Tech News

Microsoft Unveils Its Biggest Patch Tuesday Ever with 570 Flaws and 3 Zero-Days

570 security flaws fixed in one go. Here is July 2026 Patch Tuesday: the largest ever released by Microsoft, with nearly three times as many vulnerabilities as the record set last month. Among them are 3 zero-days, including 2 already being exploited in attacks. Here’s what you need to know.

In June, it was already massive, with 200 vulnerabilities fixed by Microsoft updates. One month later, the total reaches 570 vulnerabilities, excluding those patched in Microsoft Edge and Microsoft cloud services. A slip-up? No. Microsoft warned us in advance.

Indeed, a few days ago, the American vendor revisited the use of MDASH, its multi-agent vulnerability discovery system, to analyze Windows code and uncover security flaws. Microsoft also stated that customers should expect a higher volume of security updates. Here is the proof. I also relayed this Microsoft warning in our article Microsoft Warns: AI Will Inflate Your Patch Tuesdays.

First, out of the 570 vulnerabilities patched by Microsoft, 57 are critical, or 10%. The vast majority are considered important flaws (89.5%). Among these vulnerabilities, 250 (43.8%) allow privilege escalation and 144 (25.2%) allow remote code execution. The stage is set.

Of the 57 critical vulnerabilities, 48 allow remote code execution. In fact, 31 are in Windows, 15 in the Microsoft Office suite, and 7 in SharePoint Server. Then there are those clusters of flaws around several products and services that deserve your attention:

In the end, the impact is heavy across Microsoft operating systems: Windows Server 2025 takes 388 vulnerabilities, while Windows 11 is affected by 383 security flaws, and Windows 10 is not far behind.

Three zero-days, including two already exploited

Let’s now look at the three zero-days patched by Microsoft in this Patch Tuesday. Let’s start with the ones already exploited in cyberattacks.

CVE-2026-56155, privilege escalation in AD FS (exploited)

CVE-2026-56155 affects Active Directory Federation Services, which corresponds to the AD FS role, and it allows attackers to obtain admin rights. Microsoft explains: "Insufficient granularity of access control in AD FS allows an authorized attacker to elevate privileges locally". It affects all Windows Server versions still supported by Microsoft.

No details have been shared about how this vulnerability was exploited in cyberattacks. Keep in mind that AD FS is the authentication pivot between on-premise and cloud in hybrid environments, and it has already been involved in attack scenarios, including phishing campaigns spoofing login pages.

CVE-2026-56164, privilege escalation in SharePoint Server (exploited)

The second exploited flaw targets on-premises SharePoint Server: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server SE. It is a security flaw that allows privilege escalation on the vulnerable server.

Regarding this vulnerability, Microsoft states: "The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited over the Internet. The attack complexity is Low (AC:L) because an attacker does not need significant prior knowledge of the system and could successfully exploit this vulnerability multiple times with the payload against the vulnerable component."

This vulnerability is considered moderate. However, it is a remotely exploitable flaw with no authentication required and already used in attacks. And proof that it deserves close attention, CISA added CVE-2026-56164 to its KEV catalog on July 14, 2026, and promptly published a warning urging SharePoint server hardening. A scenario that will bring back bad memories to those who followed the wave of compromises affecting more than 400 SharePoint servers in 2025.

If you cannot patch immediately, Microsoft says that enabling AMSI on the server, combined with the request body inspection mode set to Full, helps mitigate the flaw.

CVE-2026-50661, BitLocker bypass (disclosed)

The third zero-day is a BitLocker bypass, publicly disclosed before the security fix was available, but exploitation has not been confirmed to date. Microsoft says an attacker with physical access to the target could access encrypted data.

The flaw is attributed to an anonymous researcher... But is that researcher really so anonymous? Does this scenario sound familiar? It does to us too. While no official link has been established, it is hard not to think of the ongoing BitLocker saga, after YellowKey and then GreatXML. The anonymous researcher could therefore be Nightmare Eclipse and the flaw the one nicknamed GreatXML (with YellowKey already fixed). The conditional is therefore required, but it is an assumption that seems serious to me.

Kerberos: RC4 is being phased out on your domain controllers

There is one point in this Patch Tuesday that has nothing to do with the CVE count, yet it deserves special attention. The July 2026 updates mark the final phase of the Kerberos hardening Microsoft launched against CVE-2026-20833. This is a vulnerability that allows service tickets encrypted with RC4 to be obtained and then used to crack the service account password offline (in an Active Directory context). In short: Kerberoasting.

The schedule planned by Microsoft has been known since the beginning of the year. It is documented in KB5073381 and unfolds in three steps:

  • January 2026: audit phase. Nine KDCSVC events (201 to 209) appear in the Domain Controllers System log, and the temporary registry value RC4DefaultDisablementPhase makes it possible to anticipate enforcement.
  • April 2026: DefaultDomainSupportedEncTypes switches by default to AES-SHA1 only (0x18) for accounts without an explicit msDS-SupportedEncryptionTypes attribute, with the option to manually revert to audit mode.
  • July 2026: game over, and we are here! Microsoft says that "installing Windows updates released from July 2026 onward will programmatically activate the enforcement phase", and that support for the RC4DefaultDisablementPhase key is removed.

What you need to understand is that the April 2026 update changed the KDC’s default behavior, while the July update only removes the ability to roll back. The behavior does not change for those who already patched in April.

The procedure to identify your dependencies on this change is detailed on the Detect and remediate RC4 usage in Kerberos page, which also provides two PowerShell scripts (List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1) published in Microsoft’s Kerberos-Crypto GitHub repository.

Good luck applying the security updates!

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.