Skip to main content

On 8 July 2026, Microsoft dropped the largest Patch Tuesday in the programme’s twenty-three-year history: 622 CVEs, triple the previous month’s count, with 416 of those in Windows alone. Two zero-days are confirmed under active exploitation. A third has been publicly disclosed. And the Kerberos RC4 rollback switch you may have been leaning on? It is gone.

If your team treats Patch Tuesday as someone else’s problem, this is the month that proves otherwise. Every line of code you deploy sits on top of this infrastructure. When the floor moves, your application moves with it.

TL;DR

  • Microsoft’s July 2026 Patch Tuesday sets a record with 622 CVEs — triple the previous month and the largest ever single release
  • Two zero-days are under active exploitation: CVE-2026-56164 (SharePoint unauthenticated privilege escalation) and CVE-2026-56155 (Active Directory Federation Services)
  • SharePoint Server 2016 and 2019 hit end-of-life on the same day — no Extended Security Updates available
  • The Kerberos RC4 rollback switch is permanently removed, potentially breaking legacy authentication
  • Microsoft’s AI-powered MDASH vulnerability scanner is accelerating CVE discovery, meaning patch volumes will keep climbing
  • Development teams must adopt risk-based triage (EPSS over CVSS) and integrate patch awareness into their CI/CD pipelines

The Numbers That Matter

Let us break down what 622 CVEs actually looks like:

Product Area CVE Count Key Threats
Windows 416 VMSwitch RCE (CVSS 9.9), five DHCP server RCEs, 21 NTFS/ReFS driver bugs
Microsoft Office 82 Excel RCE variants, macro-adjacent attack surfaces
Microsoft Edge 46 21 proprietary flaws beyond Chromium patches
SharePoint Server 17 Two actively exploited zero-days
Developer Tools 27 Injection and path traversal bypasses in .NET, ASP.NET Core, VS Code
SQL Server 8 Two RCEs rated CVSS 8.8
Exchange Server 5 Stored XSS in OWA rated CVSS 9.6

Ninety-five of the total are remote code execution bugs. That is not a rounding error — it is an entire quarter’s worth of critical patches compressed into a single release.

The Zero-Days You Cannot Ignore

CVE-2026-56164: SharePoint Unauthenticated Privilege Escalation

This is the one keeping incident responders up at night. An unauthenticated attacker can escalate privileges over the network with no credentials, no user interaction, and low attack complexity. Mandiant’s incident response team and Google’s FLARE unit discovered it — which tells you it was found inside an active breach, not a lab.

Making matters worse, SharePoint Server 2016 and 2019 reached end-of-life on the same day this patch dropped. There is no Extended Security Updates programme for SharePoint. If you are still running either version, you are now unpatched and unsupported with a known-exploited vulnerability in the wild.

CVE-2026-56155: Active Directory Federation Services

This local privilege escalation affects your authentication infrastructure directly. Microsoft’s own DART incident response unit found it, again suggesting discovery during active breach investigation. ADFS token-signing systems are trusted across entire enterprise estates — a compromised ADFS server can mint authentication tokens for any federated service.

CVE-2026-55040: SharePoint JWT Authentication Bypass

Discovered by Rapid7’s Stephen Fewer during Pwn2Own Berlin, this one chains with a separate RCE vulnerability that has not been patched yet — Microsoft has scheduled the second half of the fix for August. That means a known exploit chain exists with only partial mitigation available today.

The Kerberos RC4 Cliff Edge

Buried in this update is a change that could break your authentication infrastructure overnight. Microsoft has removed the RC4 DefaultDisablementPhase rollback switch that was introduced in January 2026. After applying this patch, RC4-based Kerberos authentication will only work for accounts explicitly configured to use it.

If your development or staging environments rely on legacy service accounts that still use RC4, they will stop authenticating. The recommended sequence:

  1. Audit RC4 usage across your estate before deploying the patch
  2. Rotate service account passwords to negotiate stronger encryption types
  3. Then deploy the July update

Get this order wrong and you will be debugging authentication failures at the worst possible moment.

Why the Numbers Keep Growing: MDASH

The record volume is not a coincidence. Microsoft’s MDASH (Multi-model Defence Automated Scanning and Hunting) system — an AI-powered vulnerability discovery platform — identified 16 vulnerabilities in May’s Patch Tuesday alone. Microsoft has not disclosed how many of July’s 622 came from MDASH, but the trajectory is clear.

This is the new reality: AI-accelerated vulnerability discovery means patch volumes will continue to climb. The tooling that finds bugs is scaling faster than the processes most teams have for applying fixes. If your patch management strategy was designed for 50–100 CVEs per month, it is already obsolete.

What Your Development Team Should Do Right Now

1. Triage by Exploitation Status, Not CVSS Score

With 622 CVEs, you cannot patch everything simultaneously. Prioritise by whether a vulnerability is under active exploitation (check CISA’s Known Exploited Vulnerabilities catalogue) and its EPSS (Exploit Prediction Scoring System) probability. A CVSS 7.0 bug being actively exploited is more urgent than a CVSS 9.8 that requires improbable preconditions.

2. Audit Your SharePoint and ADFS Exposure

If you have on-premises SharePoint or ADFS infrastructure, patch today. If you are running SharePoint 2016 or 2019, begin your migration plan — not next quarter, now. These products are officially unsupported with known-exploited vulnerabilities in the wild.

3. Integrate Patch Awareness into CI/CD

Your deployment pipeline should know what it is deploying onto. Container base images, runtime dependencies, and host-level libraries all inherit these vulnerabilities. Add automated scanning that flags builds targeting unpatched infrastructure.

4. Prepare for the RC4 Removal

Run Get-ADUser -Filter {msDS-SupportedEncryptionTypes -band 4} and Get-ADServiceAccount queries against your domain controllers to identify any accounts still negotiating RC4. Fix these before deploying the July update.

5. Revisit Your Patch SLA

CISA gave federal agencies until 17 July to address CVE-2026-56164 — that is a nine-day window for a critical zero-day. If your internal SLA for critical patches is measured in weeks, you are moving too slowly for the current threat landscape.

The Bigger Picture

This Patch Tuesday is a signal, not an anomaly. AI-powered vulnerability discovery, the growing complexity of the Microsoft ecosystem, and the industrialisation of exploit development are converging to create a world where patch volumes will only increase.

Development teams can no longer treat security patching as an ops concern that happens downstream. Your application’s security posture starts with the infrastructure it runs on, and that infrastructure just received 622 reasons to update.

At REPTILEHAUS, we help development teams build DevSecOps pipelines that integrate vulnerability scanning, automated patching workflows, and infrastructure-as-code practices that make patch days manageable rather than terrifying. If your team is struggling to keep up with the accelerating pace of security updates, get in touch — we have been through enough Patch Tuesdays to know what works.

📷 Photo by Taylor Vick on Unsplash