Microsoft’s Record 570-Fix Patch Tuesday Targets Two Actively Exploited Zero-Days — BigGo Finance
Microsoft dropped its largest-ever security update this week, pushing out fixes for roughly 570 vulnerabilities across Windows, Office, SharePoint, and Active Directory Federation Services. The July 14 Patch Tuesday release lands just one month after the company addressed 200 flaws, a dramatic escalation that Microsoft attributes to AI-powered code analysis now scanning decades-old software for weaknesses.
Security teams should move first on two zero-day vulnerabilities that are already being actively exploited in the wild. CISA has added both to its Known Exploited Vulnerabilities catalog, signaling urgency for federal agencies and private-sector organizations alike. A third zero-day affecting BitLocker was publicly disclosed but has not yet been used in attacks, though Microsoft warns that laptops carried outside the office face elevated risk.
The sheer volume of this month’s release marks a turning point. Privilege escalation bugs accounted for 254 of the total, or roughly 44 percent, followed by 145 remote code execution flaws and 102 information disclosure issues. Fifty-nine vulnerabilities carry a Critical severity rating, and 48 can be exploited remotely without user interaction.
The Two Exploited Zero-Days
The first actively exploited flaw, tracked as CVE-2026-56155, lives inside Active Directory Federation Services. A weakness in access control allows a low-privilege local user to escalate to administrator, effectively handing an attacker the keys to the identity federation infrastructure. Microsoft’s Security Update Guide confirms exploitation has been detected, and CISA has placed the bug on its KEV list, which triggers mandatory patching timelines for US government systems.
The second, CVE-2026-56164, takes aim at Microsoft SharePoint Server. A missing authentication check on a critical function means an unauthenticated attacker can escalate privileges over the network. SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition are all affected. Microsoft recommends enabling AMSI and setting Request Body Scan to Full as a stopgap, but stresses that the workaround is not a substitute for applying the patch. CISA has also flagged this vulnerability as under active exploitation in campaigns targeting organizations.
BitLocker Bypass: Physical Access Required
The third zero-day, CVE-2026-50661, is a security feature bypass in Windows BitLocker. An attacker with physical access to a device could potentially reach encrypted data. Microsoft says it has not observed exploitation in the wild and rates the likelihood of attack as low, but the physical-access prerequisite does not eliminate the threat for mobile workforces. The company advises prioritizing this update on laptops and tablets that regularly leave corporate premises.
AI Is Finding Bugs Faster Than Ever
The record-setting patch load did not come out of nowhere. Last week, Windows Executive Vice President Pavan Davuluri published a blog post preparing customers for larger Patch Tuesday releases going forward. “As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release,” Davuluri wrote. He added that Microsoft is updating its Secure Development Lifecycle to account for AI-enabled attack techniques while keeping human experts in the loop for risk-based decisions.
Microsoft has deployed an internal vulnerability detection system called MDASH, which stands for multi-model agentic scanning harness. The tool uses multiple AI models to comb through codebases, some of which date back decades, surfacing flaws that manual review might have missed for years. Adobe and Cisco have also publicly flagged that their update cadence is accelerating for similar reasons, suggesting an industry-wide shift driven by automated code analysis.
Dell Compatibility Snag Delays Updates for Some
Not every machine will receive the July cumulative update on schedule. Dell confirmed that a compatibility conflict between an Intel driver and a new Windows USB-C Connection Manager, first spotted in a June preview update, is still causing reliability and performance problems on certain systems. Microsoft is holding back the Patch Tuesday release for affected PCs running Windows 11 versions 25H2 and 24H2. Windows Server editions are not impacted by the issue. Neither company has provided a timeline for resolution, leaving some Dell users in a holding pattern while the zero-day clock ticks.
What Security Teams Should Do Now
The immediate priority is patching CVE-2026-56155 on AD FS servers and CVE-2026-56164 on SharePoint Server. Both are under active attack and appear on CISA’s KEV catalog, which carries a binding operational directive for federal agencies. Organizations without AD FS or SharePoint in production should still triage the remaining 568 fixes, with special attention to the 59 Critical-rated vulnerabilities and the BitLocker bypass for any device that leaves the building.
Below is a summary of the three zero-day vulnerabilities addressed in the July 2026 Patch Tuesday release:
| CVE Identifier | Affected Component | Impact | Exploitation Status |
|---|---|---|---|
| CVE-2026-56155 | Active Directory Federation Services | Privilege Escalation | Actively Exploited |
| CVE-2026-56164 | SharePoint Server | Privilege Escalation | Actively Exploited |
| CVE-2026-50661 | Windows BitLocker | Security Feature Bypass | Publicly Disclosed, Not Exploited |
For organizations managing large fleets, the Dell compatibility issue adds complexity. Security teams should audit their Windows 11 inventory, identify Dell systems running version 25H2 or 24H2, and determine whether the USB-C Connection Manager driver conflict applies. If the July update is blocked, compensating controls such as network segmentation for SharePoint and AD FS, enabling AMSI, and restricting physical access to BitLocker-protected devices become even more critical until the patch can be applied.
The broader message from Redmond is clear: AI-driven vulnerability discovery is reshaping the patching landscape. Monthly update volumes that once hovered in the double or low triple digits are giving way to releases measured in the hundreds. For defenders, that means faster discovery of threats—but also a heavier operational burden each Patch Tuesday.