# Microsoft's Largest Patch Tuesday Addresses Over 600 Vulnerabilities, Including Active Zero-Day Exploits

*Published July 17, 2026*
*Source: [https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html](https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html)*

## Executive Summary

Microsoft has released its largest-ever Patch Tuesday update, fixing 622 vulnerabilities, including two zero-day exploits actively targeted by attackers. The update emphasizes the need for prioritizing patches based on exploitability rather than severity scores.

## Article

Microsoft has released its most extensive Patch Tuesday update to date, addressing 622 vulnerabilities, including two zero-day exploits actively targeted by attackers. This update surpasses previous records and includes critical fixes for elevation-of-privilege flaws in key systems like SharePoint Server and Active Directory Federation Services. These flaws, identified as CVE-2026-56164 and CVE-2026-56155, pose significant risks despite not being flashy remote code execution vulnerabilities. CVE-2026-56164 allows unauthenticated attackers to escalate privileges remotely on SharePoint Server, a crucial document storage system. The flaw was discovered by Mandiant and Google's FLARE team in active attacks, emphasizing the urgency of patching, especially as certain SharePoint Server versions reach the end of support. Additionally, enabling AMSI in Full Mode can mitigate some attack vectors.

CVE-2026-56155 affects Active Directory Federation Services, where authenticated users can elevate privileges locally due to weak access controls. This flaw, detected by Microsoft's DART team, is critical as it impacts the system responsible for signing tokens across trusted networks. Despite its local label, the risk it carries makes it a priority for immediate remediation. Neither of these vulnerabilities has yet appeared in CISA's Known Exploited Vulnerabilities catalog, but Microsoft's exploitability ratings confirm their active exploitation.

Beyond these zero-days, Microsoft also addressed other issues, such as a BitLocker bypass vulnerability, CVE-2026-50661, which requires physical device access and is not currently exploited. Furthermore, a JWT authentication bypass in SharePoint, CVE-2026-55040, was disclosed by Rapid7 and could be chained with other vulnerabilities to execute unauthenticated remote code execution. This update also concludes Microsoft's efforts to harden Kerberos RC4, which will now only function for accounts explicitly configured to accept it, requiring administrators to audit and update their configurations accordingly.

The vast number of vulnerabilities underscores the need for organizations to prioritize patches based on exploitability rather than severity scores alone. With advancements in AI helping Microsoft identify more flaws, the need for swift and informed patch management has never been more critical.
