Microsoft dropped its July 2026 security updates on July 14, and two of the patched vulnerabilities have already been used in real-world attacks. One allows attackers to escalate privileges on SharePoint servers without needing a password; the other can let them decrypt the cryptographic keys that protect Active Directory Federation Services (AD FS) logins. If your organization runs either on-premises SharePoint or AD FS, this month’s Patch Tuesday isn’t just another update cycle—it’s a race to shut down vulnerabilities attackers are exploiting right now.
Two Exploited Flaws Demand Immediate Patching
The first actively exploited vulnerability, CVE-2026-56164, lives in SharePoint Server. Microsoft rates it "Moderate" with a CVSS score of just 5.3, because it only allows elevation of privilege, not remote code execution. But don’t be fooled by the label: an attacker can trigger it over the network with no user interaction, and Microsoft has confirmed detection in the wild. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
The second, CVE-2026-56155, targets the Distributed Key Manager (DKM) container used by AD FS. If an attacker can gain access to the DKM material—which stores private keys for token-signing and encryption certificates—they could potentially forge authentication tokens, undermining your entire identity infrastructure. Microsoft has already seen this vulnerability exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) has added both to its Known Exploited Vulnerabilities catalog, giving federal agencies and enterprises a firm nudge to patch quickly.
More Than Just Zero-Days: A Monster Patch Tuesday
This month’s release is massive. Security analysts at BleepingComputer counted 570 Microsoft fixes, including 59 rated Critical. Other third-party trackers pushed that number above 600. While the exact tally varies depending on how you count, the volume alone signals a heavier-than-usual July update. Alongside the exploited bugs, the patches cover a broad set of Microsoft products, from Windows and Office to Azure, SQL Server, Exchange, and Dynamics.
Among the most critical flaws:
- CVE-2026-57092: A Windows VMSwitch elevation-of-privilege vulnerability with a near-maximum CVSS score of 9.9, putting Hyper-V environments at risk.
- Four remote-code-execution bugs in SharePoint itself (CVE-2026-58644, CVE-2026-50522, CVE-2026-55040) that can be exploited over the network without authentication, scoring 9.8 and 9.1.
- A trio of DHCP Server remote-code-execution vulnerabilities (CVE-2026-56159, CVE-2026-50518, CVE-2026-56188) all clocking in at 9.8.
- Critical fixes for Windows Server network drivers, TCP/IP, WSUS, Print Spooler, and even Microsoft Defender (CVE-2026-55011, CVE-2026-55012).
The Windows 11 cumulative updates KB5101650 and KB5099414 also shipped. KB5101650 advances version 25H2 to build 26200.8875, version 24H2 to build 26100.8875, and KB5099414 moves version 23H2 to build 22631.7376. These packages include all the security fixes plus quality improvements, such as a fix for OLE Automation issues with third-party apps and a File Explorer bug that could break OneDrive shortcuts when running Explorer as admin.
What It Means for You
The updates touch nearly every corner of the Microsoft ecosystem, but the real-world risk depends on what you run.
For home users and small businesses: Most people who rely on Windows Update will get these patches automatically. The SharePoint and AD FS flaws don’t affect you unless you run those servers locally (unlikely). Still, there are plenty of other dangerous bugs in this release that can be triggered through malicious Office documents, media files, or web content. Install the updates, enable automatic Microsoft Defender updates, and avoid opening unsolicited attachments.
For IT administrators: This month requires surgical prioritization. If you manage on-premises SharePoint farms or AD FS infrastructure, those systems should be patched immediately, ahead of your regular deployment ring. The SharePoint exploit doesn’t need user interaction and can be launched over the network—any internet-facing SharePoint server is a prime target. Check your web and server logs for signs of prior compromise: look for unexplained configuration changes, new accounts, or unusual requests.
For Hyper-V, DHCP, and domain controller admins: The 9.9 VMSwitch bug and 9.8 DHCP flaws are not yet exploited publicly, but their severity means they could be weaponized quickly. Test and deploy these patches to your server fleet as soon as possible. Active Directory Domain Services (CVE-2026-49164) and Certificate Services (CVE-2026-54121) also got critical patches—don’t lag here.
For anyone with BitLocker: CVE-2026-50661 is a publicly disclosed (but not exploited) zero-day in BitLocker. The update fixes it, so install it to close that disclosure gap before exploit code appears.
How We Got Here
Patch Tuesday happens every second Tuesday of the month, but July 2026 is unusually large. Microsoft hasn’t officially explained the spike, but the inclusion of two actively exploited zero-days alongside hundreds of other fixes suggests a convergence of internal discoveries, researcher submissions, and perhaps delayed patches from previous months. The SharePoint bug (CVE-2026-56164) stems from missing authentication on a critical function, a class of error that should have been caught earlier but slipped through. The AD FS flaw (CVE-2026-56155) involves overly permissive access controls on the DKM container, a misconfiguration that Microsoft is now hardening in stages.
Microsoft’s response to the AD FS bug is notable: rather than just patching the service, they’re introducing a phased approach. After installing the July update, AD FS enters an “Audit” mode that logs warnings (Event ID 1132) whenever the DKM container’s permissions are too loose, but doesn’t change them automatically. This gives administrators time to test and manually remediate by setting a registry key (RemediateDkmAcl = 1) on Windows Server 2016 and later. Microsoft will begin automatic remediation on October 13, 2026, so you have a few months to get your house in order—but you should start now.
The SharePoint bug, by contrast, is fixed directly in the SharePoint security updates. Microsoft also suggests enabling Antimalware Scan Interface (AMSI) integration and setting SharePoint’s Request Body Scan mode to “Full” as a supplementary defensive measure, but the update itself is the main line of defense.
What to Do Now
- Identify your exposure: Inventory all SharePoint servers (2016, 2019, Subscription Edition) and any AD FS servers. Note which are internet-facing.
- Install the SharePoint security updates immediately on all SharePoint servers. These are separate from the Windows cumulative updates; you must use SharePoint’s own patching process (usually through the SharePoint Products Configuration Wizard or Central Administration).
- Patch AD FS servers and then monitor the AD FS Admin event log for Event ID 1132. If you see it, audit the DKM container permissions. For servers with the right OS version, you can enable automatic remediation by setting
HKLM\Software\Microsoft\ADFS\RemediateDkmAcl(DWORD) to 1. Test this in a non-production environment first. - Apply Windows Server patches for VMSwitch, DHCP, and other critical roles as soon as testing allows. Don’t wait for your next maintenance window if you can fast-track these.
- Roll out Windows 11 cumulative updates to end-user devices. For Dell systems with some Intel processors, check compatibility: a known hold prevents KB5101650 from installing due to potential overheating and shutdowns. See Microsoft’s release health dashboard and Dell’s advisory.
- Update Microsoft Defender platform and intelligence separately to ensure the Defender-specific patches (CVE-2026-55011, CVE-2026-55012) reach your endpoints.
- Verify all Office applications are updated; multiple Word and PowerPoint remote-code-execution flaws are patched.
- Scan for compromise: For SharePoint, review logs for anomalous activity predating your patch. For AD FS, check for unusual token requests or account changes.
Outlook: What to Watch
The October 13 AD FS enforcement deadline is the next big date. Between now and then, Microsoft’s audit logs will reveal how many organizations have misconfigured DKM containers. Expect guidance from Microsoft and third-party security vendors on how to automate the fix at scale. Also, the high number of Critical-rated remote-code-execution bugs this month—especially in SharePoint and networking services—suggests that attackers may soon develop exploits for the ones not yet targeted. Keep an eye on CISA’s Known Exploited Vulnerabilities catalog and your own security telemetry; if any of these new CVEs pop up in attack frameworks, you’ll need to move even faster.
For everyday Windows users, Patch Tuesday remains a good reminder to let automatic updates do their job and to stay skeptical of unsolicited Office files and links. The bad guys are already using some of these flaws; the only safe practice is to patch as soon as you can.