preloader

· security digital-security devops microsoft windows cve patch-management zero-day active-directory sharepoint europe

Microsoft’s Biggest Patch Tuesday Ever Just Landed, With Two Zero-Days Already Under Attack

Source: SecurityWeek

Microsoft’s July 2026 Patch Tuesday release fixes 622 vulnerabilities, more than three times June’s previous high of around 200 and the largest single release the company has ever shipped. Windows alone accounts for 416 of the fixes. Fifty-seven vulnerabilities are rated critical, made up of 48 remote code execution flaws, seven elevation of privilege bugs, one spoofing issue, and one security feature bypass.

Two zero-days already being used against real targets

The number that matters most is not 622, it is two. CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services caused by overly loose access controls, letting an attacker who already has a foothold escalate to administrative privileges over the identity service that federates authentication for Office 365, Azure, and a long list of on-premises applications. Microsoft’s own Detection and Response Team found it, which typically means it surfaced during a live incident response engagement rather than a lab exercise.

CVE-2026-56164 is arguably worse on paper: a missing-authentication flaw in SharePoint Server that lets an unauthenticated attacker perform spoofing over the network, no credentials and no user interaction required. Both are confirmed exploited in the wild before or at the point of patching, which is exactly the profile that pushes a CVE onto CISA’s Known Exploited Vulnerabilities catalogue and triggers mandatory remediation timelines for regulated sectors.

Why the sheer volume is its own problem

A record-breaking release is not just about the two zero-days. Fifty-seven critical, 48-of-them-RCE vulnerabilities landing in a single Tuesday means most patch management teams cannot realistically triage, test, and deploy everything on the usual cadence. Analysts tracking this release have pointed to AI-assisted vulnerability discovery inside Microsoft’s own security research as one driver of the volume, meaning organisations should expect this scale to become more common, not less, in future release cycles.

For European organisations, the AD FS and SharePoint Server flaws land squarely on infrastructure that NIS2 and DORA already require to be patched and monitored within defined timeframes. On-premises SharePoint and AD FS deployments are common in exactly the sectors those directives cover: financial services, healthcare, energy, and public administration. An unauthenticated, network-exploitable SharePoint bug sitting unpatched past a compliance deadline is both an operational risk and a regulatory one.

What to prioritise this week

Patch AD FS and SharePoint Server first, today if you run either on-premises, ahead of the rest of the 622-item queue. Confirm your vulnerability management process can actually identify which of your systems run these two products, shadow IT and forgotten legacy SharePoint farms are a recurring cause of missed patches. Then work through the remaining critical RCE flaws in order of internet exposure, prioritising anything internet-facing before internal-only systems.

If your organisation needs help triaging a patch release of this size, confirming exposure to CVE-2026-56155 or CVE-2026-56164, or building a patch management process that can keep pace with increasingly large Patch Tuesday releases, contact Excello Digital. We help European IT teams turn a record-breaking CVE list into a prioritised, actionable plan.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!