Microsoft's July 2026 Patch Tuesday, released on July 14, delivers fixes for a record-breaking 570 vulnerabilities, but the real story is two actively exploited zero-days that demand immediate attention. The security updates address critical flaws in SharePoint Server and Active Directory Federation Services (AD FS) that attackers are already using in the wild, according to Microsoft's advisory. For organizations still running SharePoint Server 2016 or 2019, this release is doubly critical: it's the last scheduled security update before those versions reach the end of extended support on the same day.

The Patch Tuesday Deluge: What Actually Changed

July's security release is a monster by any measure. Depending on whether you count only Patch Tuesday CVEs or all Microsoft vulnerabilities disclosed in July, the total sits between 570 and 622 flaws. BleepingComputer tallied 570 new CVEs fixed on July 14, while The Hacker News reported 622 when including out-of-band patches and Edge fixes published earlier in the month. Regardless, both numbers shatter the previous record of 206 set in June.

Microsoft classified 59 of the July 14 vulnerabilities as Critical. According to BleepingComputer's analysis, 48 of those enable remote code execution (RCE), nine permit elevation of privilege, one bypasses a security feature, and one allows spoofing. The sheer volume spans almost every corner of the Microsoft ecosystem: Windows, Office, SharePoint Server, Exchange Server, SQL Server, Azure components, Visual Studio, GitHub Copilot, Defender, and even gaming software like Age of Empires II: Definitive Edition.

The critical RCE bugs alone paint a daunting picture. Qualys highlighted unauthenticated remote-code-execution paths in SharePoint Server, Windows Secure Socket Tunneling Protocol (SSTP), Microsoft Defender, Office apps (Word, Excel, PowerPoint), OneNote, Windows Media Foundation, and the Windows DHCP client. For server admins, vulnerabilities in DHCP Server (multiple CVEs) and Windows TCP/IP (CVE-2026-54999) could enable network-based attacks if left unpatched.

Two Zero-Days Under Active Exploitation

The two vulnerabilities that override all other patching priorities are:

  • CVE-2026-56164: An elevation-of-privilege flaw in on-premises Microsoft SharePoint Server. It allows an unauthenticated attacker to gain elevated privileges over a network with no user interaction required. Microsoft has confirmed exploitation in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog. The absence of authentication makes this exceptionally dangerous for any SharePoint farm exposed to the internet or untrusted networks. Microsoft credited Mandiant and Google’s FLARE team for reporting the bug—typically a sign it was found during incident response.
  • CVE-2026-56155: An elevation-of-privilege vulnerability in Active Directory Federation Services. An attacker with local access can exploit insufficient access controls to obtain administrative privileges. While it requires initial access, a compromised AD FS server can be catastrophic, allowing control over token issuance and federation trust, potentially enabling lateral movement across an entire identity infrastructure. Microsoft’s Detection and Response Team discovered the flaw.

A third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker security-feature bypass that requires physical access. It hasn't been exploited yet, but it matters for organizations with high physical-security threat models. For most, the SharePoint and AD FS exploits are the emergency.

What It Means for You

The impact varies dramatically depending on your role and environment.

For Enterprise and IT Administrators

If you manage on-premises SharePoint Server, especially versions 2016 or 2019, you are at immediate risk. CVE-2026-56164 can be exploited by anyone who can reach the server over the network—no credentials needed. That includes internet-facing collaboration portals, extranet sites, and even internal servers if an attacker has a foothold on the perimeter. SharePoint farms often house sensitive documents and can integrate with Active Directory, making them high-value targets.

For AD FS administrators, CVE-2026-56155 is a post-compromise escalator that turns a limited breach into a domain-wide disaster. If an attacker already has local access to an AD FS server (via another exploit, phishing, or weak credentials), they can gain administrative control and potentially forge tokens, impersonate users, and access cloud resources that rely on federated identity.

Beyond these two, the massive list of RCE bugs in Windows networking components (SSTP, TCP/IP, DHCP), Office, and Defender means that unpatched systems are vulnerable to drive-by attacks, malicious documents, or network-based exploits. For example, the SharePoint RCE flaws CVE-2026-58644 and CVE-2026-50522—caused by deserialization of untrusted data—could allow unauthenticated code execution if not patched. Server admins running Hyper-V, Remote Desktop Services, Active Directory Domain Services, or SQL Server also face critical risks.

For Home Users and Small Businesses

If you manage your own Windows PCs, the primary concern is the wave of Office and Windows RCE vulnerabilities. Opening a malicious Word document, visiting a booby-trapped website, or connecting to an untrusted network could trigger exploitation. The DHCP client RCE flaw (CVE-2026-54128) could theoretically be exploited if your machine connects to a rogue DHCP server (e.g., on public Wi-Fi). The BitLocker bypass is a concern if your device is stolen. While not under active attack, these still justify a prompt update.

Home users typically don't run SharePoint Server or AD FS, so those critical zero-days pose no direct threat. However, if you use a work or school device that connects to a corporate SharePoint or federated identity, your organization's servers being compromised could expose your data.

For Developers

Developers using affected Microsoft tooling (Visual Studio, GitHub Copilot, .NET components) should update their environments. While the most urgent patches target server products, development workstations often run Visual Studio Code or SQL Server locally, and vulnerabilities in these could be exploited through malicious project files or extensions.

How We Got Here: A Record Year for Microsoft Vulnerabilities

The July 2026 Patch Tuesday didn't emerge in a vacuum. Microsoft has been on a steep vulnerability disclosure trajectory. According to PCWorld, the company patched 1,250 flaws in all of 2020—a year considered extreme at the time. By July 2026, the year-to-date count had already reached approximately 1,380, surpassing that annual record in just seven months.

Several factors may contribute to this explosion. Greater investment in security research, both internal and external, likely finds more bugs. Microsoft's expanded product portfolio (including GitHub, Azure services, and games) adds attack surface. Changes in how CVEs are assigned—sometimes splitting a class of similar flaws into separate IDs—can inflate the count without necessarily indicating a proportional increase in real risk. But for the IT teams who must test and deploy these patches, the distinction offers little comfort: each CVE represents a potential entry point that must be addressed.

The timing of the SharePoint zero-day is especially jarring because it coincides with the end of extended support for SharePoint Server 2016 and 2019. On July 14, 2026, those products received their final scheduled security update. From now on, they will no longer get monthly patches, leaving any remaining on-premises farms exposed to future vulnerabilities. Microsoft has long urged customers to migrate to SharePoint Server Subscription Edition or SharePoint Online, but many organizations have been slow to move. The active exploitation of a critical flaw on the very last day of support is a stark wake-up call.

What to Do Now: Prioritization, Mitigation, and Verification

Time is not on your side. Here's a practical action plan based on the threat landscape.

1. Patch Internet-Facing SharePoint Servers Immediately

If you run SharePoint Server on-premises and it is reachable from the internet, apply the July update today. CVE-2026-56164 is being actively exploited without authentication. If you absolutely cannot patch instantly, Microsoft provides a temporary mitigation: enable the Antimalware Scan Interface (AMSI) and set Request Body Scan mode to Full. This helps detect malicious POST requests but is not a substitute for the patch. After patching, investigate for signs of compromise, especially on servers exposed before July 14.

2. Secure Active Directory Federation Services

For AD FS servers, apply the update to address CVE-2026-56155 as soon as possible. Because this requires local access, it may not be the most imminent threat if your servers are well-isolated, but a compromise could be devastating. Review privileged group memberships and examine recent administrative activity on AD FS systems. Look for unfamiliar federation trusts or certificate changes—indicators that an attacker may have already exploited this or another vector.

3. Prioritize the Rest by Exposure, Not Severity

Not every patch can be deployed simultaneously. Begin with systems that expose the most critical services:
- Windows servers running SSTP (VPN), DHCP, Remote Desktop Gateway, or Hyper-V.
- Clients with Defender, Office, or Windows Media Foundation—these are often attacked via email or web.
- Domain controllers and Active Directory Certificate Services servers.
- Exchange Server, SQL Server, and Windows Admin Center instances.

Use vulnerability scanning tools to map which CVEs affect your specific assets. Microsoft's Security Update Guide provides a per-product drill-down.

4. Handle Office and Windows Client Updates

For managed fleets, push the July updates to test groups quickly. Key testing areas: VPN clients (due to SSTP changes), authentication workflows, storage drivers, and printing—Print Spooler fixes often cause regression. For Microsoft 365 Apps, verify that cloud-connected installations actually update; some organizations have found devices stuck on older builds.

5. Migrate Off Unsupported SharePoint Versions

If you're still on SharePoint Server 2016 or 2019, July's patch is the last you'll get. Start migration planning immediately—whether to SharePoint Server Subscription Edition or SharePoint Online. Even if you patched this month, the next zero-day for these legacy platforms will leave you defenseless.

6. Verify, Don't Assume

After deployment, confirm that the correct KB numbers and OS builds are installed. A green checkmark in WSUS or ConfigMgr doesn't always mean the patch took effect. Spot-check critical servers manually, and run a post-patch vulnerability scan to catch any missed systems.

Outlook: The New Normal?

With 1,380 vulnerabilities fixed in seven months, 2026 is on track to more than double any previous annual record. The August 11, 2026 Patch Tuesday will likely bring another large batch. Organizations must streamline their patch management: automate deployment where possible, prioritize by active exploitation, and reduce the attack surface by decommissioning unsupported software. The SharePoint support cliff is immediate, but the lesson applies broadly: legacy systems become liabilities faster than ever. For now, patch SharePoint and AD FS, then work through the list with urgency. This is not just another Patch Tuesday—it's a stress test for your security posture.