On July 14, Microsoft unloaded a record-breaking 570 security fixes across its product portfolio — the largest Patch Tuesday in the company’s history. Two of the vulnerabilities are zero-days already being exploited in attacks against Active Directory Federation Services (AD FS) and SharePoint Server, while a third publicly disclosed flaw could allow a BitLocker encryption bypass with physical device access. For home users, the immediate step is straightforward: run Windows Update. For organizations running the affected services, this is a patch-now event with additional hardening steps required beyond the standard cumulative update.
The active threats: two zero-days under exploitation
The most urgent item in the July 2026 release is CVE-2026-56155, an elevation-of-privilege bug in AD FS. According to Microsoft’s advisory, an authorized local attacker can exploit insufficient access controls to gain administrative rights on the system. The flaw was discovered by Jeremy Kingston and Scott Clark of the Microsoft Detection and Response Team (DART) — an origin that strongly suggests it was spotted during active incident investigations. Microsoft has confirmed exploitation in the wild but has not shared indicators of compromise, attack scope, or the initial access vector, leaving defenders to operate without the forensic breadcrumbs they normally rely on. The fix involves more than the monthly rollup: administrators must also apply specific hardening to the Access Control List of the Distributed Key Manager container per guidance in KB5121391.
The second exploited zero-day, CVE-2026-56164, targets on-premises SharePoint Server. Missing authentication for a critical function permits an unauthenticated attacker to escalate privileges over the network. Researchers from Mandiant Incident Response, Google Cloud, and FLARE OTF, along with an anonymous contributor, are credited with the discovery. The remote attack surface makes this flaw especially dangerous for internet-facing SharePoint farms. While the patch is the ultimate defense, Microsoft offers a temporary mitigation: enable Antimalware Scan Interface integration on SharePoint and set Request Body Scan mode to “Full.” Organizations that cannot patch immediately should treat this as an emergency workaround and actively hunt for signs of compromise on their SharePoint servers.
The publicly disclosed BitLocker bypass
A third zero-day, CVE-2026-50661, was publicly disclosed before a fix was ready, though Microsoft says it has seen no active exploitation. The vulnerability is a security-feature bypass in Windows BitLocker: an attacker with physical access to the device could potentially defeat encryption on the system drive and extract data. Physical-access requirements drastically reduce the risk for most desktop users, but the threat model flips for company laptops, shared workstations, and devices traveling through airports or handled by untrusted staff. If you carry sensitive data on a portable Windows machine, apply the update without delay.
Counting the record: what 570 really means
BleepingComputer broke down the 570 CVEs into 254 elevation-of-privilege flaws, 145 remote-code-execution bugs, 102 information-disclosure vulnerabilities, 35 denial-of-service issues, 17 security-feature bypasses, and 16 spoofing problems. Fifty-nine are rated Critical, the bulk of them remote code execution. But the number is neither static nor uniform: Tenable reports 569 CVEs, SecurityWeek tallied 622. The discrepancies come from how analysts count duplicates, product entries, Chromium fixes inherited by Edge, and updates shipped outside the main Tuesday window. BleepingComputer explicitly excluded fixes for earlier July issues in Azure OpenAI, Microsoft 365 Copilot, Exchange Online, and Edge for Android, which pushes their count lower than some peers.
Operationally, the precise total matters far less than the quality of the patches. Wrapped into this enormous release are fixes that touch the deepest parts of the Windows ecosystem — from the kernel and networking stack to identity services and encryption. And Microsoft has warned that a networking hardening change may break applications that use sockets over unregistered third-party Transport Driver Interface (TDI) transports. Organizations with legacy security, industrial, or custom networking software should include those apps in their testing rings, but compatibility concerns must not become an excuse to delay patching externally exposed SharePoint or AD FS systems.
Why so many patches? The AI factor
The jump from roughly 200 fixes in June to 570 in July does not signal a sudden collapse in code quality. Microsoft has been transparent about its growing use of AI-assisted vulnerability discovery to find flaws before attackers do. More aggressive internal hunting naturally produces a larger patch batch, at least in the short term, while reducing the long-term attack surface. For users and IT teams, the immediate consequence is a heavier monthly burden — and a strong reminder that automated discovery doesn’t remove the need for rapid, well-tested deployment.
Windows 11 builds advance with cumulative updates
Two Windows 11 cumulative updates anchor the desktop side of Patch Tuesday:
- Windows 11 24H2 and 25H2 receive KB5101650, advancing to OS builds 26100.8875 and 26200.8875 respectively.
- Windows 11 23H2 gets KB5099414, moving to build 22631.7376.
Microsoft says it is not currently aware of any issues with either update, but as always, that statement can change as telemetry rolls in. Enterprise administrators should continue staged rollouts and monitor the Windows release health dashboard.
These cumulative updates carry more than just CVE fixes. The built-in curl tool has been upgraded to version 8.21.0. Remote Desktop now supports SHA-2 certificate thumbprints for trusted RDP publishers; SHA-1 remains available for backward compatibility but is slated for eventual removal, giving admins another reason to audit their .rdp files and Certificate Trust Lists.
A less visible but potentially disruptive change affects older networking software. After installing July’s updates, applications that rely on sockets over unregistered third-party TDI transports may stop working. Registered TDI transports are fine, but if your organization depends on industrial systems, legacy VPN clients, or custom security tools that hook directly into the networking stack, this is a testing priority.
The update also continues the ongoing rollout of replacement Secure Boot certificates, which began expiring in June 2026. Most consumer devices will receive the new certificates automatically through Windows Update. Managed fleets, however, should verify certificate readiness rather than assuming the automatic path covers every endpoint.
What to do now: actions for different audiences
For home users and small businesses:
- Open Settings > Windows Update > Check for updates and install the latest cumulative update.
- Because Windows updates are cumulative, installing the current patch also brings in any earlier fixes you missed.
- If you carry a laptop with BitLocker-enabled drives, treat this update as urgent to close the physical-access bypass.
For enterprise administrators and IT staff:
- Prioritize AD FS and SharePoint Server immediately. Exploitation is confirmed, and both products have remediation steps beyond the general update. For AD FS, apply the DKM container ACL hardening outlined in KB5121391. For SharePoint, either patch now or enable the AMSI mitigation while planning a rapid deployment.
- Use a phased deployment order: patch exposed identity and collaboration servers first, review logs and endpoint telemetry for unusual activity, then accelerate workstation and general server rings after application compatibility checks.
- Look for breakage from the TDI networking deprecation on machines running legacy networking or industrial software. Include those applications in the first test ring so you can catch failures before broad rollout.
- Audit RDP publisher certificates for SHA-1 reliance and begin planning the transition to SHA-2.
- Check the status of Secure Boot certificates on managed devices to ensure the rollout has been received; some machines may require manual intervention.
For developers:
- If your software uses Windows sockets over TDI transports, verify compatibility with the July builds and switch to registered transports if needed.
- Note the curl version bump to 8.21.0 if your app bundles or depends on a specific libcurl version.
The larger context: end-of-servicing dates loom
Two support deadlines intensify the urgency: Windows 11 24H2 Home and Pro editions reach end of servicing on October 13, 2026, while Windows 11 23H2 Enterprise and Education hit that wall on November 10, 2026. Organizations still on these versions must manage both an emergency patching cycle and a migration to newer releases that will continue receiving security fixes after the autumn cutoff. If you’re still on 23H2 or 24H2, the July Patch Tuesday is a sharp reminder that the clock is ticking.
Outlook: what to watch next
Expect Microsoft to continue using AI-driven vulnerability discovery, which may keep monthly patch counts elevated. The transparency around that process is positive, but it places a sustained operational load on IT teams. At the same time, the end-of-servicing dates for older Windows 11 versions are creating a hard deadline for businesses that have delayed feature updates. In the coming months, watch for any guidance on the BitLocker bypass — if exploitation becomes active, the risk calculus changes for every mobile worker. For now, the most consequential takeaway is that two zero-days are already in an attacker’s toolkit. Patching those should be every admin’s immediate priority.