Microsoft's July 2026 Patch Tuesday release is the largest in the company's history, addressing between 570 and 622 vulnerabilities across its product ecosystem. The update is critically important for defenders, as it includes patches for two zero-day vulnerabilities confirmed to be under active exploitation in the wild. The first, CVE-2026-56155, is a privilege escalation flaw in Active Directory Federation Services (AD FS). The second, CVE-2026-56164, is a privilege escalation vulnerability in Microsoft SharePoint Server. Both have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, signifying a high and immediate risk. Organizations are strongly urged to prioritize the patching of these two vulnerabilities, followed by the numerous other critical flaws addressed in this historic update.
The two actively exploited zero-days present significant risks to enterprise environments.
The patches cover a vast range of Microsoft products, including but not limited to:
Microsoft has confirmed that both CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint) are being actively exploited in the wild. CISA has added both to its KEV catalog, with patching deadlines of July 28, 2026, for the AD FS flaw and a more urgent July 17, 2026, for the SharePoint flaw, underscoring the imminent threat.
A successful exploit of CVE-2026-56155 could be catastrophic for an organization. Compromise of AD FS is equivalent to handing over the "keys to the kingdom," allowing an attacker to impersonate any user and access any federated service, including cloud resources in Azure AD. This could facilitate ransomware deployment, widespread data exfiltration, and persistent, hard-to-detect access.
Exploitation of CVE-2026-56164 on an internet-facing SharePoint server provides an attacker with an initial foothold and elevated privileges within the corporate network. This access can be used to steal sensitive data stored on SharePoint or serve as a launchpad for further lateral movement and attacks on other internal systems.
The following patterns may help identify vulnerable or compromised systems:
AD FS Tracing/Debug LogsSharePoint ULS LogsPOST /_api/web/w3wp.exew3wp.exe worker process for unusual child processes, network connections, or file modifications.Security teams should focus on both identifying vulnerable systems and detecting active exploitation.
CVE-2026-56155 and CVE-2026-56164.powershell.exe, cmd.exe) from the w3wp.exe (SharePoint) or Microsoft.IdentityServer.ServiceHost.exe (AD FS) processes. Utilize Process Analysis (D3-PA) to baseline normal behavior.CVE-2026-56164) has the tightest CISA deadline and should be addressed first.Applying the security patches released by Microsoft is the primary and most effective mitigation against these vulnerabilities.
Implement comprehensive logging and auditing for AD FS and SharePoint servers to detect and investigate potential exploitation activity.
Restrict network access to AD FS and SharePoint management interfaces to only authorized administrative subnets to reduce the attack surface.
Apply recommended hardening configurations, such as enabling AMSI integration for SharePoint, to provide an additional layer of defense.
Microsoft releases its July 2026 Patch Tuesday update.
CISA adds CVE-2026-56155 and CVE-2026-56164 to its KEV catalog.
CISA deadline for federal agencies to patch CVE-2026-56164.
CISA deadline for federal agencies to patch CVE-2026-56155.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.