Microsoft released its largest-ever Patch Tuesday on July 14, 2026, with a staggering 622 security fixes—more than tripling the previous record. But IT teams should ignore the big number and zero in on two actively exploited flaws: one lets attackers hijack SharePoint servers without authentication, and the other abuses an identity service to gain elevated privileges. Both are under attack right now, and the clock is ticking for organizations that expose either technology to the internet.

What actually changed in the July patch bundle

The 622 CVEs span Windows, Office, SharePoint, Edge, Azure, developer tools, and more. Within that mountain, 416 affect the Windows product family. Two vulnerabilities have been confirmed as actively exploited in the wild: CVE-2026-56164 in on-premises Microsoft SharePoint Server and CVE-2026-56155 in Active Directory Federation Services (AD FS). The Cybersecurity and Infrastructure Security Agency (CISA) added both to its Known Exploited Vulnerabilities (KEV) catalog on the same day, alongside a third publicly disclosed BitLocker bypass (CVE-2026-50661) that is not currently exploited but could be used by anyone with physical device access.

The SharePoint zero-day (CVE-2026-56164) is a missing-authentication flaw. An unauthenticated attacker can exploit it over the network to elevate privileges. According to CISA, attackers are chaining this vulnerability with older SharePoint weaknesses to steal Internet Information Services (IIS) machine keys, establish persistence, and deploy malware. For federal civilian agencies, the remediation deadline is July 17—three days after the patch. That urgency signals how dangerous this is for any organization running self-hosted SharePoint, especially on internet-facing servers.

The AD FS vulnerability (CVE-2026-56155) involves overly permissive access-control lists on the Distributed Key Manager (DKM) container. An attacker who already has local access could tamper with token-signing and token-encryption key material, gaining elevated privileges in the identity fabric. The July fix starts in audit mode, writing Event ID 1132 to the AD FS Admin event log when insecure permissions are detected. Microsoft has telegraphed that stronger automatic remediation will follow on October 13, 2026.

A third notable entry, CVE-2026-50661, is a BitLocker security-feature bypass that requires physical access. While not actively exploited, it matters for laptops, field devices, and shared workstations that could fall into the wrong hands.

The sheer volume of patches also brought critical fixes for remote code execution in Windows DNS Server, DHCP Server, Remote Desktop Services, Hyper-V, HTTP.sys, SQL Server, and Office. Microsoft confirmed that many of these findings came from its internal AI-assisted vulnerability discovery system, called MDASH, which is now scanning deep, legacy code at scale.

What this means for you

For the vast majority of home users, the risk is minimal. The two actively exploited flaws target on-premises enterprise products—SharePoint Server and AD FS—that rarely exist in a home environment. Standard Windows updates delivered through Windows Update will handle the rest, including the BitLocker bypass. There is no reason to panic, but do apply the monthly patches without delay.

For IT administrators, the picture is stark. If your organization runs SharePoint Server on-premises and any instance is reachable from the internet, you are exposed to an active campaign that can lead to full compromise. CISA’s advisory is blunt: patch, verify the patch is installed, investigate for signs of compromise before rotating secrets, enable AMSI integration and Defender protections for SharePoint, and remove direct internet exposure wherever possible.

Identity teams should immediately update all AD FS federation servers and start monitoring for Event ID 1132. The October hardening deadline might feel distant, but misconfigured DKM permissions are not something to leave unexamined for months. An overlooked identity vulnerability can become the root of a much larger breach.

End-of-life SharePoint deployments add another layer to this crisis. Support for SharePoint Server 2016 and SharePoint Server 2019 ended on July 14—the same day these patches landed. Organizations still running those versions may receive the final round of fixes now, but they are effectively unsupported going forward. An internet-facing, end-of-life SharePoint server is an architectural security decision that demands an owner, a retirement plan, and immediate compensating controls.

Developers and service integrators who rely on SharePoint or AD FS in their solutions should review their dependencies and ensure any downstream customer environments are patched, especially those hosting custom web parts, workflows, or authentication pipelines that interface with these services.

How we got here—the numbers, the AI, and the lifecycle squeeze

This month’s record didn’t come out of nowhere. Microsoft’s security teams have been scaling up automated discovery using AI. In a June security blog, the company described MDASH, a system of specialized AI agents that comb through old, convoluted code in critical components like the Windows kernel, Hyper-V, Active Directory, and networking protocols. The agents route confirmed findings into engineering pipelines for validation and remediation. The result is a faster tempo of defect discovery.

That’s a net positive, but it also means Patch Tuesday is evolving from a routine chore into a significant change-management operation. The limiting factor for many organizations is no longer intelligence—it’s the capacity to test, deploy, and verify updates safely, especially when active exploitation compounds the urgency.

The SharePoint situation has been brewing for years. Many organizations delay upgrading because SharePoint customizations and data migrations are complex. The end of extended support for the 2016 and 2019 versions was known, yet countless servers remain online. Threat actors have noticed, and they are exploiting the gap.

What to do now—a practical priority list

A blanket freeze on all July updates is dangerous where active exploitation is confirmed. Nor is it realistic to push every update everywhere instantly. A narrow, risk-based approach is the smart play:

  1. Patch and investigate all SharePoint Server instances. Prioritize internet-facing servers, then internal ones. Confirm the fixes installed successfully, review IIS and SharePoint logs for signs of tampering, and rotate any suspect secrets.
  2. Update every AD FS server. Enable logging for Event ID 1132 and assign someone to own the DKM ACL remediation before October 13.
  3. Deploy the BitLocker fix to mobile and physically accessible devices. If a laptop or shared terminal is lost or stolen, this bypass could undermine disk encryption.
  4. Prioritize server-side roles next: DNS, DHCP, Remote Desktop, Hyper-V, SQL Server, and any high-value Windows servers before broad workstation rollout.
  5. Triple-check patch installation and service health. A green deployment report does not always mean the mitigation is effective. Test server functionality after patches, especially for identity and collaboration workloads.
  6. For SharePoint 2016/2019 out of support: If you cannot migrate to SharePoint Server Subscription Edition immediately, isolate the servers behind a VPN, enforce strict firewall rules, and disable internet exposure entirely.

Outlook

The AI-assisted vulnerability hunt is not slowing down. Every month could bring a flood of new CVEs, and the next actively exploited zero-day may already be lurking in the queue. Organizations must build muscle memory for rapid triage rather than clinging to “critical-only” filters. Patch Tuesday is no longer a simple hygiene exercise; it’s a monthly litmus test of operational readiness. The teams that thrive will be those that can separate the two or three fires from the smoke.