Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days

Microsoft on Tuesday announced patches for a record-breaking 622 vulnerabilities, including two bugs in Active Directory and SharePoint Server that have been exploited in the wild as zero-days.

Tracked as CVE-2026-56155, the exploited AD flaw affects Federation Services (AD FS) and could allow attackers to elevate their privileges locally to administrator.

Also leading to privilege escalation, the SharePoint Server flaw is tracked as CVE-2026-56164 and can be exploited over the network without authentication.

Another security defect that Microsoft drew attention to is CVE-2026-50661, a BitLocker security feature bypass issue that can be exploited by physical attackers and which was publicly disclosed before the July 2026 Patch Tuesday.

“We surmise that this could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made,” Tenable senior staff research engineer Satnam Narang commented.

According to Microsoft’s release notes, Windows received fixes for 416 vulnerabilities this month, while the Office suite received patches for 164 of them.

Advertisement. Scroll to continue reading.

Some of the security defects that deserve special attention include critical flaws in Windows VMSwitch, tracked as CVE-2026-57092 (CVSS score of 9.9), and SharePoint, tracked as CVE-2026-50522 and CVE-2026-50522 (CVSS score of 9.8), ZDI says.

An XSS in Exchange Server (CVE-2026-55008) and remote code execution (RCE) bugs in the Remote Desktop Protocol (CVE-2026-56190), Windows DHCP Server (CVE-2026-50518), Windows Server Network driver (CVE-2026-56188), and Minecraft Bedrock Dedicated Server (CVE-2026-55010) also deserve increased attention.

Microsoft’s massive round of security updates resolves security weaknesses across several other products, including Azure, Defender, Developer Tools, Exchange Server, Edge, and SQL Server.

With 622 vulnerabilities, the July 2026 Patch Tuesday rollout pushes Microsoft’s year-to-date CVE count above totals from other years, but it is not a surprise.

Last week, Windows executive VP Pavan Davuluri announced that AI is speeding up vulnerability discovery and that Microsoft is using multi-model agentic scanning harness (MDASH) to surface bugs faster across the Windows codebase.

“We continue to evolve our internal systems and practices so that vulnerability discovery is not treated as a separate activity, but as part of how we build, review, and improve Windows before new features or updates are released,” Davuluri said.

On the July 2026 Patch Tuesday, Adobe released fixes for 88 vulnerabilities, including critical bugs in ColdFusion, Commerce, Experience Manager, and Illustrator.

Related: SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud

Related: Microsoft Patches Defender ‘RoguePlanet’ Vulnerability

Related: Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns

Related: Palo Alto Networks Patches 13 Vulnerabilities