Microsoft Releases 622 Security Fixes, Including Two Exploited Zero-Days

Microsoft’s July security release addresses 622 unique vulnerabilities, making it the company’s largest Patch Tuesday update to date. Two of the flaws are zero-days that Microsoft says attackers are a...

Microsoft’s July security release addresses 622 unique vulnerabilities, making it the company’s largest Patch Tuesday update to date. Two of the flaws are zero-days that Microsoft says attackers are already exploiting, while a third was publicly disclosed but has not been linked to active attacks.

Priority fixes affect SharePoint and AD FS

The most urgent issue for organizations running on-premises SharePoint is CVE-2026-56164, an elevation-of-privilege vulnerability that can be exploited remotely without authentication or user interaction. Microsoft credited Mandiant and Google’s FLARE team with reporting the issue and confirmed that it is being used in attacks. Administrators can also reduce exposure by enabling AMSI in Full Mode.

The second exploited flaw, CVE-2026-56155, affects Active Directory Federation Services. An authenticated attacker could use weak access controls to elevate privileges locally. Although the vulnerability is classified as local, compromise of an AD FS server could have broader consequences because the system issues authentication tokens trusted across an organization.

Neither vulnerability had been added to CISA’s Known Exploited Vulnerabilities catalog at the time of publication. Microsoft’s exploited status designation should nevertheless be treated as sufficient reason to prioritize remediation.

Other notable issues

  • CVE-2026-50661 is a publicly disclosed BitLocker bypass requiring physical access to a device.
  • CVE-2026-55040 is a SharePoint JWT authentication bypass disclosed by Rapid7. The researchers demonstrated how it could be combined with an unpatched remote-code-execution flaw, expected to receive a fix in August.
  • The release removes the rollback switch for Kerberos RC4 deprecation. Organizations should review audit events, identify service accounts still using RC4, and rotate credentials to generate AES keys before deploying the update.

Windows accounts for 416 of the listed issues, while Office has 82 and Edge 46. The release also includes vulnerabilities in developer tools, Azure, SQL Server, Exchange Server, Defender, and SharePoint. Notable entries include a Windows VMSwitch remote-code-execution flaw rated 9.9 and SQL Server RCE vulnerabilities rated 8.8.

Microsoft attributed the unusually high volume partly to expanded automated security testing. The size of the update also reinforces the need for risk-based prioritization: active exploitation, internet exposure, authentication infrastructure, and dependencies that could disrupt operations should guide deployment order more than severity scores alone.