Microsoft shipped patches for 622 vulnerabilities on July 14, the largest single Patch Tuesday release in the program’s history. Two of those bugs were already being exploited in the wild before the fixes existed, one in SharePoint Server and one in Active Directory Federation Services (AD FS), the service that signs login tokens across an organization. Neither one needed a password to work.
Both carry mid-tier scores under Microsoft’s own severity system, 5.3 and 7.8 out of a possible 10. Security teams that sort this month’s patch queue by score alone will fix the wrong things first.
Two Mid-Tier Scores Are Under Live Fire Right Now
CVE-2026-56164 hits on-premises SharePoint Server, covering SharePoint Server 2016, 2019 and the Subscription Edition. Microsoft classifies it under CWE-306, missing authentication for a critical function. No credentials, no user interaction, exploitable remotely. An attacker who can reach the server over a network can jump straight to elevated privileges without ever logging in.
Microsoft’s own advisory assigns the bug a 5.3 severity score, labeled Moderate. The second live bug sits in AD FS, the Microsoft component that provides single sign-on and acts as a trust broker between an organization’s Active Directory and every application connected to it. Microsoft credited the discovery to Jeremy Kingston and Scott Clark of the company’s Detection and Response Team (DART), its incident-response unit, a detail suggesting the bug turned up during a live intrusion rather than routine research. The official advisory rates the flaw 7.8 and describes an authenticated attacker elevating privileges locally. AD FS issues and signs the tokens every connected app trusts, so administrator access there lets an attacker forge tokens and impersonate anyone across the federated estate, no second login required.
| Vulnerability | Product | Microsoft’s Score | Status | Federal Deadline |
|---|---|---|---|---|
| CVE-2026-56164 | SharePoint Server 2016, 2019, Subscription Edition | 5.3 (Moderate) | Actively exploited | July 17, 2026 |
| CVE-2026-56155 | Active Directory Federation Services | 7.8 (Important) | Actively exploited | July 28, 2026 |
| CVE-2026-55040 | SharePoint Server (JWT bypass) | 5.3 per Rapid7, 9.1 per ZDI | Breaks a chain toward an August RCE fix | Not on KEV |
| CVE-2026-50661 | Windows BitLocker | 6.1 (Important) | Publicly disclosed, not exploited | Not on KEV |
Two more SharePoint bugs sit at the opposite end of the scoreboard, CVE-2026-50522 and CVE-2026-58644, both scored 9.8 and both reachable without a password. Neither had a confirmed live victim when the patches shipped. The bugs everyone is actually fighting right now scored lower.
Why a 5.3 Score Undersold an Active Attack
Common Vulnerability Scoring System (CVSS) numbers freeze at the moment of publication. The scoring model measures theoretical severity under lab conditions, and it does not update automatically once real exploitation is confirmed later. That is how a 5.3 label and a credential-free, remote, already-active attack end up on the same advisory.
Automox’s July patch analysis put it directly.
Moderate severity and active exploitation are not the same thing. Don’t let the 5.3 talk you out of prioritizing it.
The Cybersecurity and Infrastructure Security Agency (CISA) reached a similar conclusion after studying the attack pattern. Investigators found attackers chaining old SharePoint bugs to steal IIS keys, establishing persistence on compromised servers and deploying malware. CISA added the SharePoint flaw to its Known Exploited Vulnerabilities (KEV) catalog on July 14, the same day the patch shipped, and gave federal civilian agencies until July 17 to fix it. The AD FS bug got until July 28. The National Vulnerability Database’s own assessment of the SharePoint flaw landed at 9.8, in the Critical band, a full four points above Microsoft’s number.
Patch Day Has Become Exploit Wednesday
Patching used to buy a few days of cover. Once Microsoft ships a fix, attackers can compare the new code against the previous build, isolate the exact line that changed, and build a working exploit before most security teams finish testing the patch. That shrinks the old cushion of a safe week into what researchers are now calling Exploit Wednesday.
It also breaks severity-based triage outright. With more than 600 CVEs landing in a single release and dozens scored Critical, the word stops functioning as a sorting tool. Jack Bicer, director of vulnerability research at Action1, told Dark Reading the growing volume is not the real challenge. “The real triage problem this month is the mix of exploited issues, a publicly disclosed BitLocker flaw, and a massive concentration of vulnerabilities in Windows and Office,” he said.
For teams working through the backlog this week, four moves matter more than the rest of the list:
- Patch SharePoint first – push the fix to every on-premises instance with internet exposure, and turn on AMSI in Full Mode as a stopgap wherever a maintenance window is still pending.
- Treat AD FS with equal urgency – DART’s involvement and the token-forging blast radius put it on par with the SharePoint bug, whatever the four-point score gap suggests.
- Isolate SharePoint 2016 and 2019 if migration is not immediate – pull those farms off direct internet exposure and add firewall rules until they can move to the Subscription Edition.
- Audit before installing the Active Directory update – check domain controller logs for old encryption use and reset any flagged service account password first.
None of this is optional busywork. It is the difference between closing the hole this week and finding out about it during an incident next month.
SharePoint’s Sunset Collides With a Kerberos Deadline
SharePoint Server 2016 and 2019 reached end of extended support on July 14, the same day this patch shipped. No further security fixes will arrive for either version, no matter what turns up next. Organizations that cannot move to the Subscription Edition right away are being told to pull those servers off the open internet and rely on firewall isolation instead.
Microsoft’s support calendar is not uniform across its catalog. The company separately extended free Windows 10 security updates to October 2027, a far longer runway than it gave this on-premises server line.
The same update finishes a quieter change that has nothing to do with an attacker. Kerberos is the authentication protocol behind Active Directory logins, and RC4 is the older, weaker encryption option it has long supported. Microsoft began phasing it out in January with audit logging for every RC4-dependent login. April brought AES-only defaults for accounts missing a modern encryption type. July 14 removes the rollback registry key entirely, and there is no reverting once the update installs.
Service accounts still running on RC4 only, typically ones nobody ever reset with modern encryption, will start failing authentication the moment the update lands, throwing failure code 0x19 on event ID 4769. That looks like broken SQL Server links, failed application-pool logins and PowerShell remoting errors, not a security incident. The fix order matters: audit domain controller logs for old ticket encryption first, reset the flagged accounts, then install the update. Doing it backward means finding out at 2 a.m.
The Same Fingerprint as Last Year’s ToolShell Breach
CISA’s investigators recognized the technique. Attackers chaining old and new SharePoint bugs to steal IIS machine keys is the same mechanical fingerprint as the ToolShell campaign that tore through unpatched servers in the summer of 2025, when state-linked hacking groups and a ransomware crew exposed over 100 organizations worldwide across finance, healthcare, government and energy.
SharePoint has not stopped being a target since. This release adds a second live concern on top of the two zero-days: CVE-2026-58644, a deserialization flaw scored 9.8, which Microsoft updated on July 15, a day after shipping, to confirm exploitation had also been detected in the wild.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, called the release “the mother of all releases” in a blog post, adding, “To call this record-breaking is an understatement.”
How Many CVEs Did Microsoft Patch?
Depends which tracker is asked. Microsoft’s own Security Update Guide counts 622 unique CVEs for July. The Zero Day Initiative counted 621 independently. Two trackers that published earlier in the day landed lower, at 570 and 569, because their initial snapshots excluded Microsoft fixes issued earlier in July for cloud products like Copilot and Exchange Online.
- Microsoft’s Security Update Guide: 622 unique CVEs, the figure most outlets ultimately settled on as the official count.
- The Zero Day Initiative: 621, a near match using its own independent tracking methodology.
- Early trackers including Tenable: 569 to 570, both published before the fuller tally that folded in earlier-month cloud fixes.
One an initial record of 570 flaws, tracking BleepingComputer’s first count, moved once the Security Update Guide filled in. Tenable’s own research team initially logged 569 CVEs for July using that same earlier snapshot. The gap is bookkeeping, not disagreement about the danger. Every version of the count still puts July’s release at more than triple June’s total of roughly 200.
622 Is Now the Floor for Patch Tuesday
Microsoft called this five days early. On July 9, Pavan Davuluri, the company’s executive vice president for Windows and Devices, warned of permanently larger security releases, crediting an AI system for the shift.
That system is MDASH, Microsoft Security’s multi-model agentic scanning harness. More than 100 specialized AI agents build attack-surface models of the codebase, a second set of agents debates whether each finding is genuinely exploitable, and a proving pipeline constructs working triggers before anything reaches a human engineer. It scored 88.45% on the public CyberGym benchmark when it launched in May, then climbed to 96.55% within three weeks. That same month, it surfaced 16 previously unknown Windows bugs on its own, four of them critical. Microsoft has not said how many of July’s 622 came from that pipeline specifically. What it has said is that the pipeline does not pause between cycles.
Cisco engineer Jerry Gamblin ran the numbers a different way. Of more than 35,000 CVEs published across every vendor in the first half of 2026, only 85, a shade under a quarter of one percent, ever showed up on CISA’s KEV catalog. The volume curve has gone vertical. The exploitation curve has not followed it at anywhere near the same pace.
Tenable’s Satnam Narang expects the annual total to keep climbing regardless. He noted Microsoft is on pace to beat the prior full-year record of 1,245 CVEs set in 2020, with 2026’s total potentially clearing 2,000, maybe 3,000. Two numbers inside this month’s 622 did more damage than the rest combined: 5.3 and 7.8, both already being used against real networks before anyone had patched them.








