Skip to main content
Home/Blog/Microsoft Just Patched 622 Vulnerabilities in One Day. Two Were Already Used Against You.
Cybersecurity

Microsoft Just Patched 622 Vulnerabilities in One Day. Two Were Already Used Against You.

July 2026 Patch Tuesday broke every record. Here's what business leaders need to know about the two actively exploited zero-days targeting your identity infrastructure right now.

July 16, 2026·7 min read

Microsoft released its July 2026 Patch Tuesday update on July 15, and the number is hard to wrap your head around: 622 vulnerabilities patched in a single update. That's more than triple June's total — which itself set a record at the time.

But here's the number that should actually concern you: 2.

Two of those vulnerabilities are already being actively exploited by attackers right now. Both of them live inside your identity infrastructure — the part of your systems that decides who gets access to what.

If you run Microsoft technology in your business (and statistically, you do), this is not a "monitor and patch when convenient" situation. This is a now.

What Got Hit: Your Identity Foundation

The two actively exploited vulnerabilities are:

CVE-2026-56164 — SharePoint Server Elevation of Privilege. This one is particularly dangerous because it requires no credentials at all. An unauthenticated attacker — anyone who can reach your SharePoint server over the network — can use this flaw to gain elevated privileges. No password, no account, no user interaction required. Microsoft's own incident response team discovered it while working a real-world attack. SharePoint is your collaboration platform. Contracts, HR documents, project files, financial data — it's all there.

CVE-2026-56155 — Active Directory Federation Services Elevation of Privilege. ADFS is the plumbing behind single sign-on. It's the system that lets your employees log in once and access Microsoft 365, Salesforce, your cloud applications, and dozens of other tools. An attacker who can reach an ADFS server can exploit this flaw to escalate from a standard user account to full administrator access. Microsoft's Detection and Response Team (DART) found this one during active incident response — meaning they found it because it was being used in a real attack.

Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, which sets mandatory patch deadlines for federal agencies. Civilian organizations don't face that mandate — but the same attackers targeting federal systems also target businesses.

Why 622 Vulnerabilities Should Worry You Beyond the Patches

The volume here isn't just a headline. It signals something bigger.

Microsoft's June 2026 Patch Tuesday was itself a record at 206 CVEs. July tripled that. Security researchers have directly credited AI-driven vulnerability discovery tools for the surge — automated systems are finding flaws faster than the industry has ever seen before. What took a team of researchers months now takes hours.

This creates a structural problem for every organization:

The patch window is shrinking. Historically, organizations had days or weeks between a vulnerability disclosure and active exploitation. That window is compressing. Attackers are running the same AI tools, and they're working fast.

The patch backlog is growing. Your IT team can't absorb 622 patches in a month while running everything else. Neither can any team. Prioritization has become existential — and if your organization doesn't have a structured, risk-based approach to patching, you're flying blind.

End-of-support products become liability. SharePoint Server 2016 and 2019 both reached end-of-extended-support on July 14, 2026 — the day before this patch dropped. Organizations still running those versions received the patch, but going forward, they'll receive no more. They're running software that Microsoft no longer actively secures, and attackers know exactly which versions are out of support.

What This Means If You Run On-Premises Infrastructure

Cloud-only organizations have a different risk profile here. If your SharePoint is SharePoint Online (Microsoft 365), Microsoft patches it on your behalf. The actively exploited CVEs affect on-premises SharePoint Server specifically — the version organizations host themselves.

If you're running on-premises SharePoint or ADFS, these questions matter today:

Is your SharePoint Server patched? Not scheduled to be patched — actually patched. CVE-2026-56164 requires no authentication, which means the exposure starts the moment an attacker finds your server. Internet-facing instances are highest risk, but internal-only servers aren't immune if an attacker has already established a foothold elsewhere in your environment.

What version are you running? If you're on SharePoint 2016 or 2019, you need a migration plan. Not a someday plan — a dated, budgeted, prioritized plan. Every month you delay is a month of compounding vulnerability exposure on unsupported software.

Do you have visibility into your ADFS environment? Most organizations deploy ADFS and then forget about it. It just works — until it doesn't. If your ADFS servers aren't in your regular patch and monitoring rotation, they're a blind spot attackers are counting on.

The Broader Pattern

This Patch Tuesday isn't an anomaly. It's the new baseline.

AI is accelerating vulnerability research on both sides of the equation — defenders are finding more flaws faster, and attackers are weaponizing them faster. The result is a patching environment where reactive approaches fail. If your security posture is "patch when we get around to it," the math has changed.

Organizations that survive this environment share a common characteristic: they treat patching as a continuous business process, not an IT chore. They know what systems they're running, which are exposed, and they have a defined risk tolerance that drives prioritization.

Those that don't tend to learn the hard way — usually when a CISA KEV listing becomes a forensic report.

Three Questions for Your Team This Week

If you want to pressure-test your exposure right now, start here:

1. Are any of your SharePoint Server or ADFS instances internet-facing, or accessible from outside your primary network perimeter? 2. Are CVE-2026-56164 and CVE-2026-56155 in your patched status as of today — not just in the queue, but confirmed applied? 3. Do you have a documented process for triaging CISA KEV additions within 72 hours?

If the honest answer to any of those is "I'm not sure" — that's the gap. And right now, it's an actively exploited gap.

TrustPoint Cyber works with businesses to build the frameworks that turn patch management from a fire drill into a controlled, risk-based process. If your team is overwhelmed by the current environment, that's worth a conversation.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.