Microsoft shipped its biggest Patch Tuesday to date today, beating June’s record of 200 flaws by nearly 3x: roughly 570 vulnerabilities (Microsoft’s own Security Update Guide and third-party trackers differ slightly, with counts ranging 569–622 depending on how bundled Edge/Chromium and non-Windows CVEs are tallied), 59 of them rated Critical, and three zero-days — two already under active exploitation.

The exploited zero-days

CVE-2026-56155 — Active Directory Federation Services elevation of privilege. Insufficient granularity of access control in AD FS lets an attacker who already holds local, low-privileged access — via stolen credentials or a compromised service account — escalate to administrator. CVSS 7.8. Microsoft credits its own Detection and Response Team (DART) with the discovery, meaning it surfaced during a real incident-response engagement rather than research disclosure. Any organization federating identity through AD FS should treat this as evidence of live intrusion activity in the wild, not a theoretical risk.

CVE-2026-56164 — SharePoint Server elevation of privilege. A missing-authentication flaw in SharePoint Server 2016, 2019, and Subscription Edition (on-prem; SharePoint Online is unaffected) that lets an unauthenticated, network-based attacker send a crafted POST request and gain elevated privileges — no user interaction required. Rated only Moderate (CVSS 5.3) by Microsoft’s own scoring, which undersells the risk: on-prem SharePoint has been a favored initial-access vector all year, and “unauthenticated over the network” plus “confirmed exploited” is a bad combination regardless of the CVSS number. Microsoft notes its AMSI integration can flag the malicious POST pattern as an interim detection signal.

CVE-2026-50661 — BitLocker security feature bypass. Publicly disclosed before patching but not yet confirmed exploited. Requires physical access to the device; successful exploitation lets an attacker read encrypted disk contents. Distinct from May’s YellowKey BitLocker WinRE bypass patched last month — this is a separate flaw in the same subsystem, underscoring how much attacker interest BitLocker’s boot-time trust chain is drawing this year.

The Critical list

Of the 48 Critical RCEs, two stand out for infrastructure teams:

  • CVE-2026-58644 — SharePoint Server RCE. On-prem SharePoint again, this time full remote code execution. Combined with CVE-2026-56164 above, any internet-facing on-prem SharePoint farm is now carrying two live reasons to patch immediately or take it offline.
  • CVE-2026-58608 — Windows Print Spooler RCE. The Print Spooler’s history (PrintNightmare and its many descendants) makes any new Critical RCE here a same-day patch item for domain environments where print spooling remains enabled on servers.

The remaining Critical bucket breaks down as 48 RCE, 9 elevation-of-privilege, 1 security-feature-bypass, and 1 spoofing bug, spanning the usual core-infrastructure surface — Windows components, .NET, and several Azure-adjacent services.

Kerberos RC4 hardening completes today

Independent of this month’s CVEs, today also marks the end of Phase 2 of Microsoft’s multi-year Kerberos RC4 deprecation: RC4 encryption types are now disabled by default in Kerberos authentication across supported Windows Server versions. Environments with legacy applications, older Unix/Linux Kerberos clients, or unmigrated trust relationships that still negotiate RC4 will start failing authentication after this update lands — test in a non-production domain controller first if you haven’t already validated AES-only Kerberos across your estate.

What to do now

Patch AD FS servers and on-prem SharePoint farms first — both have confirmed in-the-wild exploitation this month. Take internet-facing SharePoint offline if immediate patching isn’t possible; it has been the entry point for multiple incidents this year already. Print Spooler RCE gets same-day treatment on domain controllers and file/print servers where spooling can’t be disabled. For BitLocker-protected fleets, apply the update and continue prioritizing TPM+PIN over TPM-only on any hardware that leaves physical custody. Finally, validate Kerberos authentication across any RC4-dependent integrations before this rollout reaches your domain controllers, if it hasn’t already.

References: BleepingComputer’s July 2026 Patch Tuesday report, Tenable’s analysis of CVE-2026-56155 and CVE-2026-56164, Krebs on Security’s coverage, and MSRC advisories for CVE-2026-56155, CVE-2026-56164, and CVE-2026-50661.