Microsoft shipped its July 2026 security update on July 14, patching two zero-day vulnerabilities that attackers were already exploiting in the wild. One allows unauthenticated network access to SharePoint Server, the other hands administrative control to a local attacker on Active Directory Federation Services. The mammoth update addresses a record 622 flaws across the Windows ecosystem, including 57 rated critical—the highest single-month tally ever recorded by Cisco Talos.
AD FS and SharePoint are not your average patches this month. CVE-2026-56155 is an elevation-of-privilege bug in AD FS that stems from overly loose access controls. An authorized attacker with a foothold on the system can escalate to administrative privileges, compromising the identity service that federates authentication for Office 365, Azure, and countless on-premises apps. Microsoft’s own Detection and Response Team (DART) discovered the flaw, hinting that it likely surfaced during an incident response investigation. So far, Microsoft hasn’t shared details about how attackers used it or which organizations were hit.
The more immediately dangerous of the two is CVE-2026-56164, a missing-authentication vulnerability in SharePoint Server that lets an unauthenticated attacker perform spoofing over the network. Although Talos classifies it as spoofing, Microsoft’s advisory treats it as elevation of privilege; either way, the impact is severe. Any SharePoint farm that’s accessible to the internet—or even to a large internal user base—could be a target. Microsoft offers a partial mitigation: enable the Antimalware Scan Interface (AMSI) on SharePoint and set Request Body Scan mode to Full. That might slow down an attack, but it’s no substitute for a full patch. SharePoint administrators should treat this as an emergency.
A third zero-day, CVE-2026-50661, is a BitLocker security-feature bypass that was publicly disclosed before a fix was available. Microsoft hasn’t seen active exploitation of it yet, but it requires only physical access to a device to potentially decrypt protected data. Laptops, kiosks, and field systems are particularly at risk.
Beyond the Exploit Wall: Critical RCEs Everywhere
The sheer volume of this Patch Tuesday is staggering. Talos identified 48 critical remote-code-execution (RCE) vulnerabilities, seven critical elevation-of-privilege flaws, and one each of critical spoofing and security-feature bypass. Eleven of the critical RCEs carry Microsoft’s “exploitation more likely” label, meaning attackers will probably weaponize them soon.
DHCP sits uncomfortably at the top of that list. CVE-2026-50518 is a heap-based buffer overflow in the DHCP Server service that an unauthenticated attacker can trigger over the network without any user interaction. CVE-2026-50370 targets the same service but from an adjacent network, while CVE-2026-54128 is a use-after-free in the DHCP client that allows local code execution. If your Windows network relies on DHCP—which it almost certainly does—these demand immediate attention.
SharePoint picks up two more critical RCEs: CVE-2026-50522 and CVE-2026-58644, both unsafe deserialization bugs reachable over the network. Combined with the actively exploited CVE-2026-56164, there are now three reasons to prioritize SharePoint patches this month. Other critical RCEs rated more likely to be exploited include:
- CVE-2026-54992 in Microsoft Message Queuing (MSMQ)
- CVE-2026-56188 in the Windows Server Network driver
- CVE-2026-55944 in Dynamics NAV and Dynamics 365 Business Central on-premises
- CVE-2026-55010 in Minecraft Bedrock Dedicated Server
Exchange Server and SharePoint also carry critical bugs beyond RCE: CVE-2026-55008 is a cross-site scripting spoofing flaw in Exchange, and CVE-2026-55040 is an authentication bypass in SharePoint. Both are rated “more likely” to be exploited.
Office applications account for a huge slice of the critical RCE list. Talos highlighted flaws in Word, PowerPoint, and the Office suite itself—CVE-2026-50314, CVE-2026-50467, CVE-2026-55033, CVE-2026-55127, CVE-2026-55043, CVE-2026-55123, and others. All require a user to open a malicious document, which maps neatly onto phishing campaigns. Protected View and attachment filters help but don’t eliminate the risk; patching Office across all update channels is non-negotiable.
Then there are the important-severity vulnerabilities that Microsoft nonetheless flags as “more likely” to be exploited. These are typically elevation-of-privilege bugs in the Windows kernel, Win32k, Desktop Window Manager, SMB, and the Cloud Files Mini Filter driver. Attackers often chain such flaws with an initial-access vector: a malicious document, a compromised credential, or an unpatched service lets them onto a machine, and then a kernel bug allows them to seize SYSTEM-level control. Notable entries include CVE-2026-58631, a remote code execution in Windows Admin Center, and CVE-2026-58638, a boot loader security feature bypass.
Counts, Context, and Cloud Caveats
Depending on which source you read, July’s update totals either 622 (Talos) or 570 (BleepingComputer) vulnerabilities. The difference comes down to counting: Talos includes fixes for cloud services like Azure OpenAI, Microsoft 365 Copilot, and Exchange Online that were deployed earlier in the month, while BleepingComputer focuses on the July 14 drop. Neither number is wrong—but for your organization, the real count is how many of those vulnerabilities affect the software you actually run. A pure Windows shop with no SharePoint, no Exchange, and no Dynamics will have a lighter workload than one that manages a full Microsoft stack.
Cloud-service advisories still matter even though you don’t install a patch yourself. Microsoft typically fixes its cloud platforms automatically, but you should still read the advisory for any configuration changes, tenant-level remediation steps, or indicators of compromise to check your environment.
What to Do Right Now
Patch SharePoint Server immediately, especially internet-facing farms. Enable AMSI and full request-body scanning as a temporary shield while you test the patch. The mitigation is documented in Microsoft’s advisory for CVE-2026-56164.
For AD FS, apply the patch for CVE-2026-56155 quickly, particularly if your AD FS connects to external authentication flows. Review privileged account activity for signs of compromise—Microsoft’s DART discovery suggests attackers may have already used this technique in the field.
Treat DHCP Server patches as urgent. Any unauthenticated network RCE on infrastructure that touches nearly every device in your organization is a recipe for lateral movement. Segment your network to limit exposure, but understand that segmentation only reduces risk, not eliminates it, for a service designed to hand out IP addresses broadly.
Office users: verify that Microsoft 365 Apps and any perpetual Office installations have received the July security updates. Don’t rely on Windows Update alone to cover Office; use click-to-run update channels or your patch management system to confirm.
Deploy updated Snort rules from Cisco Talos to detect exploitation attempts. The new rules cover some—but not all—of the vulnerabilities. Snort 2 rule ranges 1:66733–1:66743, 1:66745–1:66785, 1:66791–1:66793, and 1:66800–1:66807, and Snort 3 rules 1:301555–1:301579 and 1:301581–1:301583 are available. These won’t block attacks on an unpatched system but can alert you to probes in progress.
Scan for signs of prior exploitation. For SharePoint, check web server logs for unusual requests targeting known paths. For AD FS, look for suspicious logins and process creations. The BitLocker bypass might be harder to detect after the fact; if a laptop has been out of your sight, consider it potentially compromised.
Lastly, don’t forget the non-critical but “more likely” bugs. Those kernel elevation-of-privilege flaws are the kind that turn a simple malware infection into a full system compromise. Plan to roll them out in your next patch cycle, but don’t let them slip past the next maintenance window.
The Road Ahead
July 2026 sets a new benchmark for Patch Tuesday volume, and the presence of active zero-day exploitation makes it a milestone most security teams would rather avoid. With technical details still thin for the AD FS and SharePoint zero-days, we can expect further information—and possibly additional attack waves—as researchers reverse-engineer the patches. The upcoming Patch Tuesdays may seem smaller by comparison, but the trend of critical vulnerabilities in widely used infrastructure services isn’t going away. For now, the priority is clear: patch the exploited zero-days, lock down DHCP, and don’t let your Office deployment get left behind.