What happened
Microsoft released its July 2026 Patch Tuesday update, fixing a record-breaking 622 vulnerabilities (CVEs), making it the largest Patch Tuesday release in the company’s history. The surge follows comments made in May by Microsoft Vice President of Engineering Tom Gallagher, who warned that AI-assisted vulnerability discovery would significantly increase the number of flaws requiring fixes.
Among the vulnerabilities addressed are three zero-day flaws, including two that are already being actively exploited. These include CVE-2026-56155, an elevation of privilege vulnerability affecting Active Directory Federation Services, and CVE-2026-56164, another elevation of privilege flaw impacting SharePoint Server. The third zero-day, CVE-2026-50661, affects Windows BitLocker and could allow attackers with physical access to bypass device encryption.
The update also includes more than 60 critical vulnerabilities across Windows, Microsoft Office, Edge, SharePoint Server, Exchange Server, Microsoft Defender, Copilot, and other Microsoft products.
Who is affected
Organizations running Microsoft products are impacted, particularly those using Windows, Active Directory Federation Services, SharePoint Server, Exchange Server, Microsoft Office, Microsoft Defender, and Copilot.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already added the two actively exploited zero-days to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate them within days. Private-sector organizations should also prioritize these vulnerabilities due to the elevated risk of active exploitation.
Why CISOs should care
The record number of vulnerabilities highlights a growing operational challenge rather than simply a larger patch workload. Security experts, including Josh Taylor of Fortra, Jack Bicer of Action1, Satnam Narang of Tenable, and Mayuresh Dani of Qualys Threat Research Unit, emphasized that effective prioritization is becoming more important than patch volume itself.
Several of the highest-risk vulnerabilities include remote code execution flaws, privilege escalation bugs, and a virtual machine escape vulnerability. Experts also noted that AI is accelerating exploit development, reducing the time defenders have to respond. As a result, relying solely on CVSS scores is no longer sufficient. Organizations should combine exploit intelligence, asset criticality, and business context when determining patch priorities.
3 practical actions
- Prioritize actively exploited zero-day vulnerabilities and internet-facing systems before addressing lower-risk patches.
- Use multiple risk indicators, including CISA’s Known Exploited Vulnerabilities catalog and exploit prediction models, instead of relying only on CVSS scores.
- Strengthen asset inventory and centralized patch management processes to accelerate testing, deployment, and verification of critical security updates.

