
MICROSOFT’S July 2026 Patch Tuesday released fixes for a record‑breaking 622 vulnerabilities, surpassing previous months and highlighting a sharp rise in reported flaws across its product line, as Rapid7 reported. Among the updates are several zero‑day weaknesses that are already being exploited in the wild, prompting urgent action from administrators.
The advisory notes CVE‑2026-55040, rated CVSS 9.1 critical, as an authentication bypass in SharePoint that permits remote code execution without user interaction. Another critical flaw, CVE‑2026-56164, carries a CVSS 5.3 score and describes an elevation of privilege issue in SharePoint Server caused by a missing authentication check on a critical function, details of which are available via the CISA KEV entry. Both vulnerabilities are listed as known exploited by CISA and affect supported versions of SharePoint.
A third actively exploited issue, CVE‑2026-56155, scores CVSS 7.8 high and resides in Active Directory Federation Services, where insufficient granularity of access control allows an authenticated user with low privileges to escalate rights locally, as noted in the CISA KEV catalogue. The flaw requires an existing session but can be chained with other post‑compromise techniques to gain broader domain access. Microsoft has issued patches for all three zero‑days in the current update release, as outlined in the MSRC release note.
CISA added CVE‑2026-56155 and CVE‑2026-56164 to its Known Exploited Vulnerabilities catalogue on 14 July, confirming that attackers are already leveraging these flaws against targets. Although no specific threat actors have been named, the volume of vulnerabilities, 416 affecting Windows alone, shows a continuation of the upward trend seen in recent Patch Tuesday cycles, a point highlighted by DarkReading. Security analysts note that the increase correlates with expanded use of AI‑driven discovery tools that surface more issues faster.
Administrators should prioritize applying the July updates, beginning with the SharePoint patches for CVE‑2026-55040 and CVE‑2026-56164, followed by the ADFS fix for CVE‑2026-56155 to close the actively exploited paths. Where immediate reboot is not feasible, enabling AMSI logging for SharePoint and enforcing least‑privilege access on ADFS can reduce risk until patches are deployed, advice echoed in the CISA guidance. Organizations are also urged to consult the CISA KEV entries for each vulnerability to verify remediation steps and confirm that mitigations are in place.
Beyond this release, security teams should adopt a continuous patching strategy that integrates asset inventory, vulnerability prioritisation and automated deployment to keep pace with the growing flow of disclosures. Maintaining an up‑to‑date configuration baseline and regularly reviewing privileged access will help limit the impact of future zero‑day discoveries.