Microsoft shipped a record-shattering 570 security fixes on July 14, including two zero-days already used in attacks and a third publicly disclosed weakness that punches through BitLocker encryption. The sheer volume overshadows every previous Patch Tuesday, but for most people the immediate priority narrows to two server-side vulnerabilities that are being actively exploited right now.

The Patches That Demand Immediate Action

Two elevation-of-privilege flaws have been confirmed as exploited before Microsoft published a fix. The more urgent is CVE-2026-56164, which hits Microsoft SharePoint Server. It stems from missing authentication for a critical function, meaning any unauthenticated attacker who can reach an on-premises SharePoint server over the network can use the bug to gain elevated privileges. Once inside a collaboration platform loaded with documents, workflows, and credentials, an intruder can move laterally or exfiltrate data without tripping ordinary security alarms.

Microsoft credits researchers from Mandiant Incident Response, Google Cloud, and FLARE for the discovery, along with an anonymous contributor, but hasn’t detailed the campaigns that leveraged the flaw. The July update for SharePoint Server Subscription Edition arrives as KB5002882, with separate packages for other supported SharePoint releases. If you manage SharePoint farms, especially any that are internet-facing, treat this as an emergency deployment that sits above your normal monthly patching routine.

The second exploited zero-day, CVE-2026-56155, affects Active Directory Federation Services. Discovered by Microsoft’s own Detection and Response Team (DART), it requires an attacker to already have local access to an AD FS server. That limitation makes it less exposed than the SharePoint hole, but AD FS sits at the heart of many organizations’ identity infrastructure. An adversary who has gained any foothold on a federation server can use this bug to widen their control, potentially forging tokens or impersonating users across the environment. Administrators who still operate AD FS servers need to patch them quickly and review logs for suspicious local logons or privilege changes.

A Record-Breaking Volume—But Not All on Windows

While the 570 figure is the largest in Patch Tuesday history, the number spans Microsoft’s entire product portfolio—not just the Windows operating system. BleepingComputer tallied 254 elevation-of-privilege vulnerabilities, 145 remote-code-execution flaws, 102 information-disclosure bugs, 35 denial-of-service issues, 17 security-feature bypasses, and 16 spoofing vulnerabilities. Fifty-nine of these are rated Critical. Windows, SharePoint Server, Office, .NET, Visual Studio, SQL Server, and other Microsoft software all got fixes.

Some outlets reported even higher totals—above 600—by combining the Patch Tuesday release with separate updates issued earlier in July for Azure OpenAI, Microsoft 365 Copilot, Exchange Online, Entra Provisioning Service, and Edge for Android. Neither number is wrong, but neither is a complete picture of what you’re running. The Security Update Guide remains the authoritative map for any organization’s exposure.

For home users, the scale is less overwhelming. The July cumulative update for Windows 11 versions 24H2 and 25H2—KB5101650—bundles all the Windows-specific fixes. After installing it, your system moves to OS build 26200.8875 (25H2) or 26100.8875 (24H2). It also upgrades the built-in curl utility to version 8.21.0, adds SHA-2 certificate thumbprint support for trusted Remote Desktop publishers, and continues Microsoft’s push of replacement Secure Boot certificates ahead of expirations that started in June 2026.

BitLocker Bypass: When Physical Access Becomes a Threat

The third zero-day, CVE-2026-50661, is a BitLocker security-feature bypass that was publicly disclosed before the patch but wasn’t known to be actively exploited at the time of release. It involves a protection-mechanism failure that could let an attacker with physical device access bypass a BitLocker control and reach encrypted data.

This doesn’t matter if your desktop is locked inside an office all day, but it matters a great deal for laptops, tablets, kiosks, and any machine that routinely leaves your sight. BitLocker’s entire purpose is to protect data when a device is lost or stolen, so a bypass in that scenario cuts to the heart of the feature’s security promise. Organizations with mobile fleets should push the July update quickly and verify that recovery keys are properly escrowed and that preboot authentication policies make sense for the risk profile.

Individuals need to take one simple precaution: make sure your BitLocker recovery key is stored somewhere you can reach before you restart after the update. Too many people discover they don’t know where the key is only when a routine reboot triggers a recovery screen. Save a copy to your Microsoft account, a USB drive, or a secure password manager now.

What to Do Right Now

For IT administrators:
- Patch any on-premises SharePoint servers immediately, especially internet-facing ones. Apply the specific SharePoint update (KB5002882 for Subscription Edition) and then run the configuration wizard across the farm.
- Move AD FS servers next. Even though the bug requires local access, an identity server is too important to leave unpatched when a known exploit exists.
- Prioritize BitLocker-protected laptops and devices at heightened risk of theft. The physical-access requirement makes this a lower urgency for stationary desktops, but mobile fleers should not wait.
- Deploy the remaining Windows, Office, .NET, and other Microsoft patches through your normal testing rings, but accelerate where possible. The volume means a larger-than-usual window of vulnerability if you stick to a slower monthly cadence.
- Test applications that use low-level network transport drivers. A hardening change in this update can break software that relies on unregistered third-party Transport Driver Interface (TDI) transports. Registered TDI transports aren’t affected, but legacy networking, security, or industrial applications might be.

For home users and small businesses:
- Open Settings > Windows Update, click “Check for updates,” and install everything that’s offered. The cumulative update will protect your PC against all the Windows-specific flaws.
- Before restarting, take 30 seconds to locate your BitLocker recovery key. If you’ve encrypted your system drive, go to the recovery keys page in your Microsoft account (https://account.microsoft.com/devices/recoverykey) or check wherever you saved it during initial setup.
- If you’re still on Windows 11 version 24H2 Home or Pro, note that Microsoft lists October 13, 2026 as the end of monthly updates for that edition. You’ll want to move to 25H2 before then, but the July patch keeps you protected today.

How We Got Here

Microsoft’s monthly patch cycle has been trending upward for years, but the jump from just over 200 fixes in June to 570 in July is extraordinary. The company expanded the products included in this month’s rollout, and several large vulnerability categories—especially elevation-of-privilege and remote-code-execution—spiked. Simultaneously, the security community’s focus on SharePoint and identity infrastructure has intensified as on-premises collaboration platforms have become a favored target for ransomware and espionage actors.

The exploited SharePoint zero-day fits that pattern. On-premises SharePoint farms are notoriously complex to update, and many organizations lag behind because applying patches requires manual steps beyond clicking “Install” in Windows Update. Attackers know this and weaponize the gap.

The AD FS zero-day is a reminder that identity federation remains a high-value target. Even though most enterprises have moved toward cloud-native authentication, plenty of hybrid and on-premises deployments still run AD FS. A local privilege elevation there can give attackers the keys to the kingdom.

The BitLocker bypass, while less immediately threatening, echoes similar physical-access defects disclosed in prior years. BitLocker’s security model assumes an attacker has physical possession; any hole in that wall undermines the very reason organizations deploy full-disk encryption.

The Bigger Picture: Beyond the Numbers

Record-breaking patch counts grab headlines, but they obscure the real decisions admins must make. A Critical-rated remote-code-execution flaw in a server you don’t run is irrelevant to you, while a low-severity elevation-of-privilege bug that has already been exploited on your internet-facing SharePoint server is a crisis. The only reliable way to prioritize is to cross-reference Microsoft’s Security Update Guide with your own asset inventory.

Compatibility changes in this release deserve attention, too. The TDI transport tightening could trip up legacy apps, and the Secure Boot certificate transition will eventually affect any machine that relies on UEFI Secure Boot. Microsoft has been phasing in new certificates for months; failing to keep firmware and bootloaders current will lead to boot failures when the old certificates expire.

For most Windows users, the takeaway is simple: install the update, check your BitLocker key, and move on. For anyone running servers—especially SharePoint or AD FS—the clock started ticking the moment the patches dropped.

Outlook

Microsoft hasn’t detailed the attacks that used the SharePoint and AD FS zero-days, but that information typically surfaces in threat-intelligence reports weeks or months later. Expect more analysis from Mandiant and DART. In the near term, watch for proof-of-concept code for the BitLocker bypass; public disclosure often triggers reverse engineering that helps attackers develop exploits. The next Patch Tuesday falls on August 11, 2026, but given July’s volume, don’t be surprised if out-of-band fixes appear for any bugs that slip through or get discovered post-release.

For now, the message is clear: update SharePoint servers first, then AD FS, then everything else. A record patch count is manageable when you know where to start.