Microsoft Patch Tuesday July 2026: 570 Vulnerabilities Fixed

Microsoft Patch Tuesday July 2026 has set a new record, delivering patches for 570 vulnerabilities across the Microsoft product landscape. This update includes fixes for three zero-day vulnerabilities, two of which are already under active exploitation. Organisations running SharePoint Server, Active Directory Federation Services (AD FS), or relying on Windows BitLocker should review the risks closely and prioritise patching.

Record Number of Vulnerabilities in July 2026 Microsoft Patch Tuesday

On 14 July 2026, Microsoft released its largest Patch Tuesday update to date, addressing a staggering 570 unique security flaws. This follows the previous record of 206 vulnerabilities patched in June 2026. The July release covers a broad array of Microsoft products and services, including:

  • Windows operating systems (client and server)
  • Microsoft Office and Office 365
  • SharePoint Server
  • Active Directory Federation Services (AD FS)
  • Remote Desktop Services
  • Windows Admin Center

The vulnerabilities patched this cycle break down as follows:

  • Elevation of Privilege: 249
  • Remote Code Execution: 143
  • Information Disclosure: 102
  • Denial of Service: 35
  • Security Feature Bypass: 17
  • Spoofing: 16
  • Tampering: 8

Most of these vulnerabilities require manual patching and are not automatically resolved through cloud-based updates, making prompt action vital for organisations.

Three Zero-Day Vulnerabilities: SharePoint, AD FS, and BitLocker

Of the vulnerabilities addressed, three are classified as zero-days. Two have been confirmed as exploited in the wild, raising the stakes for organisations using affected on-premises Microsoft systems.

SharePoint Server Elevation of Privilege (CVE-2026-56164)

This vulnerability impacts Microsoft SharePoint Server and enables attackers to escalate privileges on an already compromised or authenticated session. Although Microsoft has rated it as “Moderate,” real-world attacks often chain lower-severity Elevation of Privilege (EoP) bugs with Remote Code Execution (RCE) flaws for full server compromise. The fact that CVE-2026-56164 is being actively exploited makes it especially urgent for organisations with on-premises SharePoint farms to apply patches immediately. Attackers continue to favour SharePoint as an entry point due to its critical business function and frequent exposure to external networks.

Active Directory Federation Services Elevation of Privilege (CVE-2026-56155)

Targeting AD FS, Microsoft’s identity federation and single sign-on technology, CVE-2026-56155 has also been exploited in the wild. AD FS is core to hybrid identity infrastructures, bridging on-premises Active Directory and Azure AD. Successful exploitation can let attackers escalate privileges and move laterally through authentication infrastructure. This risk echoes previous “golden SAML” campaigns that targeted AD FS to compromise entire identity estates. Organisations with hybrid or cloud-connected environments should prioritise patching to prevent broader compromise.

Windows BitLocker Security Feature Bypass (CVE-2026-50661)

While not yet confirmed as exploited, CVE-2026-50661 was publicly disclosed before a patch was available. The flaw allows attackers with physical access to a device to bypass BitLocker disk encryption, particularly by exploiting weaknesses in the recovery environment. This follows the pattern set by the earlier “YellowKey” BitLocker bypass (CVE-2026-45585) seen earlier in 2026. Organisations relying on BitLocker to protect sensitive data on lost or stolen devices should urgently review their physical security controls and ensure prompt patching.

Critical Remote Code Execution Flaws: SharePoint and Print Spooler

In addition to the zero-days, two Critical-rated Remote Code Execution (RCE) vulnerabilities demand attention:

  • CVE-2026-58644: SharePoint Server RCE, which could be paired with privilege escalation bugs for full takeover.
  • CVE-2026-58608: Windows Print Spooler RCE, a longstanding favourite of ransomware and advanced persistent threat groups due to Print Spooler’s broad attack surface and integration across Windows estates.

These vulnerabilities are particularly attractive to attackers because RCE bugs enable code execution on a remote system, often with high privileges. Both SharePoint and Print Spooler have a history of being targeted in ransomware and nation-state campaigns, making prompt patching critical for large and small organisations alike.

Who is Affected and Timeline of the Attack

The affected products span multiple Microsoft software families:

  • SharePoint Server (all supported versions)
  • Active Directory Federation Services (multiple versions in on-premises and hybrid configurations)
  • Windows OS (all maintained client and server versions, with emphasis on those running BitLocker and Print Spooler)

The vulnerabilities were disclosed and patched on 14 July 2026. Exploitation of the SharePoint and AD FS zero-days was confirmed prior to public release, with Microsoft and security researchers observing active campaigns against exposed servers. The BitLocker bypass was disclosed publicly but has not yet been observed in active attacks as of publication.

Why This Patch Tuesday Matters

This record-breaking update signals a significant risk for organisations that rely on Microsoft products, especially on-premises deployments. The volume of vulnerabilities, the presence of multiple zero-days, and the confirmed exploitation of privilege escalation bugs in key infrastructure components all heighten the threat level. Attackers continue to exploit chaining techniques, combining EoP and RCE flaws for maximum impact.

Immediate Steps for Organisations

  • Prioritise patching SharePoint Server and AD FS, especially for on-premises deployments
  • Review and strengthen controls around Windows BitLocker, particularly for devices at risk of physical theft or loss
  • Apply patches for Print Spooler and other critical RCE bugs as soon as possible
  • Monitor official Microsoft advisories for further updates or mitigation guidance

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins

Related CyPro Services

  • Managed Detection and Response (MDR)

    Managed Detection and Response (MDR) is an end-to-end managed service designed to help organisations detect, analyse and respond to cyber threats quickly and effectively. It...
    View Service
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call