570 Vulnerabilities Fixed, Including Three Zero-Day Flaws
Microsoft has released its July 2026 Patch Tuesday security updates, delivering fixes for a record-breaking 570 vulnerabilities across Windows, Microsoft Office, Active Directory, SharePoint, and other Microsoft products.
The update addresses three zero-day vulnerabilities, including two that were actively exploited in the wild, making this one of the most significant Patch Tuesday releases in recent years.
The sheer volume of vulnerabilities reflects Microsoft's increasing investment in proactive vulnerability discovery, with the company recently confirming it has expanded its use of AI-powered security research to identify weaknesses before threat actors can exploit them.
July 2026 Patch Tuesday at a Glance
Microsoft's July release includes:
- 570 vulnerabilities patched
- 3 zero-day vulnerabilities
- 2 actively exploited zero-days
- 1 publicly disclosed zero-day
- 59 Critical vulnerabilities
- 48 Critical Remote Code Execution (RCE) flaws
Vulnerability Breakdown
| Vulnerability Type | Number |
|---|---|
| Elevation of Privilege | 254 |
| Remote Code Execution | 145 |
| Information Disclosure | 102 |
| Denial of Service | 35 |
| Security Feature Bypass | 17 |
| Spoofing | 16 |
It is worth noting that these figures only include vulnerabilities patched directly by Microsoft on Patch Tuesday.
They do not include fixes previously released for services such as Azure OpenAI, Microsoft 365 Copilot, Exchange Online, Microsoft Edge for Android, Microsoft Entra Provisioning Service, or Mariner.
Similarly, the release excludes the 468 Chromium vulnerabilities already addressed by Google and subsequently incorporated into Microsoft Edge.
Three Zero-Day Vulnerabilities Patched
Microsoft addressed three zero-day vulnerabilities this month, with two already being exploited in real-world attacks.
CVE-2026-56155 – Active Directory Federation Services Privilege Escalation
An actively exploited vulnerability in Active Directory Federation Services (AD FS) allows an authenticated attacker to elevate privileges locally.
The vulnerability stems from insufficient access control within AD FS, enabling attackers with authorised access to obtain administrative privileges.
The flaw was identified by Microsoft's Detection and Response Team (DART), suggesting it was discovered during an active incident response engagement.
Microsoft has not released technical details regarding how the vulnerability was exploited.
CVE-2026-56164 – Microsoft SharePoint Server Elevation of Privilege
Microsoft also fixed an actively exploited privilege escalation vulnerability affecting Microsoft SharePoint Server.
The flaw allows an unauthenticated attacker to elevate privileges remotely due to missing authentication for a critical function.
Microsoft recommends organisations:
- Enable the Antimalware Scan Interface (AMSI)
- Configure Request Body Scan Mode to Full
These mitigations can help reduce risk while systems are updated.
Researchers from Mandiant Incident Response, Google Cloud FLARE OTF, and Microsoft contributed to the discovery of this vulnerability.
CVE-2026-50661 – Windows BitLocker Security Feature Bypass
The third zero-day had already been publicly disclosed before Microsoft released a fix.
This vulnerability affects Windows BitLocker and could allow an attacker with physical access to bypass BitLocker encryption protections and gain access to encrypted data.
Although exploitation requires physical access to the device, organisations should prioritise patching laptops, portable workstations, and other mobile assets.
AI Is Driving More Vulnerability Discovery
Earlier this month Microsoft announced it has expanded the use of AI-assisted vulnerability discovery across the Windows codebase.
Rather than indicating Windows is becoming less secure, the larger number of vulnerabilities reflects Microsoft's efforts to identify and remediate flaws internally before attackers can weaponise them.
As AI-assisted security research matures, organisations should expect larger Patch Tuesday releases in the future.
Why This Update Matters
Several aspects make this month's Patch Tuesday particularly significant:
- Two vulnerabilities were already being actively exploited.
- Nearly 60 Critical vulnerabilities were addressed.
- Almost half of all vulnerabilities allow privilege escalation.
- A substantial number of Remote Code Execution flaws could allow attackers to execute malicious code without physical access.
For organisations delaying updates, the risk window increases significantly once attackers begin analysing Microsoft's patches to develop exploits.
Recommended Actions
Security teams should prioritise the following:
- Deploy the July 2026 Microsoft security updates as soon as possible.
- Prioritise internet-facing servers, Active Directory infrastructure, and SharePoint environments.
- Ensure SharePoint AMSI protection is enabled and configured correctly.
- Verify BitLocker-protected devices receive the latest updates.
- Review endpoint detection and monitoring for indicators of compromise.
- Confirm backup and recovery procedures remain up to date.
Other Security Updates Released This Month
Alongside Microsoft, several major technology vendors also released important security updates, including:
- Adobe
- BeyondTrust
- Cisco
- Fortinet
- Ivanti
- Linux Kernel
- NVIDIA
- Progress Software
- SAP
- VMware
- Zimbra
- Ubiquiti
Organisations should ensure their wider technology stack is also reviewed and patched where applicable.
Stay Ahead of Emerging Threats
Keeping systems up to date remains one of the most effective ways to reduce cyber risk. However, patching alone is only part of the picture.
Continuous vulnerability management, proactive monitoring, and rapid incident response are essential for identifying emerging threats before they become business-impacting security incidents.
With attackers increasingly targeting newly disclosed vulnerabilities within days—or even hours—of patches being released, organisations should ensure their patch management processes are supported by continuous visibility and expert monitoring.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.