Microsoft Patches Record 622 Flaws in July Patch Tuesday
Microsoft released its largest Patch Tuesday update on record, addressing a total of 622 vulnerabilities. This update is more than triple the size of the previous high of around 200 vulnerabilities fixed in June. Among the 622 vulnerabilities, two are zero-day flaws that are already being actively exploited by attackers.
Two Zero-Day Exploits Highlight Urgent Patches
The two zero-day vulnerabilities are elevation-of-privilege flaws in critical infrastructure components:
-
CVE-2026-56164: Affects on-premises SharePoint Server and allows unauthenticated attackers to escalate privileges remotely. This flaw was discovered by Mandiant's incident responders and Google's FLARE team during active attacks. Organizations running self-hosted SharePoint are urged to prioritize this patch, especially as SharePoint Server 2016 and 2019 reach the end of extended support today.
-
CVE-2026-56155: Affects Active Directory Federation Services (AD FS) and allows authenticated attackers to escalate privileges locally. This flaw was identified by Microsoft's DART incident-response unit. AD FS is critical for signing login tokens, making this vulnerability a high priority despite its "local" classification.
Neither of these vulnerabilities is currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but Microsoft has marked them as exploited. Organizations are advised not to wait for official KEV listings to begin remediation.
Additional Notable Vulnerabilities
-
CVE-2026-50661: A publicly disclosed but not yet exploited BitLocker bypass vulnerability. While it requires physical access to a device, it continues a trend of BitLocker bypasses discovered in recent months.
-
CVE-2026-55040: A SharePoint JWT authentication bypass disclosed by Rapid7 Labs. This vulnerability was part of a chain used to achieve unauthenticated remote code execution (RCE). Microsoft plans to patch the RCE component in August, making the July bypass fix critical to breaking the attack chain.
Kerberos RC4 Deprecation
This update also completes Microsoft's multi-year effort to harden Kerberos by removing support for RC4 encryption. After this update, RC4 will only work for accounts explicitly configured to allow it. Organizations must audit their environments for RC4 usage, rotate passwords for affected service accounts, and ensure compatibility before applying the update to avoid authentication failures.
Why July Set a Record
July is typically a light month for Microsoft updates, making this record-breaking release particularly notable. Windows alone accounts for 416 of the 622 vulnerabilities, with 95 remote code execution flaws identified. Other affected products include Office, Microsoft Edge, SharePoint Server, and Exchange Server.
Microsoft attributes the surge in vulnerabilities to AI-driven tools like MDASH, which have helped uncover more issues. However, this also means attackers can quickly reverse-engineer patches to develop exploits, reducing the time organizations have to apply updates safely.
Key Takeaways for Organizations
- Prioritize patches for actively exploited vulnerabilities: Focus on the two zero-day flaws (CVE-2026-56164 and CVE-2026-56155) and other high-risk issues.
- Audit and prepare for RC4 deprecation: Ensure no critical services rely on RC4 encryption before applying the update.
- Adapt to faster patching cycles: The increasing volume and complexity of vulnerabilities require organizations to accelerate their patch management processes.