Patch the SharePoint and AD FS zero-days first
July’s record Patch Tuesday is huge, but only two CVEs are already live in attacks—and one product just lost support.
Microsoft’s July 2026 Patch Tuesday is the largest on record by the company’s own Security Update Guide count: 622 CVEs. That is more than triple June’s previous high of roughly 200. Two of those fixes close elevation-of-privilege holes already under active attack. Neither is a flashy remote code execution critical. Both sit in identity and collaboration infrastructure that most large estates still run: on-premises SharePoint Server and Active Directory Federation Services (AD FS).
The volume grabs headlines. The order of work should not. Treat the two exploited privilege bugs as the real emergency, treat the Kerberos RC4 cutover as a change-management risk that can page you overnight, and treat the severity labels with more skepticism than usual this month.
Two live privilege bugs, not the usual RCE story
CVE-2026-56164 hits Microsoft SharePoint Server. Microsoft describes it as missing authentication for a critical function: an unauthenticated attacker can elevate privileges over the network, with no credentials and no user interaction. Microsoft credits Mandiant incident responders and Google’s FLARE team, which is a strong signal it was found inside real attacks rather than a research lab. Enabling the Antimalware Scan Interface (AMSI) in Full Mode on the server is listed as a partial mitigation while you roll the fix.
SharePoint has been a magnet since the ToolShell chain in 2025. That history matters more than the CVSS number Microsoft assigned this one (it is relatively low). Severity scores do not encode “this is where the documents and service accounts live.”
CVE-2026-56155 is an AD FS elevation of privilege. An already-authenticated attacker can elevate privileges locally through weak access controls. Microsoft’s own Detection and Response Team (DART) gets the credit, again pointing at incident response rather than pure research. “Local” on the box that signs federation tokens for the rest of the estate is not a soft label. Microsoft has not said what privileges the bug grants or how it was used.
Neither CVE was on CISA’s Known Exploited Vulnerabilities catalog at the time of the release. Microsoft’s own exploitability rating already marks both as exploited. Waiting for a KEV listing is not a plan.
A third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker security feature bypass that needs physical access. Patch it in the normal queue. It continues a run of BitLocker bypasses, but it is not a remote emergency.
Why the CVE count jumped, and why counts disagree
July is usually a light month on Microsoft’s calendar. This one is not. Windows alone accounts for 416 of the 622. ZDI counted 95 remote code execution bugs across the release. Other rough piles from reporting: Office in the 80s (some outlets double-count an Office 2016 track and land near 164), Edge 46, Developer Tools 27.
BleepingComputer’s roundup lands at 570 because it excludes flaws Microsoft fixed earlier in the month in products such as Mariner, Azure OpenAI, Azure Synapse, M365 Copilot, Exchange Online, Edge for Android, and Entra Provisioning Service, plus Chromium re-listings. Both numbers can be true depending on what you count. For operators, the actionable number is not the total. It is how many of the systems you actually run appear in the two exploited rows and the high-impact RCE set (VMSwitch CVE-2026-57092 at 9.9 sits at the top of that list).
Microsoft has said publicly that an AI-powered multi-model agentic scanning harness (MDASH) is accelerating internal vulnerability discovery across the Windows codebase. That helps explain a quiet calendar month producing a record drop. Faster discovery is good. It also means patch pipelines and change windows need to scale with the new discovery rate, not with historical July averages.
SharePoint’s second clock: support ends the same day
Today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, there is no paid Extended Security Updates program to fall back on. If you still run self-hosted 2016/2019, the zero-day patch and the support cliff land together.
Rapid7 also disclosed CVE-2026-55040, a JWT authentication bypass built for a Pwn2Own Berlin entry. Severity disagree: Rapid7 rates it 5.3 (Microsoft medium); ZDI reads the release as Critical at 9.1. What is not in dispute is the chain: Rapid7 combined the JWT bypass with a separate remote code execution bug to get unauthenticated RCE. Microsoft is scheduled to fix the RCE half in August. July’s bypass is the link that breaks that chain until then. A four-point spread on one bug is another reminder not to sort solely by score this cycle.
What to do in practice this week
Prioritize by exposure and exploit status, not by the size of the bulletin.
- SharePoint Server first. Apply the fix for CVE-2026-56164 on every on-premises farm. Turn on AMSI in Full Mode (Request Body Scan) if it is not already. If you are still on 2016 or 2019, treat migration or isolation as concurrent work, not a later project. Internet-facing SharePoint without the patch is the highest-risk configuration in this release.
- AD FS next. Patch CVE-2026-56155 on federation servers. Because the bug is local elevation after authentication, lock down who can log on to those hosts, review privileged group membership, and assume token-signing infrastructure is high value even when the CVSS vector says “local.”
- Kerberos RC4 cutover. This update finishes Microsoft’s multi-year RC4 hardening by removing the
RC4DefaultDisablementPhaserollback switch. After it lands, RC4 works only for accounts explicitly configured to allow it. Service accounts that still request RC4 tickets can fail authentication immediately. Order of operations: audit using the RC4 audit events Microsoft shipped in January, rotate passwords on flagged service accounts so Windows generates AES keys, then patch. Rotation only helps accounts missing AES keys. Anything pinned to RC4 by policy, or a client that cannot speak AES, needs its own fix before the update. - High-impact RCE and drivers. Queue the VMSwitch 9.9, DHCP RCEs, RDP, and the NTFS/ReFS driver cluster after the two zero-days. ZDI’s read that many of the filesystem driver bugs share a root cause is worth a single coordinated test pass rather than 21 independent change tickets.
- BitLocker and the rest. Physical-access BitLocker bypass goes with the laptop fleet cadence. Developer Tools (27 CVEs) and Edge Chromium re-listings follow normal browser and tooling channels.
If you only run cloud Microsoft 365 and managed Entra ID with no on-prem SharePoint or AD FS, the two zero-days may not touch you. The RC4 change and Windows/Office volume still do if you have hybrid identity, domain-joined clients, or self-managed Windows servers.
Severity is a weak sort key this month
The SharePoint zero-day is rated lower than many of the unexploited RCEs. The JWT bypass severity depends on who you ask. “Local” AD FS privilege elevation is more dangerous than a high-scoring bug on a service you do not expose. Sort by: already exploited, internet-reachable, identity/token path, then CVSS.
Neither live zero-day needs a novel exploit narrative for operators. Microsoft has not published exploitation details, and none are required to decide. Unauthenticated network privilege elevation on SharePoint and local admin elevation on AD FS are enough. Patch those two, finish the RC4 audit before the cutover bites, and do not wait for CISA to rubber-stamp what Microsoft already labeled exploited.
Sources & further reading
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack — thehackernews.com
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days — bleepingcomputer.com
- Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days - SecurityWeek — securityweek.com
Ji-ho covers the increasingly tangled overlap between cloud architecture and security, drawing on a background as a penetration tester to keep his reporting grounded in real-world attack paths. He never lets a vendor claim go unquestioned and insists that every buzzword come with a proof of concept.
Discussion 0
No comments yet
Be the first to weigh in.