Microsoft has just delivered its most extensive Patch Tuesday release to date, a monumental update addressing a staggering 622 vulnerabilities. Among these, two critical zero-day flaws are already being actively exploited by attackers, demanding immediate attention from IT professionals worldwide. This unprecedented volume, more than triple June’s previous high, underscores a heightened threat landscape and the continuous cat-and-mouse game between defenders and malicious actors.
Critical Zero-Days Demand Immediate Attention
The most pressing concerns in this record-setting update are two elevation-of-privilege vulnerabilities that are currently under active exploitation. These aren’t the “splashy” remote code execution (RCE) flaws often highlighted, but their impact on core identity and collaboration infrastructure makes them exceptionally dangerous. Microsoft credits incident responders for their discovery, indicating these bugs were found in the wild.
SharePoint Server: An Unauthenticated Privilege Escalation (CVE-2026-56164)
The first critical flaw, CVE-2026-56164, affects on-premises SharePoint Server. This vulnerability allows an unauthenticated attacker to escalate privileges over the network without requiring any credentials or user interaction. Its discovery by Mandiant’s incident responders and Google‘s FLARE team strongly suggests active exploitation, though Microsoft has not disclosed specific details about the attacks or perpetrators.
For organizations running self-hosted SharePoint, patching this vulnerability is paramount. The urgency is further amplified by the fact that SharePoint Server 2016 and 2019 have reached the end of extended support, meaning no paid ESU program is available as a fallback. Beyond patching, Microsoft advises enabling AMSI in Full Mode on the server to mitigate potential attacks. SharePoint has historically been a prime target for attackers, a trend that continues unabated.
Active Directory Federation Services (AD FS): Local Privilege Escalation (CVE-2026-56155)
The second actively exploited zero-day, CVE-2026-56155, impacts Active Directory Federation Services (AD FS). This flaw enables an already-authenticated attacker to elevate privileges locally through weak access controls. While labeled “local,” its significance should not be underestimated. AD FS is the cornerstone for signing authentication tokens across an enterprise, making any compromise of this system a severe risk. Microsoft’s own DART incident-response unit discovered this vulnerability, though details on the specific privileges granted or attack methods remain undisclosed.
It’s crucial to note that neither of these CVEs was listed on CISA’s Known Exploited Vulnerabilities catalog at the time of writing, despite Microsoft’s internal exploitability rating confirming active exploitation. Security teams should not wait for external validation; immediate patching is essential. Furthermore, the SharePoint bug’s relatively low severity rating serves as a stark reminder that the severity score alone doesn’t always reflect the true risk posed by actively exploited vulnerabilities.
Other Notable Vulnerabilities and Key Updates
BitLocker Bypass: A Physical Access Threat (CVE-2026-50661)
A third zero-day, CVE-2026-50661, was publicly disclosed but is not currently under active attack. This BitLocker bypass requires physical access to the device, making it less of an immediate remote emergency. While it doesn’t jump the queue for urgent patching, it continues a trend of BitLocker bypasses seen throughout the year and should be addressed in due course.
SharePoint JWT Authentication Bypass and Upcoming RCE (CVE-2026-55040)
SharePoint also received another significant fix for CVE-2026-55040, a JWT authentication bypass disclosed by Rapid7 Labs. While Rapid7 rated it medium severity (5.3), ZDI classified it as Critical (9.1). The consensus, however, is on its functionality: Rapid7 demonstrated chaining this bypass with a separate remote code execution (RCE) bug to achieve unauthenticated RCE. Crucially, the RCE component of this chain is not yet patched and is slated for an August fix. This July update, therefore, is vital in breaking the chain and preventing future exploitation.
Kerberos RC4 Hardening: A Potential Authentication Minefield
This Patch Tuesday also marks the culmination of Microsoft’s multi-year effort to harden Kerberos RC4. The July rollout permanently removes the RC4DefaultDisablementPhase rollback switch, meaning RC4 will now only function for accounts explicitly configured to allow it. This change carries a significant risk: any service account still requesting RC4 Kerberos tickets could experience authentication failures immediately after the update.
To avoid service disruptions, a meticulous audit is required before patching. Utilize the RC4 audit events introduced by Microsoft in January to identify affected service accounts. Subsequently, rotate the passwords for these flagged accounts to ensure Windows generates AES keys. Only then should the update be applied. Password rotation addresses accounts lacking AES keys; however, any system hard-pinned to RC4 by configuration or legacy clients will require specific remediation prior to the update. Skipping this audit won’t necessarily lead to a breach, but it could lead to critical system outages.
Why a “Quiet” Month Set a Record
Historically, July is one of Microsoft’s quieter months for security updates, making this record-breaking release particularly noteworthy. Windows alone accounts for 416 of the 622 CVEs, and ZDI reports 95 remote code execution bugs across the entire release. This unusually high volume underscores the relentless pace of vulnerability discovery and the critical importance of staying vigilant with patching cycles.
For more details, visit our website.
Source: Link










Leave a comment