 publicly disclosed. Tenable counted 569 CVEs and called it the largest Patch Tuesday ever, against a previous record of 198 CVEs set the month before. The split, by BleepingComputer's count: 254 elevation of privilege, 145 remote code execution, 102 information disclosure, 35 denial of service, 17 security feature bypass and 16 spoofing, with 59 rated Critical. That excludes 468 Edge and Chromium flaws Google fixed the same month. The cause is not a bad month for Windows. Microsoft confirmed on 9 July 2026 that it now uses AI to find flaws in its own codebase, and told customers to expect more updates every month as a result. The two zero-days under active attack are CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server. Neither is rated Critical. Both should go out before anything that is, which tells you most of what has changed about triage in 2026.
What actually shipped
Two numbers circulate for this release, and the difference is a counting method rather than an error. BleepingComputer reports 570 flaws. Tenable counts 569 CVEs. Microsoft's own category breakdown, as tabulated by BleepingComputer, sums to 569 and is labelled approximate. Use the shape, not the decimal.
| Category | Count | Share of the release |
|---|---|---|
| Elevation of privilege | 254 | Roughly 45% |
| Remote code execution | 145 | Roughly 25% |
| Information disclosure | 102 | Roughly 18% |
| Denial of service | 35 | Roughly 6% |
| Security feature bypass | 17 | Roughly 3% |
| Spoofing | 16 | Roughly 3% |
Of the 59 Critical entries, 48 are remote code execution, 9 are elevation of privilege, 1 is a security bypass and 1 is spoofing.
The count leaves things out, which matters if you are reporting coverage upward. It excludes fixes shipped earlier in the month for Mariner, Azure OpenAI, Azure Synapse, M365 Copilot, Exchange Online, Edge for Android and Entra Provisioning Service. It also excludes the 468 Edge and Chromium flaws Google fixed and Microsoft ported. Your actual July exposure is larger than 570.
The three zero-days
| CVE | Product | Status | What it does |
|---|---|---|---|
| CVE-2026-56155 | Active Directory Federation Services | Exploited in the wild; rated Important | Insufficient access-control granularity lets an authorised attacker elevate privileges locally |
| CVE-2026-56164 | SharePoint Server | Exploited in the wild; rated Moderate | Missing authentication for a critical function lets an unauthorised attacker elevate privileges over a network |
| CVE-2026-50661 | Windows BitLocker | Publicly disclosed, not yet exploited; rated Important | Bypasses BitLocker Device Encryption; needs physical access to reach encrypted data |
Read the severity column, then read the status column, and notice that they disagree. The SharePoint zero-day under active network exploitation is rated Moderate. The AD FS zero-day found by Microsoft's own incident responders is rated Important. Meanwhile 59 Critical entries have no known exploitation at all. If your patch process sorts by severity, it will deploy 59 things before it deploys the two that attackers are already using.
Dustin Childs, head of threat awareness at the Zero Day Initiative, was direct about the AD FS flaw: "[This vulnerability] stems from insufficient access-control granularity and does require local access and low privileges to start, but AD FS is exactly the kind of identity infrastructure attackers love to pivot through once they're in. It can also be paired with an RCE as we often see in ransomware. Test and deploy this patch quickly."
That is the pattern to internalise. A local, low-privilege elevation bug in identity infrastructure is not a low-priority bug. It is the second half of somebody else's intrusion.
Microsoft credited CVE-2026-56155 to Jeremy Kingston and Scott Clark of its Detection and Response Team, which is the incident response unit. A finding credited to DART usually means it was recovered from a real intrusion rather than a lab. Microsoft has published no detail on how either zero-day was exploited. Alongside the patch, it has started hardening the Access Control List on the AD FS Distributed Key Manager container, documented in KB5121391.
CVE-2026-56164 in SharePoint was reported by Jayson Frost of Mandiant Incident Response, Genwei Jiang of Google Cloud FLARE OTF, and an anonymous researcher. Two incident response teams from two companies independently reporting the same class of bug in the same month is a signal in itself.
For BitLocker, CrowdStrike noted the likely provenance: "While not confirmed at this time, this CVE may be the patch for GreatXML, a BitLocker bypass exploit released by the Nightmare-Eclipse persona." The same persona published a stripped-down proof of concept for a still-unpatched Windows elevation of privilege flaw, dubbed LegacyHive, on release day.
Why the Exploitability Index stopped being a triage tool
For a decade, the sane way to handle a big Patch Tuesday was to sort by Microsoft's Exploitability Index and start at the top. That index assumes a human is writing the exploit.
Satnam Narang, senior staff research engineer at Tenable, put the problem concretely: "For example, Microsoft originally tagged CVE-2026-45659, a SharePoint vulnerability, as exploitation less likely. However, the vulnerability was added to the CISA KEV on July 1."
He then cited the number that should end the argument: "Anthropic's Red Team's own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated 'Exploitation Less Likely' or 'Exploitation Unlikely.' What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it."
13 of 14. The rating "exploitation less likely" now describes how hard the bug is for a person, and attackers stopped being limited to people. We covered the fallout from that specific SharePoint CVE in our CVE-2026-45659 enterprise patch guide; the short version is that the "unlikely" label aged in weeks, not years.
The same machine-speed discovery is what produced the 570. Microsoft's multi-model agentic scanning harness scans critical binaries and validates candidates through debate across model families, then passes survivors to a Windows-specific pipeline that strips false positives before a human engineer sees them. Microsoft says human engineers still review every proposed fix. The result is a permanent step change in patch volume, announced in advance: expect this every month now.
There is a defensive read here that is worth saying plainly. Finding your own bugs with AI before attackers find them with AI is the correct move, and the 570 is evidence the pipeline works. The problem it creates is entirely downstream, in your change window.
Microsoft changed its own deployment guidance
Buried under the CVE count is the operationally important part. Microsoft has shortened its recommended patch timelines, and said why: "If you're not delivering critical quality updates with security fixes until a couple of weeks after they've been issued, that's ample time for attackers using AI to find and exploit known security gaps."
The new recommendation, in Microsoft's words: "To address this, we've updated our recommendations for deploying Windows updates to less than three days as the deferral period for quality updates, setting deadlines for those updates to zero or one day, and the update grace period to a maximum of two days."
| Setting | Microsoft's July 2026 recommendation | What it controls |
|---|---|---|
| Deferral period, quality updates | Less than 3 days | How long a released update waits before it reaches the ring at all |
| Update deadline | 0 to 1 day | How long a device may postpone once the update is offered |
| Update grace period | 2 days maximum | The extra window a device gets after the deadline passes |
| Stated reason | Attackers using AI close the gap in days | Microsoft's own justification for shortening all three |
| Scope | Windows quality updates | The settings live in Windows Update for Business and Intune rings |
Those are three numbers you can change this week in Windows Update for Business or Intune. The catch is honest: compressing the deferral window trades regression risk for exposure risk, and Microsoft is now telling you which way it thinks the trade has moved.
A triage order that survives 570 CVEs
Severity sorting fails at this volume. Sort by reachability and evidence of use instead.
- Exploited zero-days on internet-facing identity and collaboration infrastructure, first. CVE-2026-56164 on any SharePoint server reachable from outside, then CVE-2026-56155 on AD FS. Both are being used now. Neither is rated Critical.
- Everything else internet-facing. The SharePoint remote code execution fixes CVE-2026-50522 and CVE-2026-58644, and the critical security feature bypass CVE-2026-55040, all shipped in the same release.
- Critical RCE on servers that process untrusted input. The 48 Critical RCEs, filtered by whether the service actually receives outside traffic.
- Elevation of privilege on anything an attacker already touches. This is 254 of the 570 and cannot be done at once. Prioritise where a foothold is plausible: build agents, jump boxes, shared developer machines.
- Physical-access and local-only bugs, on the normal cycle. CVE-2026-50661 in BitLocker matters for lost laptops, not for the perimeter. Patch it, but not tonight.
The judgement underneath that list: an unrated bug on a box the internet can reach beats a Critical on a box it cannot. Vendor severity describes the bug, not your exposure.
SharePoint is the one that will bite you
If you run SharePoint Server on-premises, this month is not routine.
CVE-2026-56164 is already under attack. CISA urged organisations running SharePoint to apply additional hardening on 14 July 2026, noting attackers are also exploiting two recently patched flaws, CVE-2026-32201 and CVE-2026-45659. Enabling the Antimalware Scan Interface and setting Request Body Scan mode to Full is documented as a mitigation for the zero-day, but Microsoft is clear the update is the better option, partly because it also closes the other three SharePoint flaws in this release.
Then there is what has not shipped yet. Adam Barnett, Principal Software Engineer at Rapid7, described CVE-2026-55040: "Discovered by Rapid7 Senior Principal Security Researcher Stephen Fewer, and published (...) in coordination with Microsoft, [CVE-2026-55040] is the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server." The second half of that chain is still embargoed, and Barnett expects Microsoft to patch it in August 2026.
An unauthenticated RCE chain against SharePoint, half-disclosed, with the other half landing next month. Plan the August window now.
What else shipped the same week
Patch Tuesday is not the whole month, and July was busy elsewhere. Adobe patched seven maximum-severity ColdFusion and Campaign flaws, including CVE-2026-48282, later exploited in attacks. Cisco confirmed CVE-2026-20230 is under active exploitation. Progress Software patched a path traversal zero-day that had already forced an emergency shutdown of ShareFile Storage Zone Controllers. The Linux kernel fixed Januscape, a VM escape allowing code execution on the host. SAP shipped four critical fixes across NetWeaver, Commerce Cloud and AppRouter. Ubiquiti fixed a maximum-severity command injection in UniFi OS, and BeyondTrust patched two critical authentication bypasses in Remote Support and Privileged Remote Access.
If your vulnerability management only watches Microsoft, six of those are already past you.
The Five Eyes cybersecurity agencies used the same week to advise organisations to fold AI tools into security operations to "detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents." The asymmetry is the point: Microsoft is finding bugs at machine speed, attackers are writing exploits at machine speed, and most patch windows still run at meeting speed.
India-specific considerations
Two things make this release harder for Indian teams than the CVE count suggests.
The first is SharePoint on-premises, which remains common across Indian manufacturing, BFSI and public sector deployments that never moved to Microsoft 365. Those are exactly the servers CVE-2026-56164 targets, and they are frequently internet-facing for vendor and dealer portals. An on-premises SharePoint farm reachable from the public internet is the highest-priority box in your estate this week.
The second is the Digital Personal Data Protection Act, 2023. An elevation of privilege on an identity server is not an IT problem once it reaches personal data; it becomes a reportable breach, and the obligation lands on the data fiduciary. "It was rated Moderate" will not survive a regulator's question about why a known-exploited flaw sat unpatched for a month. Teams still sizing that exposure can start with our breakdown of DPDP compliance costs for Indian startups.
Practical note for teams running lean: you cannot deploy 570 fixes in a week, and nobody expects you to. You can find every internet-facing SharePoint and AD FS box by Friday. Do that instead.
FAQ
How eCorpIT can help
eCorpIT helps engineering and IT teams turn a 570-CVE month into a short, ordered list they can actually ship. Our senior engineering teams map which of your systems are genuinely internet-reachable, prioritise by exposure rather than vendor severity, and tighten Windows Update for Business and Intune ring settings against Microsoft's shortened July 2026 guidance. We design these controls aligned with DPDP requirements for teams handling personal data in India. If you are staring at this month's list and your SharePoint farm is on-premises, talk to us.
References
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days - BleepingComputer, 14 July 2026.
- AI-driven bug hunting fuels record Microsoft Patch Tuesday - Help Net Security, 15 July 2026.
- Microsoft's July 2026 Patch Tuesday addresses 569 CVEs - Tenable, July 2026.
- The July 2026 Security Update Review - Zero Day Initiative, 14 July 2026.
- Patch Tuesday - July 2026 - Rapid7, July 2026.
- CVE-2026-56155 - Active Directory Federation Services elevation of privilege - Microsoft Security Response Center.
- CVE-2026-56164 - Microsoft SharePoint Server elevation of privilege - Microsoft Security Response Center.
- KB5121391: AD FS DKM container ACL hardening - Microsoft, July 2026.
- CISA urges SharePoint hardening after new exploitations - CISA, 14 July 2026.
- Evolving Windows vulnerability management to meet the speed of AI-powered discovery - Windows Experience Blog, 9 July 2026.
- Patch Tuesday analysis, July 2026 - CrowdStrike, July 2026.
- Microsoft Patches a Record 570 Security Flaws - Krebs on Security, July 2026.
- Microsoft updates Windows update deployment timelines - Help Net Security, 10 July 2026.
- Microsoft warns customers AI will mean busier Patch Tuesdays - The Register, 10 July 2026.
_Last updated: 16 July 2026._