Microsoft Patch Tuesday July 2026: 570 Flaws, Two Actively Exploited Zero-Days in AD FS and SharePoint
On 14 July 2026, Microsoft issued the largest security update in company history — a Patch Tuesday that patched approximately 570 vulnerabilities across Windows, Office, Azure, and enterprise server products. Buried inside that record-breaking release are two flaws that are already being actively exploited in the wild: one targeting the identity backbone of on-premises Microsoft environments, and another silently walking unauthenticated attackers into SharePoint servers across Indian enterprises and global organisations alike. If your team has not already prioritised these patches, you are operating with an open door.
- Microsoft’s July 2026 Patch Tuesday addressed ~570 CVEs — more than triple the previous month and the highest single-month count on record.
- CVE-2026-56155 (AD FS, CVSS 7.8) is being actively exploited and was discovered by Microsoft’s own incident-response team, indicating it has already hit real organisations.
- CVE-2026-56164 (SharePoint Server, CVSS 5.3) is also under active exploitation; its deceptively low score masks network-accessible, no-authentication-required privilege escalation.
- Both CVEs were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on 14 July 2026.
- Microsoft credited AI-assisted internal security testing as a key driver of the dramatic CVE volume surge — expect record-sized patches to continue.
- Federal agencies under BOD 26-04 face mandatory remediation deadlines; best practice is to treat the same urgency regardless of sector.
A Record-Breaking Release: The Numbers Behind July 2026 Patch Tuesday
To appreciate the scale of yesterday’s release, some context: Microsoft’s June 2026 Patch Tuesday addressed approximately 200 vulnerabilities — itself a sizeable monthly drop. July’s release, at roughly 570 CVEs, represents more than a tripling of that figure in a single month. Analysts at Tenable, BleepingComputer, and the Zero Day Initiative have all characterised this as unprecedented in Microsoft’s patching history.
Why the sudden explosion in CVE count? Microsoft acknowledged in a parallel blog post that advances in AI-assisted vulnerability discovery are now enabling internal security engineers to identify and close security issues before external threat actors can weaponise them. The implication: as AI tooling accelerates internal auditing, these large batches are likely to become the new normal. For IT and security teams, that means monthly patch cycles must be treated with greater rigour — the days of leisurely three-week patch windows are over.
Of the ~570 CVEs, security researchers at the Zero Day Initiative classified 63 as Critical severity. Three were zero-days — two actively exploited in the wild, and one publicly disclosed before a patch was available. The two being actively abused are the ones demanding your immediate attention.
The Two Zero-Days Under Active Exploitation
Both actively exploited vulnerabilities were added to CISA’s KEV catalog on 14 July 2026. US federal civilian agencies have binding deadlines to remediate KEV entries; private-sector organisations should treat the same urgency as a benchmark for their own response timelines.
CVE-2026-56155 — Active Directory Federation Services (AD FS): The Identity Backbone Attack
CVSS Score: 7.8 (Important) | Type: Elevation of Privilege
This is the more technically alarming of the two. CVE-2026-56155 stems from insufficient granularity of access control on the Distributed Key Manager (DKM) container in Active Directory — the container that stores the private keys used to sign and encrypt AD FS authentication tokens.
In plain terms: an attacker who has already established a foothold inside your network — even as an ordinary domain user — can read DKM material from Active Directory and reconstruct the private keys that AD FS uses to authenticate users. With those keys in hand, the attacker can forge valid authentication tokens for any user in your organisation, granting them seamless access to every application, cloud service, and on-premises system that trusts your AD FS farm: Office 365, Azure, Salesforce, SAP — anything federated through your identity provider.
Critically, this vulnerability was discovered and reported by Jeremy Kingston and Scott Clark of Microsoft’s Detection and Response Team (DART) — Microsoft’s own incident response unit. That attribution is a significant signal. DART does not typically discover vulnerabilities in a lab; they find them while actively investigating breaches at customer organisations. The public disclosure almost certainly means this path has already been used against real enterprise targets.
Microsoft’s patch introduces automated ACL monitoring: after applying the update and restarting the AD FS service, the system checks the DKM container’s access control list at startup and every 24 hours thereafter, logging Event ID 1132 if an insecure configuration is detected. Administrators should verify this event is not firing in their environment post-patching.
CVE-2026-56164 — Microsoft SharePoint Server: No Authentication Required
CVSS Score: 5.3 (Moderate) | Type: Elevation of Privilege (via missing authentication)
Do not let the Moderate CVSS rating lull you into complacency. Microsoft’s own description of CVE-2026-56164 reads: “Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.” The attack vector is network-accessible and requires zero authentication — an unauthenticated, remote attacker can send a crafted POST request to an on-premises SharePoint Server and elevate their privileges on the system.
This is already being exploited in the wild. Affected versions include SharePoint Server 2016, 2019, and the Subscription Edition. Microsoft notes that AMSI (Antimalware Scan Interface) integration can detect the malicious POST requests — making proper endpoint protection configuration a meaningful defence-in-depth measure even before patching is complete.
SharePoint Server remains widely deployed across India’s banking, insurance, government, and manufacturing sectors as a document management and intranet backbone. If your organisation runs on-premises SharePoint — or if any of your clients do — this is a patch-now, no-exceptions situation.
| CVE | Product | CVSS | Type | Auth Required | Exploited | CISA KEV |
|---|---|---|---|---|---|---|
| CVE-2026-56155 | AD FS | 7.8 | EoP (token-key theft) | Local / Authenticated | Yes | Yes |
| CVE-2026-56164 | SharePoint Server | 5.3 | EoP (no-auth, network) | None | Yes | Yes |
| CVE-2026-50661 | Windows BitLocker | — | Security Bypass | Physical | No (disclosed) | No |
The Zero-Trust Lens: When Your Identity Provider Becomes the Attacker’s Foothold
CVE-2026-56155 is a textbook example of why identity infrastructure must be treated as the highest-value attack surface in any modern enterprise architecture. In a zero-trust model, identity is the new perimeter: it is the control plane that determines what users and devices can access, regardless of network location. When an attacker can forge AD FS tokens, they bypass every downstream access control — firewalls, conditional access policies, MFA prompts — because the identity assertion itself is now compromised.
This mirrors the pattern we saw with the Storm-2603 SharePoint RCE campaign earlier this month, where initial access to SharePoint was rapidly leveraged into broader domain compromise. The lesson is consistent: attackers follow the identity chain. Compromise the perimeter, then pivot to identity. Compromise identity, and the perimeter no longer matters.
For organisations that have deployed FortiGate-based network segmentation, CVE-2026-56155 is a reminder that perimeter controls must be paired with robust identity hygiene: tight ACLs on AD containers, privileged access workstations for AD FS administration, and continuous monitoring for anomalous token issuance patterns.
What You Should Do Right Now: Sanjay Seth’s Recommended Response
Having spent over three decades responding to enterprise security incidents — including several involving compromised identity infrastructure — here is the prioritised response framework I would apply to this Patch Tuesday:
- Apply the July 2026 Patch Tuesday updates immediately. Prioritise AD FS servers, SharePoint Servers, and any Windows Server running Hyper-V. Do not wait for your next maintenance window — active exploitation is underway. Schedule emergency change-control if needed.
- Audit your AD FS DKM container ACLs. After applying the patch, restart the AD FS service and check Windows Event Viewer for Event ID 1132. If it fires, an insecure ACL has been detected on your DKM container — engage your AD team immediately to remediate the ACL and rotate token-signing certificates.
- Rotate AD FS token-signing and token-encryption certificates. If you cannot determine whether your AD FS environment has been accessed by unauthorised principals since the vulnerability was introduced, assume compromise and rotate. This will force re-federation for all relying parties — plan accordingly.
- Enable AMSI on SharePoint Servers. CVE-2026-56164 can be partially mitigated through AMSI integration, which scans incoming POST requests for malicious payloads. This is not a substitute for patching but buys time and provides detection coverage.
- Review SharePoint access logs for anomalous POST patterns. Look for unusual or unexpected privileged operations originating from unauthenticated or low-privilege contexts in the days preceding your patch deployment.
- Validate your third-party identity integrations. Any application or cloud service that trusts your AD FS farm for authentication should be reviewed for unauthorised access during the window between vulnerability introduction and patching.
- Plan for monthly record-patch cycles. Microsoft’s AI-assisted discovery programme means 570-CVE months may become routine. Your patch management process needs to handle volume — consider risk-based triage tooling to accelerate prioritisation.
For SOC teams: write detection rules for Event ID 1132 on AD FS servers, and alert on any new token-signing certificates being added to your AD FS farm configuration. Tenable’s detailed Patch Tuesday analysis and the BleepingComputer writeup are solid references for your vulnerability management team.
Frequently Asked Questions
Am I vulnerable to CVE-2026-56155 if I use Azure AD (Entra ID) for identity instead of on-premises AD FS?
If your organisation has fully migrated to Microsoft Entra ID (cloud-only identity), you are not directly exposed to CVE-2026-56155, which affects the on-premises AD FS role. However, hybrid environments that use AD FS to bridge on-premises Active Directory with cloud services remain vulnerable and should patch urgently. If you are unsure whether your environment uses AD FS, check with your identity team — many organisations that believe they are “cloud-only” still run AD FS for legacy application federation.
CVE-2026-56164 is rated CVSS 5.3 (Moderate). Can we defer it to our next monthly window?
No. CVSS scores measure the intrinsic characteristics of a vulnerability, not the real-world threat level. CVE-2026-56164 has a deceptively low score because CVSS’s base scoring weights the impact component against the scope of a single compromised system. In practice, this flaw allows an unauthenticated attacker to elevate privileges over a network against one of the most widely-deployed collaboration platforms in enterprise. It is already being exploited, and CISA has placed it on the KEV list. Treat it as Critical for your response timeline.
We run SharePoint Online (Microsoft 365), not on-premises SharePoint. Are we affected by CVE-2026-56164?
Microsoft 365 / SharePoint Online is a cloud-hosted service and Microsoft has already applied the necessary updates on the backend — you have no on-premises servers to patch. CVE-2026-56164 specifically affects SharePoint Server 2016, 2019, and the Subscription Edition running on-premises infrastructure you manage. However, if you are running a hybrid SharePoint deployment, verify the on-premises components are patched.
What is the significance of CVE-2026-56155 being discovered by Microsoft’s DART team?
Microsoft DART (Detection and Response Team) is the unit that responds to customer breaches. Unlike a lab-based research finding, a DART-attributed vulnerability discovery typically means the team encountered this technique during an active incident response engagement. In other words, there is a high probability that at least one organisation has already been breached via this precise attack path. The public disclosure is Microsoft’s way of protecting the broader ecosystem after the fact. Treat it accordingly.
Microsoft’s July 2026 Patch Tuesday is not a routine monthly update — it is a landmark security event with real-world exploits already underway. The combination of a compromised identity infrastructure path and a no-authentication SharePoint privilege escalation represents exactly the kind of multi-vector exposure that turns a single unpatched server into a full organisational breach.
If your organisation needs help assessing your AD FS posture, SharePoint security configuration, or broader patch management programme — particularly in the context of a zero-trust architecture — I would be glad to help. With 30+ years of enterprise security experience across Indian and global organisations, P J Networks has the depth to assess your current exposure and build a hardened, resilient identity infrastructure. Reach out for a security assessment.