Microsoft July 2026 Patch Tuesday: 2 Zero-Days Exploited

Microsoft's July 2026 Patch Tuesday Fixes 570+ Flaws, Two Zero-Days

CRITICAL
July 15, 2026
6m read
Patch ManagementVulnerabilityCyberattack

Related Entities

Organizations

Microsoft CISA MandiantGoogle

CVE Identifiers

CVE-2026-56155
HIGH
CVSS:7.8
CVE-2026-56164
MEDIUM
CVSS:5.3
CVE-2026-50661
MEDIUM
CVSS:6.1
CVE-2026-57092
CRITICAL
CVSS:9.9
CVE-2026-50522
CRITICAL
CVSS:9.8

Full Report

Executive Summary

Microsoft's July 2026 Patch Tuesday release is the largest in the company's history, addressing between 570 and 622 vulnerabilities across its product ecosystem. The update is critically important for defenders, as it includes patches for two zero-day vulnerabilities confirmed to be under active exploitation in the wild. The first, CVE-2026-56155, is a privilege escalation flaw in Active Directory Federation Services (AD FS). The second, CVE-2026-56164, is a privilege escalation vulnerability in Microsoft SharePoint Server. Both have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, signifying a high and immediate risk. Organizations are strongly urged to prioritize the patching of these two vulnerabilities, followed by the numerous other critical flaws addressed in this historic update.


Vulnerability Details

The two actively exploited zero-days present significant risks to enterprise environments.

CVE-2026-56155: Active Directory Federation Services (AD FS) Elevation of Privilege

  • CVSS Score: 7.8 (High)
  • Description: This vulnerability allows a locally authenticated attacker with low privileges to escalate to administrator rights on an AD FS server. The flaw stems from insufficient access control checks. A successful exploit could lead to a full compromise of an organization's identity infrastructure, enabling attackers to issue malicious tokens, access connected applications, and facilitate widespread lateral movement and data theft.
  • Exploitation: Microsoft has confirmed active exploitation. The discovery by Mandiant and Google's FLARE team suggests it was found during incident response to sophisticated attacks.

CVE-2026-56164: Microsoft SharePoint Server Elevation of Privilege

  • CVSS Score: 5.3 (Medium)
  • Description: This vulnerability allows an unauthenticated attacker to elevate privileges over the network with no user interaction. The flaw is caused by a missing authentication check for a critical function. While its CVSS score is moderate, its active exploitation and low attack complexity make it a high-priority threat for organizations using on-premises SharePoint servers.
  • Mitigation: Microsoft advises that enabling the Antimalware Scan Interface (AMSI) integration with SharePoint and setting the Request Body Scan mode to "Full" can help mitigate exploitation attempts.

Other Notable Vulnerabilities

  • CVE-2026-50661: A publicly disclosed but not yet exploited security feature bypass in Windows BitLocker that requires physical access.
  • CVE-2026-50522: A critical (CVSS 9.8) remote code execution vulnerability in SharePoint Server due to deserialization flaws.
  • CVE-2026-57092: A critical (CVSS 9.9) RCE in Hyper-V VMSwitch, potentially allowing a guest VM to compromise the host.

Affected Systems

The patches cover a vast range of Microsoft products, including but not limited to:

  • Windows Operating Systems (Client and Server)
  • Microsoft Office and Office Components
  • Microsoft SharePoint Server
  • Active Directory Federation Services (AD FS)
  • Microsoft Exchange Server
  • Hyper-V
  • Azure
  • .NET and Visual Studio
  • Microsoft Edge (Chromium-based)

Exploitation Status

Microsoft has confirmed that both CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint) are being actively exploited in the wild. CISA has added both to its KEV catalog, with patching deadlines of July 28, 2026, for the AD FS flaw and a more urgent July 17, 2026, for the SharePoint flaw, underscoring the imminent threat.

Impact Assessment

A successful exploit of CVE-2026-56155 could be catastrophic for an organization. Compromise of AD FS is equivalent to handing over the "keys to the kingdom," allowing an attacker to impersonate any user and access any federated service, including cloud resources in Azure AD. This could facilitate ransomware deployment, widespread data exfiltration, and persistent, hard-to-detect access.

Exploitation of CVE-2026-56164 on an internet-facing SharePoint server provides an attacker with an initial foothold and elevated privileges within the corporate network. This access can be used to steal sensitive data stored on SharePoint or serve as a launchpad for further lateral movement and attacks on other internal systems.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type
Log Source
Value
AD FS Tracing/Debug Logs
Description
Monitor for anomalous events, particularly Event ID 501, which can indicate unexpected process behavior.
Type
Log Source
Value
SharePoint ULS Logs
Description
Hunt for unexpected or malformed requests, especially those that result in errors or access denied messages followed by successful access.
Type
Network Traffic Pattern
Value
POST /_api/web/
Description
Analyze web server logs for SharePoint servers for unusual POST requests, especially from untrusted external IP addresses.
Type
Process Name
Value
w3wp.exe
Description
On SharePoint servers, monitor the w3wp.exe worker process for unusual child processes, network connections, or file modifications.

Detection Methods

Security teams should focus on both identifying vulnerable systems and detecting active exploitation.

  1. Vulnerability Scanning: Use vulnerability management tools to scan for missing patches related to the July 2026 update, prioritizing CVE-2026-56155 and CVE-2026-56164.
  2. Log Analysis: Ingest and analyze AD FS and SharePoint logs in a SIEM. For AD FS, look for unusual authentication patterns or privilege escalations. For SharePoint, monitor IIS logs for suspicious requests to API endpoints and check ULS logs for errors that might indicate exploitation attempts. D3FEND's Network Traffic Analysis (D3-NTA) is a key technique here.
  3. Endpoint Detection and Response (EDR): Deploy EDR agents on AD FS and SharePoint servers. Monitor for suspicious command-line activity, process spawning (powershell.exe, cmd.exe) from the w3wp.exe (SharePoint) or Microsoft.IdentityServer.ServiceHost.exe (AD FS) processes. Utilize Process Analysis (D3-PA) to baseline normal behavior.

Remediation Steps

  1. Prioritize and Patch: Immediately apply the July 2026 security updates, prioritizing internet-facing systems and Tier 0 assets like AD FS servers. The SharePoint zero-day (CVE-2026-56164) has the tightest CISA deadline and should be addressed first.
  2. Apply Workarounds: For SharePoint, if patching is delayed, enable the AMSI integration and set the Request Body Scan mode to "Full" as a temporary mitigation. This is a form of Application Configuration Hardening (D3-ACH).
  3. Verify Patch Installation: After deployment, use scanners to verify that the patches have been successfully applied and the vulnerabilities are remediated.
  4. Hunt for Compromise: Assume compromise and proactively hunt for signs of exploitation using the observables and detection methods outlined above. Pay close attention to any anomalous activity on AD FS and SharePoint servers dating back several weeks.

Timeline of Events

1
July 14, 2026
Microsoft releases its July 2026 Patch Tuesday update.
2
July 14, 2026
CISA adds CVE-2026-56155 and CVE-2026-56164 to its KEV catalog.
3
July 15, 2026
This article was published
4
July 17, 2026
CISA deadline for federal agencies to patch CVE-2026-56164.
5
July 28, 2026
CISA deadline for federal agencies to patch CVE-2026-56155.

MITRE ATT&CK Mitigations

Applying the security patches released by Microsoft is the primary and most effective mitigation against these vulnerabilities.

Audit

M1047enterprise

Implement comprehensive logging and auditing for AD FS and SharePoint servers to detect and investigate potential exploitation activity.

Restrict network access to AD FS and SharePoint management interfaces to only authorized administrative subnets to reduce the attack surface.

Apply recommended hardening configurations, such as enabling AMSI integration for SharePoint, to provide an additional layer of defense.

Timeline of Events

1
July 14, 2026

Microsoft releases its July 2026 Patch Tuesday update.

2
July 14, 2026

CISA adds CVE-2026-56155 and CVE-2026-56164 to its KEV catalog.

3
July 17, 2026

CISA deadline for federal agencies to patch CVE-2026-56164.

4
July 28, 2026

CISA deadline for federal agencies to patch CVE-2026-56155.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

Patch TuesdayZero-DayAD FSSharePointRCEPrivilege EscalationKEV

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.