Microsoft Releases 622 Security Fixes, Including Two Zero-Days Under Attack

Microsoft’s July 2026 security update addresses 622 vulnerabilities across its product portfolio, making it the company’s largest Patch Tuesday release to date. Two of the flaws were reportedly exploi...

Microsoft’s July 2026 security update addresses 622 vulnerabilities across its product portfolio, making it the company’s largest Patch Tuesday release to date. Two of the flaws were reportedly exploited in the wild before patches became available.

The exploited vulnerabilities affect Active Directory Federation Services and SharePoint Server. CVE-2026-56155 is a local privilege-escalation issue in AD FS that could enable an attacker to obtain administrator-level rights. CVE-2026-56164 affects SharePoint Server and can be exploited remotely over a network without authentication, also for privilege escalation.

Microsoft also highlighted CVE-2026-50661, a BitLocker security-feature bypass vulnerability. The issue was publicly disclosed before the monthly update and requires physical access to the targeted device, potentially allowing an attacker to circumvent certain disk-encryption protections. Security researchers have speculated that the disclosure may be connected to a series of vulnerabilities attributed to a researcher using the names Nightmare-Eclipse or Chaotic-Eclipse, although Microsoft has not confirmed that link.

Broad product coverage

According to Microsoft’s release information, Windows accounts for 416 of the patched vulnerabilities, while Office accounts for 164. The remaining fixes cover products and services including Azure, Defender, Exchange Server, Edge, SQL Server and developer tools.

Several additional vulnerabilities received heightened attention from security researchers. They include a critical Windows VMSwitch flaw, CVE-2026-57092, rated 9.9 on the CVSS scale, as well as critical SharePoint issues rated 9.8. Other notable problems include a cross-site scripting vulnerability in Exchange Server and remote-code-execution flaws affecting Remote Desktop Protocol, Windows DHCP Server, the Windows Server network driver and Minecraft Bedrock Dedicated Server.

The unusually high volume follows Microsoft’s disclosure that artificial intelligence is helping accelerate vulnerability discovery. Windows executive vice president Pavan Davuluri said the company is using a multi-model, agent-based scanning system known as MDASH to examine the Windows codebase and identify defects earlier in development.

Organizations should prioritize the two exploited vulnerabilities and the publicly disclosed BitLocker issue, then evaluate the remaining fixes according to product exposure, exploitability and business impact. Adobe separately issued patches for 88 vulnerabilities during the same update cycle, including critical defects in ColdFusion, Commerce, Experience Manager and Illustrator.