Microsoft's July 2026 Patch Tuesday, released this afternoon, fixes a record-breaking 570 security flaws, including two zero-days that attackers are already exploiting in the wild. It is the largest single Patch Tuesday Microsoft has ever shipped, eclipsing last month's record, and 59 of the flaws are rated critical. The two actively exploited bugs are both privilege-escalation flaws, one in Active Directory Federation Services and one in SharePoint Server, and a third publicly disclosed zero-day bypasses BitLocker. Our read: the eye-catching number matters less than the two zero-days already under attack, and those are what you patch tonight.
- 570 fixed flaws make this the biggest Patch Tuesday on record; 59 are critical, and 48 of those are remote code execution bugs.
- Two zero-days are under active exploitation: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server, both elevation-of-privilege flaws.
- A third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker security-feature bypass that requires physical access to the device.
- Microsoft attributes part of the surge to a new AI-powered vulnerability-discovery system, and the 570 count excludes 468 Chromium flaws Google patched separately in Edge.
What did Microsoft fix this month?
The July update covers 570 vulnerabilities across Windows, Office, SharePoint, Azure, Visual Studio, and Microsoft's identity stack, making it the single largest Patch Tuesday the company has shipped. Fifty-nine carry a critical rating, and the split inside that critical tier is what should worry defenders: 48 are remote code execution, nine are elevation of privilege, one is a security-feature bypass, and one is spoofing. Across the full 570, elevation-of-privilege flaws lead at 254, followed by 145 remote code execution, 102 information disclosure, 35 denial of service, 17 security-feature bypass, and 16 spoofing. That elevation-of-privilege dominance is the modern intrusion pattern in miniature: attackers rarely need a single magic RCE when they can phish a low-privileged foothold and then chain a local privilege escalation to own the machine.
RelatedProgress Confirms ShareFile Zero-Day Behind Server Shutdown
Which zero-days are being exploited right now?
Two of the three zero-days are confirmed under active attack, and both let an attacker climb from limited access to control. CVE-2026-56155 is an elevation-of-privilege flaw in Active Directory Federation Services, rated Important and credited to Microsoft's Detection and Response Team, which typically means it was found while investigating a live intrusion. It lets an authorized attacker elevate privileges locally, and because ADFS brokers single sign-on across an organization's cloud and on-premises apps, a compromise there is a route to impersonating users org-wide. CVE-2026-56164 is an elevation-of-privilege bug in SharePoint Server, rated Moderate but more dangerous in practice because it is exploitable over the network by an unauthenticated attacker. Microsoft's mitigation guidance is specific: enable the Antimalware Scan Interface and set Request Body Scan to Full, which blunts exploitation on servers that cannot be patched immediately.
| Zero-day | ADFS | SharePoint | BitLocker |
|---|---|---|---|
| CVE | CVE-2026-56155 | CVE-2026-56164 | CVE-2026-50661 |
| Type | Elevation of privilege | Elevation of privilege | Security bypass |
| Severity | Important | Moderate | Important |
| Status | Actively exploited | Actively exploited | Publicly disclosed |
| Vector | Local | Network, unauth | Physical access |
Why does the BitLocker flaw matter despite needing physical access?
CVE-2026-50661 is a BitLocker security-feature bypass that Microsoft says was publicly disclosed before a patch existed, and while it demands physical access, that is not the reassurance it sounds like. An attacker who can hold the target device can read data on an otherwise fully encrypted drive, which is exactly the threat model for a stolen or seized laptop, a border inspection, or a targeted "evil maid" attack against an executive's machine left in a hotel room. Full-disk encryption is the last line of defense when hardware leaves your control, so a bypass undermines the one control most organizations rely on for lost-device risk. It is rated Important rather than critical because it is not remotely exploitable, but for anyone whose threat model includes device theft, it belongs high on the patch list.
What is driving the record 570-flaw count?
Microsoft attributes part of the jump to a new AI-powered vulnerability-discovery system, and that detail reframes the whole release. A rising CVE count is usually read as software getting worse, but here it partly reflects the vendor's own machine tooling surfacing more latent bugs before attackers do, which is arguably the count getting healthier even as it gets scarier. The number is also narrower than it looks: it excludes flaws already fixed earlier in cloud services such as Azure OpenAI, Exchange Online, and M365 Copilot, and it does not include the 468 Chromium vulnerabilities Google patched separately in Microsoft Edge. The uncomfortable flip side is volume as a defensive problem. When a single month ships 570 fixes, no team triages all of them, so the ability to quickly separate the two exploited zero-days from the long tail is now the core patch-management skill.
RelatedOpenAI Mandates Hardware Passkeys for Cyber Access
What should IT teams patch first?
Prioritize the two actively exploited zero-days over everything else, because those are the flaws attackers are using today rather than theoretically. Patch the Active Directory Federation Services and SharePoint Server bugs first; if a SharePoint server cannot be updated at once, apply Microsoft's interim mitigation of enabling AMSI and setting Request Body Scan to Full. Next, work the 48 critical remote code execution flaws, focusing on any internet-facing service, then the BitLocker bypass on laptops and any device that leaves a controlled environment. Treat the remaining hundreds as normal cadence patching. The winning move this month is not patching everything at once, it is patching the right handful tonight and letting automation handle the rest.
- CISA KEV. Whether CVE-2026-56155 and CVE-2026-56164 land on the Known Exploited Vulnerabilities catalog with a federal remediation deadline, which they almost certainly will.
- SharePoint scanning. Whether internet-wide exploitation of the unauthenticated SharePoint bug spikes now that the patch reveals the flaw to reverse-engineers.
- The AI-discovery trend. Whether Microsoft's machine-found bug count keeps inflating future Patch Tuesdays, and whether other vendors follow.
- BitLocker proof-of-concept. Whether public exploit code for the physical-access bypass appears, raising the risk for stolen-device scenarios.
Our take
The 570 headline will do the rounds, but it is the least important fact in this release. Record counts are becoming routine precisely because vendors are pointing AI at their own code, and a bigger number found by the defender is not the same crisis as a bigger number found by attackers. What actually demands action is small and specific: two privilege-escalation zero-days already being exploited, one in the identity layer that federates your logins and one reachable over the network without credentials. Those two, plus the 48 critical RCEs, are the night's work. The BitLocker bypass is a reminder that encryption is not magic once hardware leaves your hands. If there is a durable lesson here, it is that patch management has inverted: the scarce skill is no longer applying updates but ruthlessly ranking them, because when 570 fixes ship at once, treating them as equal is the same as triaging none.
- OfficialMicrosoft Security Update Guide the authoritative per-CVE advisories and affected builds
- KEVCISA Known Exploited Vulnerabilities federal remediation deadlines for the exploited zero-days
- ContextGenZTech CVE watchlist what is actively exploited right now
Original analysis by GenZTech. Reporting informed by BleepingComputer.
