Microsoft releases patches for 622 flaws, including two actively exploited Zero-day
- Evelyn Carter

- 1 day ago
- 4 min read
On July 14, 2026, Microsoft released security updates addressing 622 vulnerabilities, including 416 flaws affecting Windows. Two zero-days, CVE-2026-56164 in Microsoft SharePoint Server and CVE-2026-56155 in Active Directory Federation Services are being actively exploited and have been added to CISA’s Known Exploited Vulnerabilities Catalog.
The scale of the July 2026 release creates a significant testing and deployment workload for IT teams. However, the presence of 622 vulnerabilities does not mean organizations should prioritize remediation solely according to CVSS scores or Critical severity labels.
What happened in Microsoft patch tuesday July 2026?
Microsoft released updates for 622 vulnerabilities across Windows and multiple products in its broader ecosystem. Rapid7 reported that 416 of the flaws affect Windows, while Cisco Talos noted that Microsoft classified 57 vulnerabilities in the release as Critical.
Microsoft confirmed that two vulnerabilities—CVE-2026-56164 and CVE-2026-56155—have already been exploited in real-world attacks. CVE-2026-50661, a Windows BitLocker vulnerability, had also been publicly disclosed before patches became available, although there is no confirmation of widespread exploitation.
CVE | Affected Component | Status | Main Exploitation Requirement | Recommended Priority |
CVE-2026-56164 | Microsoft SharePoint Server | Actively exploited; listed in CISA KEV | Remote exploitation without authentication | Emergency |
CVE-2026-56155 | Active Directory Federation Services | Actively exploited; listed in CISA KEV | Attacker requires existing local access | Emergency |
CVE-2026-55040 | Microsoft SharePoint Server | Publicly disclosed; no confirmed widespread exploitation | JWT authentication bypass | High |
CVE-2026-50661 | Windows BitLocker | Publicly disclosed | Requires physical access to the device | Based on asset risk |
The July release is also substantially larger than Microsoft’s June 2026 security update, which addressed more than 200 vulnerabilities. Monitoring consecutive Patch Tuesday releases can help organizations assess the growing patch-management workload and adjust their testing, deployment, and post-update monitoring capabilities.

Why should the SharePoint and AD FS Zero-day be prioritized?
CVE-2026-56164 is a missing-authentication vulnerability affecting a critical function in Microsoft SharePoint Server. It allows an unauthorized attacker to elevate privileges over a network without requiring an account or user interaction.
Affected products include SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. CISA recommends that organizations inspect on-premises SharePoint deployments, install the latest security updates, and verify the integration of Antimalware Scan Interface, or AMSI, to improve inspection of potentially malicious web requests.
Organizations operating on-premises SharePoint environments should also review IPSIP Vietnam’s analysis of critical Microsoft SharePoint vulnerabilities. The analysis provides additional context on why SharePoint servers are frequently targeted and which security controls should be reviewed after patching.
What should organizations do immediately after Microsoft releases the patches?
Organizations should separate the response into two workstreams: emergency remediation of actively exploited vulnerabilities and controlled testing of the operational impact caused by Kerberos changes.
Delaying the entire update cycle while assessing RC4 compatibility could unnecessarily extend the exposure window for SharePoint and AD FS systems.
24-Hour response checklist
Identify all SharePoint Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition, and AD FS servers.
Determine which SharePoint servers are exposed to the Internet or accessible from lower-trust network zones.
Prioritize patches for CVE-2026-56164 and CVE-2026-56155 through the emergency change-management process.
Verify that AMSI is enabled on on-premises SharePoint servers.
Review Event IDs 1132 and 1133, along with alerts associated with the AD FS Distributed Key Manager container.
Preserve IIS, SharePoint, Windows Security, PowerShell, and AD FS logs before they are rotated or overwritten.
Search for newly created accounts, unusual privilege changes, web shells, and suspicious PowerShell processes.
Test applications that rely on Kerberos service accounts after applying the updates.
Compare the organization’s asset inventory with the CISA KEV Catalog instead of relying only on CVSS scores.
What does the IPSIP Vietnam expert perspective highlight?
SharePoint commonly stores internal documents, project records, collaborative data, and approval workflows. AD FS is part of the trust chain used by many enterprise applications.
A security incident involving either platform can affect sensitive data, access control, single sign-on operations, and the continuity of critical business processes.
Patch prioritization should therefore be based on exploitation status, system exposure, asset criticality, and the attacker’s ability to expand privileges. CVSS remains a useful reference, but it should not be used as the only remediation criterion.
What can organizations implement internally?
Internal security and IT teams should begin with asset inventory, risk-based patch management, least-privilege access, and centralized monitoring.
SharePoint and AD FS servers should be placed in appropriate network segments, with administrative ports restricted and unnecessary direct Internet access removed.
Organizations should also exercise incident-response scenarios involving web shells, newly created administrator accounts, and abnormal authentication tokens. The objective is to reduce the time between alert generation, system isolation, evidence preservation, and confirmation of the affected scope.
Giải pháp nào của IPSIP Việt Nam phù hợp?
The 24/7 Security Operations Center is suitable for organizations that need centralized log collection and correlation across SharePoint, AD FS, Windows Server, and network security devices. Continuous monitoring can help detect post-compromise activity that patch installation alone cannot remove.
Penetration Testing services can help validate whether exploitable paths remain between SharePoint, identity infrastructure, and critical data assets. The assessment scope should be clearly defined and performed under controlled conditions to reduce operational risk to production systems.
IT Helpdesk and IT Operations Management are appropriate for organizations that lack the internal resources required to inventory systems, test updates, deploy patches in stages, and monitor compatibility issues. Operational support becomes particularly important when security updates, Kerberos RC4 dependencies, and SharePoint upgrade planning must be addressed at the same time.

Microsoft Patch Tuesday July 2026 demonstrates that vulnerability management is no longer a matter of installing every available patch in the same order.
The immediate priority is to patch the two actively exploited zero-days, investigate indicators of compromise, and review Kerberos RC4 dependencies. Over the longer term, organizations should replace unsupported products, improve asset inventories, and adopt a remediation process based on real-world risk.
References










Comments