On July 14, 2026, Microsoft dropped one of its largest Patch Tuesday releases in recent memory, addressing 570 security flaws across Windows, Office, and enterprise services — including two vulnerabilities already being exploited in the wild. The actively attacked bugs target SharePoint servers and Active Directory Federation Services (ADFS), putting organizations that rely on these platforms at immediate risk. The massive update, which also patches critical issues in gaming components, PC firmware, and server management controllers, arrives as the tech giant’s AI-enhanced bug-busting tools uncover a record number of flaws.

The Two Zero-Days You Can’t Afford to Ignore

The most urgent items in July’s patch batch are CVE-2026-56164 and CVE-2026-56155. Microsoft’s Security Update Guide confirms both are being actively exploited.

CVE-2026-56164 affects SharePoint Server. Microsoft describes the vulnerability as a network-based attack vector where insufficient authentication could allow an unauthenticated attacker to gain access to a SharePoint farm. If your SharePoint servers are internet-facing or accessible over internal networks with sensitive data, this should top your remediation queue. Exploitation doesn’t require user interaction — just a reachable server.

CVE-2026-56155 hits Active Directory Federation Services. While exploitation requires an attacker to already have some level of access, ADFS is the identity gatekeeper for countless enterprise apps and cloud services. A successful breach here can unlock lateral movement across your entire directory. Treat every federation server as a priority, not a back-burner item.

The correct patch isn’t a one-size-fits-all KB number. It depends on your exact SharePoint edition, build, and servicing branch, or your Windows Server version and ADFS deployment. Head to the Microsoft Security Update Guide, plug in your product and version, and download the matching cumulative update. After installing, verify that every server in a SharePoint farm is on the same patch level and test a normal sign-in flow against a non-production relying party for ADFS.

Beyond the Zero-Days: A Broadening Attack Surface

The July Patch Tuesday isn’t just about the two zero-days. The 570-vulnerability haul, as counted by BleepingComputer, includes 59 rated critical. Several of them directly affect gamers, home users, and the hardware layer beneath Windows.

Gaming Platforms Join the Fray

CVE-2026-55010 is a critical heap-based buffer overflow (CVSS 9.8) in the Minecraft Bedrock Dedicated Server. It’s reachable over the network without authentication or user interaction. This isn’t a threat to every Bedrock player — it targets self-hosted or third-party server instances. If you run a Bedrock server, especially one exposed to the internet, stop what you’re doing and update. Download the latest server package from Minecraft’s official page, verify its hash, and restrict inbound connections to known player networks. Microsoft hasn’t reported active exploitation of this CVE yet, but a CVSS 9.8 and no-auth access is a red flag.

Age of Empires II: Definitive Edition gets its own security fix with CVE-2026-50663 (CVSS 8.8). Versions before 101.103.46651.0 are vulnerable to a relative path manipulation attack that can lead to code execution if a user opens a maliciously crafted map or mod. Update through Steam, the Microsoft Store, or the Xbox app, and double-check the build number afterward.

CVE-2026-50382 (CVSS 8.8) affects DirectX and related Windows components. It’s a local privilege escalation — an attacker who already has low-level access to your PC could exploit it to run arbitrary code. While not internet-facing, it’s a valuable step in a multi-stage attack chain. Patch this by installing the latest Windows cumulative update on all endpoints, especially shared or gaming rigs.

Firmware-Level Threats from Lenovo and Supermicro

Lenovo’s security bulletin LEN-220440 addresses five BIOS vulnerabilities (CVE-2026-10587 through CVE-2026-25271) that affect consumer and gaming laptops, including Legion and LOQ models. These flaws reside in System Management Mode (SMM), a privileged execution environment that OS-based security tools can’t easily monitor. Attackers need local administrator access to exploit them, but if malware gets that far, an SMM backdoor can persist through OS reinstalls. Owners of affected devices should match their exact machine type against Lenovo’s bulletin and flash the firmware update immediately. Before you start, back up your BitLocker recovery key and plug in the charger.

Supermicro’s CVE-2026-3821 (CVSS 8.8) is a baseboard management controller (BMC) vulnerability that affects many X13, H12, H13, and H14 motherboards. An authenticated user with low privileges could execute arbitrary code on the BMC over the network. A compromised BMC gives an attacker remote console access, power controls, and the ability to mount media — completely bypassing the operating system. Admins should match their motherboard model and BMC revision to Supermicro’s advisory, update the firmware in a maintenance window, and ensure BMC interfaces sit on a dedicated management network, never the public internet.

How We Got Here: The Expansion of Microsoft’s Patch Tuesdays

July’s 570 CVEs aren’t a one-off anomaly. Microsoft has been integrating AI into its security research pipeline, and both TechCrunch and SecurityWeek reported that the company credited its internal AI tools with finding a large chunk of the latest flaws. The sheer volume is partly a reflection of better automated fuzzing and broader coverage. On top of that, Microsoft now bundles patches for Edge, Office, .NET, and even third-party Chromium vulnerabilities into its monthly roll-ups, inflating the total compared to years past.

This trend means that “Patch Tuesday” is no longer a simple Windows update. It’s a sweeping remediation event that touches enterprise collaboration (SharePoint), identity (ADFS), gaming servers (Minecraft), desktop gaming (Age of Empires II, DirectX), endpoint encryption (BitLocker), and the firmware underpinning laptops and data-center hardware. The modern Windows ecosystem is huge, and attackers are probing every seam.

What to Do Now: Your Priority Patching Checklist

Because the update lacks a universal KB number, use Microsoft’s Security Update Guide as your source of truth. Here’s a practical order of operations:

Priority Component Action Verification
Immediate SharePoint servers Apply the update identified for your exact SharePoint edition/build in Microsoft’s Security Update Guide. Update every server in the farm. All farm members show the same patch level; test document access and collaboration workflows.
Immediate ADFS servers Apply the update for your Windows Server version/ADFS role. Validate a test sign-in against a non-production relying party.
High Minecraft Bedrock Dedicated Server Download the latest Windows server package from Minecraft.net, cleanly deploy it with your world/config files, and record its hash. Compare the deployed bedrock_server.exe version with the advisory’s fixed version; restrict network access.
High All Windows endpoints (includes DirectX, BitLocker) Install the latest cumulative security update via Windows Update, WSUS, or Configuration Manager. Check for the monthly Quality Rollup in Update History; verify BitLocker recovery keys are escrowed.
Moderate Age of Empires II: Definitive Edition Update through your game platform (Steam, Microsoft Store, Xbox app) to at least version 101.103.46651.0. In-game or launcher, confirm the build number.
Moderate Lenovo laptops (Legion, LOQ, etc.) Match your machine type to bulletin LEN-220440, download the BIOS update from Lenovo Support. After flashing, check BIOS version in Lenovo Vantage or msinfo32.
Moderate Supermicro BMC Match your motherboard model/revision to Supermicro’s advisory, apply the firmware in a maintenance window. After reboot, verify BMC firmware version; test console and health reporting functionality.

For SharePoint and ADFS specifically, do not rely on automatic update approximations. The menu in Microsoft’s Security Update Guide lets you select the exact product edition, servicing branch, and build to get the right patch. Record the KB or cumulative update name for change control, and after deployment, use Get-HotFix or Windows Update history to confirm success. If you discover a farm member that missed the patch, bring it in line immediately — mixed patch levels can cause instability.

Gamers and home users need not panic about the Minecraft server or Supermicro BMC unless they actually run those services. However, every Windows PC should get the monthly cumulative update to snag the DirectX and BitLocker fixes. And if you have a Lenovo laptop, checking your model against LEN-220440 is free and quick.

Outlook

This Patch Tuesday underscores that modern Windows security is a multi-layered beast. The same monthly update can save a SharePoint farm from remote takeover, lock down a Minecraft server, and prevent a BIOS implant. As Microsoft’s AI tooling matures, expect patch loads to stay large — and expect to see gaming, firmware, and management-plane vulnerabilities regularly appear alongside traditional OS fixes. The smart move for admins and power users is to stop thinking in terms of “Windows update” and start thinking in terms of “ecosystem update.” Prioritize by reachability and privilege, not by product family, and you’ll stay ahead.