Microsoft has released its July 2026 Patch Tuesday security updates, delivering fixes for a record-breaking 570 vulnerabilities across Windows, Microsoft Office, Active Directory, SharePoint, and other Microsoft products.
The update addresses three zero-day vulnerabilities, including two that were actively exploited in the wild, making this one of the most significant Patch Tuesday releases in recent years.
The sheer volume of vulnerabilities reflects Microsoft's increasing investment in proactive vulnerability discovery, with the company recently confirming it has expanded its use of AI-powered security research to identify weaknesses before threat actors can exploit them.
Microsoft's July release includes:
| Vulnerability Type | Number |
|---|---|
| Elevation of Privilege | 254 |
| Remote Code Execution | 145 |
| Information Disclosure | 102 |
| Denial of Service | 35 |
| Security Feature Bypass | 17 |
| Spoofing | 16 |
It is worth noting that these figures only include vulnerabilities patched directly by Microsoft on Patch Tuesday.
They do not include fixes previously released for services such as Azure OpenAI, Microsoft 365 Copilot, Exchange Online, Microsoft Edge for Android, Microsoft Entra Provisioning Service, or Mariner.
Similarly, the release excludes the 468 Chromium vulnerabilities already addressed by Google and subsequently incorporated into Microsoft Edge.
Microsoft addressed three zero-day vulnerabilities this month, with two already being exploited in real-world attacks.
An actively exploited vulnerability in Active Directory Federation Services (AD FS) allows an authenticated attacker to elevate privileges locally.
The vulnerability stems from insufficient access control within AD FS, enabling attackers with authorised access to obtain administrative privileges.
The flaw was identified by Microsoft's Detection and Response Team (DART), suggesting it was discovered during an active incident response engagement.
Microsoft has not released technical details regarding how the vulnerability was exploited.
Microsoft also fixed an actively exploited privilege escalation vulnerability affecting Microsoft SharePoint Server.
The flaw allows an unauthenticated attacker to elevate privileges remotely due to missing authentication for a critical function.
Microsoft recommends organisations:
These mitigations can help reduce risk while systems are updated.
Researchers from Mandiant Incident Response, Google Cloud FLARE OTF, and Microsoft contributed to the discovery of this vulnerability.
The third zero-day had already been publicly disclosed before Microsoft released a fix.
This vulnerability affects Windows BitLocker and could allow an attacker with physical access to bypass BitLocker encryption protections and gain access to encrypted data.
Although exploitation requires physical access to the device, organisations should prioritise patching laptops, portable workstations, and other mobile assets.
Earlier this month Microsoft announced it has expanded the use of AI-assisted vulnerability discovery across the Windows codebase.
Rather than indicating Windows is becoming less secure, the larger number of vulnerabilities reflects Microsoft's efforts to identify and remediate flaws internally before attackers can weaponise them.
As AI-assisted security research matures, organisations should expect larger Patch Tuesday releases in the future.
Several aspects make this month's Patch Tuesday particularly significant:
For organisations delaying updates, the risk window increases significantly once attackers begin analysing Microsoft's patches to develop exploits.
Security teams should prioritise the following:
Alongside Microsoft, several major technology vendors also released important security updates, including:
Organisations should ensure their wider technology stack is also reviewed and patched where applicable.
Keeping systems up to date remains one of the most effective ways to reduce cyber risk. However, patching alone is only part of the picture.
Continuous vulnerability management, proactive monitoring, and rapid incident response are essential for identifying emerging threats before they become business-impacting security incidents.
With attackers increasingly targeting newly disclosed vulnerabilities within days—or even hours—of patches being released, organisations should ensure their patch management processes are supported by continuous visibility and expert monitoring.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.