Skip to content
feed: live
>_ 0dayNews
microsoft
● Breaking

Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days out

Microsoft's July 2026 Patch Tuesday ships 570 CVEs, including two exploited zero-days in AD FS and SharePoint plus a publicly disclosed BitLocker bypass. Patch AD FS first.

Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days out
Photo: Christina Morillo / Pexels · Pexels License
fuse Marisol "Fuse" Delgado · Published · 3 min read

Microsoft shipped its July 2026 Patch Tuesday today with 570 CVEs — a record haul, credited by Redmond partly to an AI-assisted triage system now churning through the Windows codebase. Three of them are zero-days: two under active exploitation, one publicly disclosed but not yet observed in the wild. Priority order is at the bottom. Patch AD FS first.

The three zero-days:

  • CVE-2026-56155 — Active Directory Federation Services elevation of privilege. CVSS 7.8, rated Important by Microsoft. “Insufficient granularity of access control” lets an authorized attacker escalate locally. Credited to Microsoft’s DART team; already added to the CISA KEV catalog today. If you’re still fronting Microsoft 365 or on-prem app federation with AD FS, this is the one that matters this week.
  • CVE-2026-56164 — SharePoint Server elevation of privilege, “missing authentication for critical function” per Microsoft. CVSS 5.3, rated Moderate — but “over a network” and “unauthorized attacker” in the same sentence is a lower-severity score that reads worse than it sounds. Also on CISA KEV as of today. Microsoft’s mitigation note is to enable AMSI plus Request Body Scan; the patch is what actually fixes it.
  • CVE-2026-50661 — Windows BitLocker security feature bypass. CVSS 6.1, publicly disclosed, no confirmed exploitation yet. Requires physical access to the device to bypass BitLocker Device Encryption. Lower urgency for most fleets; higher urgency for anyone shipping laptops through logistics chains or handling recovered/stolen hardware.

Category breakdown across the 570: 254 elevation of privilege, 145 remote code execution, 102 information disclosure, 35 denial of service, 17 security feature bypass, 16 spoofing. Microsoft tagged 59 as Critical — 48 of those are RCE. Notable ones from the Critical bucket: CVE-2026-54121 (AD Certificate Services EoP), CVE-2026-49164 (Active Directory RCE), CVE-2026-48561 (Copilot RCE), CVE-2026-55011 and CVE-2026-55012 (Defender RCE), plus a cluster of Office RCEs at CVE-2026-55045, CVE-2026-55049, and CVE-2026-55129.

Separately, but landing in the same 24 hours and worth pulling into the same maintenance window: Rapid7 disclosed CVE-2026-55040 today — a SharePoint JWT authentication bypass that’s the first half of an unauthenticated RCE chain against SharePoint Server. Microsoft has patched the auth-bypass half in today’s update; the RCE half is expected in a future release. That means “SharePoint patched” is not one CVE this cycle — it’s at least three you should be tracking (56164, 55040, and whatever comes next).

The honest timeline:

  • 2026-07-14 morning — Microsoft publishes 570 advisories via MSRC.
  • 2026-07-14 same day — CISA lists CVE-2026-56155 and CVE-2026-56164 under BOD 26-04; federal remediation clocks start now.

Priority order for the maintenance window:

  1. AD FS servers — CVE-2026-56155 first. Exploited, KEV, credentialed identity plane. If it fronts any downstream authentication, it is not something to defer to the weekend patch cycle.
  2. SharePoint Server, on-prem — both CVE-2026-56164 and Rapid7’s CVE-2026-55040 in the same maintenance touch. Don’t split them into two windows; you’re already taking the outage.
  3. AD Certificate Services — CVE-2026-54121 (Critical, EoP). Cert-services compromise is quiet and expensive; get it in the same domain-controller-adjacent maintenance pass as AD FS.
  4. Everything else Critical-rated for RCE — Copilot, Defender, Office. Standard Patch Tuesday rollout channels; nothing here is on fire, but the Office RCE cluster (three CVEs) is the one users will trip on first because it’s file-format-driven.
  5. BitLocker (CVE-2026-50661) — real risk, but requires physical access. Roll it out through your normal Windows patch channel; don’t jump the queue.

The 570 number will scare some teams into freezing the whole cycle for testing. Don’t. The three zero-days plus the 59 Criticals are the load-bearing ones; the long tail of EoPs and IDs is what regression testing is for over the next two weeks. Related: SAP shipped three criticals in its July cycle the same day, and Progress ShareFile 5.12.5 / 6.0.2 is also in this week’s queue.

Found this useful? Share it.