Microsoft shipped fixes for two actively exploited zero-day vulnerabilities on July 14, 2026, as part of a massive Patch Tuesday that also set a record for the number of security flaws resolved in a single month. The immediate priority for Windows admins isn’t the historic volume—570 vulnerabilities by one count, 622 by another—but the pair of issues attackers were already using before the patches arrived: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in Microsoft SharePoint Server.

What Actually Changed

The July 2026 Patch Tuesday rollup is the largest Microsoft has ever released. BleepingComputer’s tally arrived at 570 vulnerabilities in the July 14 batch, excluding earlier-in-the-month fixes and upstream Chromium patches. Malwarebytes reported 622 CVEs using a broader monthly scope. The discrepancy stems from how “Patch Tuesday” is defined—narrowly as that day’s advisories or widely as all Microsoft security activity over the month—so neither number is wrong. Under BleepingComputer’s July 14 count, 59 issues are rated Critical. The payload spans elevation-of-privilege (254), remote-code-execution (145), information-disclosure (102), denial-of-service (35), security-feature-bypass (17), and spoofing (16) flaws.

But the most urgent items are three zero-days:

  • CVE-2026-56155 (Active Directory Federation Services): An elevation-of-privilege flaw that lets an authenticated attacker gain local administrative control over a federated identity system already in use at many organizations. Microsoft confirms it was exploited in the wild.
  • CVE-2026-56164 (SharePoint Server): A missing-authentication vulnerability in a critical function that allows an unauthenticated network attacker to elevate privileges on on-premises SharePoint Server. Active exploitation confirmed.
  • CVE-2026-50661 (BitLocker): A security-feature bypass that requires physical access and could let an attacker read encrypted data from system drives. Publicly disclosed but not reported as exploited.

For Windows 11 users, the cumulative updates are KB5101650 (versions 25H2 and 24H2) and KB5099414 (version 23H2). Windows 10 systems on Extended Security Updates get KB5099539.

What It Means for You

For IT Administrators

The attack surface matters more than the total count. If your organization runs on-premises AD FS or SharePoint Server, treat these patches as emergency items. An attacker with a foothold on an AD FS server could pivot to administrative control, compromising token-signing and encryption certificates. The SharePoint flaw lets unauthenticated attackers hit internet-exposed servers, making it a prime target for opportunistic scanning.

Both fixes come with operational nuances:
- AD FS (CVE-2026-56155): The July update only initiates hardening by running the Distributed Key Manager container ACL in Audit mode. It logs insecure permissions under Event ID 1132 in the AD FS Admin event log but doesn’t automatically correct them. You must review those logs and then opt into the full ACL remediation—a step that can impact certificate behavior if rushed.
- SharePoint Server (CVE-2026-56164): Microsoft recommends enabling the Antimalware Scan Interface (AMSI) and setting Request Body Scan mode to Full as a compensating control. That’s not a substitute for patching, just a bridge for testing windows.

BitLocker’s fix (CVE-2026-50661) is lower urgency but still important for laptops, field hardware, and any device at risk of physical loss. It’s a reminder that full-disk encryption is only as strong as the patch level, Secure Boot posture, and TPM hygiene.

For Home and Small Business Users

If you’re using Windows Update, the path is simple: install the latest cumulative update, reboot, and verify the build number. For most individuals, the biggest protection gain comes from closing the elevation-of-privilege and remote-code-execution holes that wormable malware could exploit. The BitLocker fix matters only if someone physically steals your device. There’s no extra step unless you rely on AD FS or SharePoint Server, which are enterprise products.

How We Got Here

On July 9, Microsoft warned that a larger-than-usual Patch Tuesday was coming, citing a new AI-assisted vulnerability-discovery pipeline called MDASH. The system uses multiple models to scan critical binaries, validate potential flaws, and filter out false positives before engineering teams build patches. The spike in findings doesn’t mean Windows suddenly became more buggy; it means the company can now find—and fix—flaws faster.

But speedier discovery also changes the rhythm for defenders. Where previous Patch Tuesdays rarely topped 150 CVEs, the last few months have trended upward. June’s release already surpassed 400 fixes, and July’s record suggests AI is surfacing issues that manual review might have missed. The bottleneck shifts from vulnerability discovery to enterprise testing and deployment.

Microsoft’s tools—Autopatch, Intune, Known Issue Rollback, hotpatch—can help, but they don’t eliminate the need for admins to test line-of-business applications against each update. The sheer volume of July’s fixes means IT pros must prioritize: patch the actively exploited zero-days immediately, then cycle through the rest using normal change-control processes.

What to Do Now

  1. Deploy the patch for AD FS (CVE-2026-56155) on all federation servers. After rebooting, open the AD FS Admin event log and filter for Event ID 1132. Each flagged entry indicates a permission that should be tightened. Plan the ACL remediation carefully, validate token-signing and token-decryption operations, and confirm federation trusts remain healthy before locking anything down.

  2. Patch all on-premises SharePoint Servers (CVE-2026-56164) as quickly as possible. If an immediate maintenance window isn’t possible, enable AMSI and set Request Body Scan mode to Full. But schedule the update within days, not weeks—attackers are already exploiting the flaw.

  3. Apply the BitLocker fix (CVE-2026-50661) to laptops and mobile devices. It’s not actively exploited, but physical-access threats are real for field staff, travelers, and organizations that rely on BitLocker for compliance.

  4. For the remaining 567+ vulnerabilities, follow your usual deployment cadence. Use rings or phased rollouts to catch compatibility issues early. Monitor update-health dashboards in Windows Update for Business or endpoint management tools for known issues.

  5. For home users: Open Settings > Windows Update, click Check for updates, install everything offered, and restart. Confirm the build matches the one in the update history (e.g., KB5101650 for Windows 11 25H2/24H2).

Outlook

Microsoft has made no secret that AI will accelerate vulnerability discovery, and July’s release is the clearest proof yet. This doesn’t just mean larger Patch Tuesdays; it signals a future where critical fixes may drop outside the traditional second-Tuesday-of-the-month window, or where out-of-band updates become more common. The defensive value is clear—finding flaws before attackers do—but it also demands that IT teams reassess their update pipelines. Automation, staging rings, and application compatibility testing will matter more than ever. For now, the immediate focus is on those two exploited zero-days. Patch AD FS and SharePoint first, audit your identity infrastructure, and then settle in for the rest of a very busy month.