Back to blog
CVEMicrosoftPatch Tuesdaytechnique

Microsoft Patch Tuesday July 2026: a record 570 flaws and 3 zero-days

Published on 2026-07-147 min readCleanIssue

> In short: Microsoft's July 2026 Patch Tuesday is the largest on record — 570 flaws patched, 59 of them Critical, and 3 zero-days (2 actively exploited, 1 publicly disclosed). The two exploited zero-days are CVE-2026-56155 (AD FS elevation of privilege) and CVE-2026-56164 (SharePoint elevation of privilege). The disclosed one is CVE-2026-50661 (BitLocker security feature bypass).

The numbers

570 flaws is a record, and Microsoft warned it expects more: the company has started using an AI-powered vulnerability-discovery system across its Windows codebase, which is surfacing bugs faster than the traditional pipeline. From a defender's point of view, that is good news (bugs found internally before attackers) but it means Patch Tuesday volumes are likely to stay high.

The breakdown this month:

  • 254 Elevation of Privilege
  • 145 Remote Code Execution (48 of the 59 Critical are RCE)
  • 102 Information Disclosure
  • 35 Denial of Service
  • 17 Security Feature Bypass
  • 16 Spoofing
  • Note: this count excludes Edge/Chromium flaws (468 this month, fixed by Google) and products patched earlier in the month (Mariner, Azure OpenAI, Exchange Online, Copilot, Entra Provisioning).

    The three zero-days

    CVE-2026-56155 — AD FS Elevation of Privilege (actively exploited). Insufficient granularity of access control in Active Directory Federation Services lets an authorized attacker elevate privileges locally. Credited to Microsoft's own DART incident-response team — usually a sign the flaw was found while investigating a real intrusion. Treat any AD FS deployment as potentially compromised until patched.

    CVE-2026-56164 — SharePoint Server Elevation of Privilege (actively exploited). Missing authentication for a critical function. Microsoft lists AMSI integration (Request Body Scan mode set to Full) as a partial mitigation. Credited to Mandiant and Google Cloud FLARE OTF — another strong signal of active threat-actor use. This one is part of the broader SharePoint exploitation campaign that also includes CVE-2026-58644.

    CVE-2026-50661 — Windows BitLocker Security Feature Bypass (publicly disclosed). An attacker with physical access can bypass BitLocker Device Encryption and access encrypted data. Not exploited according to Microsoft, but disclosed — which means the details are out. Relevant for stolen/lost laptops and for any fleet that relies on BitLocker as a primary control.

    What a SaaS team should pull out of this

    Most of the 570 flaws are Windows desktop and Office RCE/EoP — relevant to IT, less directly to a SaaS product team. Three things should actually move on the SaaS side:

  • AD FS and SharePoint are identity and document infrastructure for your enterprise clients. If your SSO integrates with a client's AD FS, or your product reads/writes documents on a client's SharePoint Server, those clients are now part of your threat surface. Reach out to enterprise customers on NIS2 / important-entity contracts and confirm they've patched.
  • BitLocker bypass + physical access resets the laptop-threat model for any team that handles secrets locally. If your developers keep source code, credentials, or customer data on laptops protected only by BitLocker, the publicly-disclosed bypass means a stolen laptop is closer to a breach than it was last week. Add MDM remote-wipe, enforce secure enclave / TPM + PIN, and re-check that no production secrets live on workstations.
  • Microsoft Exchange Server got four fixes this month including a Critical spoofing (CVE-2026-55008). If you run Exchange on-premises (some HR/legaltech vendors still do, for sovereignty reasons), patch in this cycle — Exchange RCE/s spoofing flaws have a history of turning into mass exploitation within days.
  • The other vendors this week

    Patch Tuesday is also when the rest of the industry ships. This July brought critical updates from Adobe (ColdFusion CVE-2026-48282, exploited), BeyondTrust (auth bypass in Remote Support / PRA), Cisco (CVE-2026-20230 confirmed exploited), Fortinet (FortiSandbox, in KEV), Gitea (Docker auth bypass, exploited), SAP (NetWeaver / Commerce Cloud critical), Ubiquiti (UniFi OS max severity), VMware (Avi Load Balancer) and Zimbra (Classic Web Client XSS). We've covered the most SaaS-relevant ones individually.

    The operational lesson

    With Patch Tuesday volumes climbing and AI-discovered bugs accelerating, the old "quarterly patch review" cadence is dead. For a SaaS vendor, the realistic posture is: a weekly review of MSRC + your stack's advisories, a defined SLA for Critical/EoP (we recommend 7 days), and a written process for the days a zero-day drops with active exploitation. NIS2 and your enterprise clients now expect exactly that.

    Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit