Microsoft Patch Tuesday July 2026: a record 570 flaws and 3 zero-days
> In short: Microsoft's July 2026 Patch Tuesday is the largest on record — 570 flaws patched, 59 of them Critical, and 3 zero-days (2 actively exploited, 1 publicly disclosed). The two exploited zero-days are CVE-2026-56155 (AD FS elevation of privilege) and CVE-2026-56164 (SharePoint elevation of privilege). The disclosed one is CVE-2026-50661 (BitLocker security feature bypass).
The numbers
570 flaws is a record, and Microsoft warned it expects more: the company has started using an AI-powered vulnerability-discovery system across its Windows codebase, which is surfacing bugs faster than the traditional pipeline. From a defender's point of view, that is good news (bugs found internally before attackers) but it means Patch Tuesday volumes are likely to stay high.
The breakdown this month:
Note: this count excludes Edge/Chromium flaws (468 this month, fixed by Google) and products patched earlier in the month (Mariner, Azure OpenAI, Exchange Online, Copilot, Entra Provisioning).
The three zero-days
CVE-2026-56155 — AD FS Elevation of Privilege (actively exploited). Insufficient granularity of access control in Active Directory Federation Services lets an authorized attacker elevate privileges locally. Credited to Microsoft's own DART incident-response team — usually a sign the flaw was found while investigating a real intrusion. Treat any AD FS deployment as potentially compromised until patched.
CVE-2026-56164 — SharePoint Server Elevation of Privilege (actively exploited). Missing authentication for a critical function. Microsoft lists AMSI integration (Request Body Scan mode set to Full) as a partial mitigation. Credited to Mandiant and Google Cloud FLARE OTF — another strong signal of active threat-actor use. This one is part of the broader SharePoint exploitation campaign that also includes CVE-2026-58644.
CVE-2026-50661 — Windows BitLocker Security Feature Bypass (publicly disclosed). An attacker with physical access can bypass BitLocker Device Encryption and access encrypted data. Not exploited according to Microsoft, but disclosed — which means the details are out. Relevant for stolen/lost laptops and for any fleet that relies on BitLocker as a primary control.
What a SaaS team should pull out of this
Most of the 570 flaws are Windows desktop and Office RCE/EoP — relevant to IT, less directly to a SaaS product team. Three things should actually move on the SaaS side:
The other vendors this week
Patch Tuesday is also when the rest of the industry ships. This July brought critical updates from Adobe (ColdFusion CVE-2026-48282, exploited), BeyondTrust (auth bypass in Remote Support / PRA), Cisco (CVE-2026-20230 confirmed exploited), Fortinet (FortiSandbox, in KEV), Gitea (Docker auth bypass, exploited), SAP (NetWeaver / Commerce Cloud critical), Ubiquiti (UniFi OS max severity), VMware (Avi Load Balancer) and Zimbra (Classic Web Client XSS). We've covered the most SaaS-relevant ones individually.
The operational lesson
With Patch Tuesday volumes climbing and AI-discovered bugs accelerating, the old "quarterly patch review" cadence is dead. For a SaaS vendor, the realistic posture is: a weekly review of MSRC + your stack's advisories, a defined SLA for Critical/EoP (we recommend 7 days), and a written process for the days a zero-day drops with active exploitation. NIS2 and your enterprise clients now expect exactly that.
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
SharePoint CVE-2026-58644: a critical RCE zero-day added to the CISA KEV catalog
A deserialization flaw (CVSS 9.8) in Microsoft SharePoint Server lets an attacker authenticated as Site Owner execute arbitrary code remotely. Actively exploited as a zero-day, added to the CISA KEV catalog on July 16, 2026 with a July 19 remediation deadline.
Adobe ColdFusion CVE-2026-48282: a max-severity RCE exploited within 2 hours of disclosure
A maximum-severity flaw (CVSS 9.8) in Adobe ColdFusion 2025.9, 2023.20 and earlier allows unauthenticated remote code execution. Exploitation started within 2 hours of Adobe's disclosure. ~800 instances exposed online. Fix available.
Zoom CVE-2026-53412: a critical account takeover in the Windows desktop client
An improper input validation flaw (CVSS 9.8) in Zoom Workplace for Windows, the VDI Client, and the Meeting SDK lets an unauthenticated attacker take over accounts via network access. Affects versions before 7.0.0. Fix available.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.