570
Total vulnerabilities in July 2026 Patch Tuesday — a record high
59
Critical-severity flaws, including 48 remote code execution vulnerabilities
9.8
CVSS score for CVE-2026-55944, unauthenticated RCE in Dynamics NAV
2
Zero-days actively exploited in attacks before Microsoft released patches

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Two Microsoft zero-days are actively exploited today with no available workaround: Microsoft Patch Tuesday July 2026 patches 570 vulnerabilities including CVE-2026-56155 in Active Directory Federation Services (CVSS 7.8) and CVE-2026-56164 in SharePoint Server (CVSS 5.3), both confirmed exploited before today's patches existed, with CISA's remediation deadline for the SharePoint flaw expiring today, July 17, 2026.

Microsoft Patch Tuesday July 2026 is a record-breaking release addressing 570 flaws across Windows, SharePoint, Active Directory, Exchange, Dynamics, and Office — the largest single-month security update in Microsoft's history. The July 8, 2026 release contains 59 critical-severity vulnerabilities including 48 remote code execution flaws, three zero-days, and CVE-2026-55944, a CVSS 9.8 unauthenticated remote code execution vulnerability in Microsoft Dynamics NAV and 365 Business Central that requires neither authentication nor user interaction.

The two actively exploited zero-days target different attack surfaces. CVE-2026-56155 in AD FS exploits insufficient access control to let a low-privileged local attacker escalate to administrator. CVE-2026-56164 in SharePoint Server exploits a missing authentication check for a critical API function, giving an unauthenticated network-accessible attacker elevated privileges against any reachable SharePoint Server 2016, 2019, or Subscription Edition deployment. Microsoft credited Jayson Frost and Genwei Jiang of Mandiant and Google Cloud's FLARE OTF team with discovering CVE-2026-56164 — attribution that signals the flaw was found during active incident investigation, not routine research.

Organizations running on-premises SharePoint or AD FS that have not applied July 2026 Patch Tuesday updates are running systems with known active exploitation in the wild. CISA's federal deadline for SharePoint is today. Interim mitigation exists: enabling AMSI on SharePoint Server and setting Request Body Scan to Full mode blocks exploit payloads while patching proceeds, but does not remove the vulnerability.

How Do CVE-2026-56155 and CVE-2026-56164 Work?

CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services (AD FS) — the Windows Server role that provides federated identity and single sign-on for hybrid Azure AD environments and SAML-based applications. Insufficient granularity of access control in the AD FS service allows an authorized but low-privileged local attacker to escalate to administrator without user interaction and with low attack complexity. Microsoft's Detection and Response Team (DART) credited the discovery, which indicates the flaw was identified while investigating active attacks rather than during internal security review.

CVE-2026-56164 in SharePoint Server exploits a missing authentication check for a critical API function accessible over the network. An unauthenticated attacker who can reach the SharePoint Server's HTTPS endpoint sends a specially crafted POST request to a specific API path and receives elevated permissions without supplying valid credentials. This makes the flaw meaningfully more dangerous than CVE-2026-56155: no local access, no authentication, and no user interaction is required — only network reachability to the server.

Microsoft's recommended mitigation for CVE-2026-56164 is enabling the Antimalware Scan Interface (AMSI) integration in SharePoint and setting the Request Body Scan mode to Full. AMSI scans incoming POST request bodies and can detect and block the malicious payload patterns used to trigger the vulnerability. This is an interim control, not a patch substitute. Organizations that enable AMSI now and patch within 48 hours are in a defensible position; organizations that do neither face active exploitation.

Microsoft's AI-powered vulnerability discovery system, which the company announced earlier in 2026, contributed to the record-breaking CVE count this cycle. The 570-flaw total reflects expanded automated scanning applied to Windows internals and third-party components integrated into Microsoft products — a long-term security benefit that creates short-term patch burden.

Who Is at Risk from Microsoft Patch Tuesday July 2026 Zero-Days?

Any organization running on-premises Microsoft SharePoint Server 2016, 2019, or Subscription Edition is directly exposed to CVE-2026-56164. Organizations using SharePoint Online through Microsoft 365 are not affected — this is an on-premises-only vulnerability. Deployments with SharePoint Server accessible from the internet face external attack without authentication. Internal-only deployments face exploitation by any attacker who has already reached the internal network.

Any organization using Active Directory Federation Services as its identity federation layer is exposed to CVE-2026-56155. AD FS is deployed by organizations running hybrid Azure AD configurations, supporting SAML-based SSO, or federating identity across multiple Active Directory forests. A compromised AD FS server enables an attacker to issue arbitrary security tokens, bypassing authentication controls across every application that trusts the federation service — typically email, VPNs, cloud services, and enterprise applications.

Federal agencies under Binding Operational Directive 26-04 face a mandatory July 17, 2026 remediation deadline for CVE-2026-56164 (today) and July 28, 2026 for CVE-2026-56155. Agencies that cannot apply patches before the deadline must discontinue use of the affected product. This is not advisory guidance — noncompliance with BOD 26-04 deadlines is reportable to CISA.

Private organizations face no regulatory deadline but should treat the combination of on-premises SharePoint and AD FS as a high-priority exposure. An attacker who exploits CVE-2026-56164 to gain elevated SharePoint permissions can pivot to AD FS, creating a path from unauthenticated network access to enterprise-wide SSO token forgery. For context on prior SharePoint patch urgency, the July 4 deadline for CVE-2026-45659 followed the same escalation pattern.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Full Scope: 59 Critical Flaws and 48 Remote Code Execution Vulnerabilities

The 570 vulnerabilities in Microsoft Patch Tuesday July 2026 represent a four to six times increase over a typical monthly release. Microsoft's breakdown shows 59 critical-severity vulnerabilities, 254 elevation of privilege flaws, 145 remote code execution vulnerabilities, 102 information disclosure flaws, 35 denial-of-service vulnerabilities, and 17 security feature bypasses. The three zero-days account for a small fraction of the total but carry the highest urgency because exploitation is confirmed before patches were available.

CVE-2026-55944 demands immediate attention alongside the two zero-days. This CVSS 9.8 deserialization flaw in Microsoft Dynamics NAV and 365 Business Central allows an unauthenticated remote attacker to execute arbitrary code with no user interaction. Organizations running on-premises Dynamics NAV or Business Central should treat this as a third critical patch-now priority alongside the zero-days. No authentication, no user interaction, and no network position requirement — any reachable Dynamics instance is a target.

Five DHCP vulnerabilities rated Critical (CVSS 8.4 to 9.8) also appear in this release, affecting both Windows DHCP Server and Windows DHCP Client. The client-side flaws are particularly significant: a malicious DHCP server on the same network segment can exploit any unpatched Windows machine that requests an IP address lease. This is relevant to corporate guest networks, hotel networks, and any environment where the network layer is not fully trusted.

CVE-2026-50661, the publicly disclosed BitLocker security feature bypass, requires physical access to the target machine and is therefore lower priority for most organizations but critical for any with a large laptop fleet or remote-work device program where physical theft is a realistic scenario. Review the July 14 threat brief for the broader adversary environment driving this patch cycle.

This is not your typical Patch Tuesday. The volume alone changes triage calculus. Organizations used to prioritizing 10 to 20 CVEs per cycle now face 570 — of which 59 are Critical and 2 are actively exploited zero-days with a federal deadline today.

Dark Reading analysis, Microsoft July 2026 Patch Tuesday

Detection Indicators for CVE-2026-56155 and CVE-2026-56164

Neither CVE-2026-56155 nor CVE-2026-56164 has a published proof-of-concept exploit as of today, but both are confirmed exploited in the wild, which means tooling exists in threat actor hands. Detection relies on behavioral telemetry rather than signature-based IOC matching.

For CVE-2026-56164 on SharePoint Server, monitor IIS logs on the w3wp.exe worker process for POST requests to SharePoint API paths (/_api/web, /_api/contextinfo) that return HTTP 200 responses for requests without valid authentication headers. Baseline normal authenticated traffic volumes first, then alert on any unauthenticated POST that returns a non-401 or non-403 response. Also watch for file writes to SharePoint layout directories (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\ and the \16\ equivalent) from IIS worker processes — the standard webshell deployment indicator after privilege escalation.

For CVE-2026-56155 on AD FS, monitor Windows Security Event ID 4672 (Special Privileges assigned to new logon) on the AD FS server for unexpected privilege assignments, and AD FS operational logs for Event IDs 1200 and 1201 (token issuance) at unusual volumes or for unexpected relying party applications. DART's involvement in discovering this vulnerability suggests the exploitation pattern involves local privilege escalation followed by token manipulation.

For the broader Patch Tuesday scope, Windows Defender and Microsoft Sentinel customers should verify threat intelligence updates are current as of July 8, 2026. Microsoft ships signature updates alongside patches for CVEs where behavioral detection is feasible.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Sigma Detection Rules for Microsoft Patch Tuesday July 2026 Zero-Days

No CVE-specific Sigma rule exists yet for CVE-2026-56155 or CVE-2026-56164, which were publicly disclosed on July 8, 2026. New CVE-specific rules typically take 48 to 72 hours after public disclosure to appear in SigmaHQ's emerging-threats ruleset.

The two rules below target post-exploitation behavior on SharePoint Server systems consistent with CVE-2026-56164 abuse. The first rule detects file writes to SharePoint layout directories from unexpected parent processes — the standard webshell deployment pattern after a privilege escalation exploit succeeds. The second rule detects suspicious commands spawned by w3wp.exe, the IIS worker process that hosts SharePoint, including encoded PowerShell invocations used to establish persistent access or lateral movement.

Both rules require Windows Sysmon or an EDR with equivalent file_event and process_creation telemetry. Use sigma-cli to convert the YAML to Splunk SPL, Microsoft Sentinel KQL, or Elastic query syntax. Deploy on all hosts running SharePoint Server 2016, 2019, and Subscription Edition. Alert noise is low in a normal SharePoint environment — any match warrants immediate triage.

Subscribe to unlock Sigma Detection Rules

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Close This Gap Before the Weekend

The remediation path for the two actively exploited zero-days is clear: apply the July 2026 Patch Tuesday cumulative update. No standalone hotfix or partial patch exists for CVE-2026-56155 or CVE-2026-56164 — the full cumulative update is required. The specific KB numbers are KB5101650 for Windows 11 (24H2 and 23H2), KB5099539 for Windows 10 and Windows Server 2025/2022/2019, available through Windows Update, WSUS, and the Microsoft Update Catalog.

For organizations that cannot patch immediately, the SharePoint interim mitigation is available today without downtime. Enable AMSI integration and set Request Body Scan to Full in SharePoint Central Administration. This blocks the specific POST payload pattern used to exploit CVE-2026-56164. Confirm AMSI is active by checking SharePoint Unified Logging Service (ULS) logs for AMSI-related entries after enabling.

No interim mitigation exists for CVE-2026-56155 in AD FS. Organizations that cannot patch AD FS servers immediately should isolate them from direct external access, enforce network-level restrictions on who can reach the AD FS service endpoints, and increase logging verbosity on the AD FS operational event channel.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why Microsoft Patch Tuesday July 2026 Zero-Days Matter for Your Organization

Microsoft Patch Tuesday July 2026 is not a routine update cycle. The record 570-flaw count, two actively exploited zero-days, a CVSS 9.8 unauthenticated RCE, and five critical DHCP vulnerabilities arriving in a single month create a compounding risk environment for any Microsoft-dependent organization.

The two zero-days represent the highest-risk combination in this release. CVE-2026-56164's unauthenticated network attack surface for SharePoint means external attackers need nothing but a reachable server. CVE-2026-56155's AD FS privilege escalation means an attacker who gains any foothold can immediately escalate to domain-level SSO control. Together, they create a path from anonymous internet access to enterprise-wide authentication compromise in two steps: reach SharePoint, then escalate to AD FS administrator.

The CISA KEV designation for both CVEs confirms active exploitation is real, not theoretical. Microsoft's DART team discovered CVE-2026-56155 during incident response, which means attackers were already using this technique before any defender had a patch to deploy. Organizations that have delayed applying July 2026 Patch Tuesday since July 8 have been running unpatched against confirmed in-the-wild exploitation for nine days.

Closing these gaps before Monday reduces your organization's exposure substantially. Apply the July 2026 cumulative update to every Windows Server instance today, enable AMSI on SharePoint as interim mitigation, and monitor AD FS privilege logs through the weekend. The attack surface for this cycle is unusually broad — and the window between patch availability and active exploitation is already closed.

The bottom line

Microsoft Patch Tuesday July 2026 patches two actively exploited zero-days in Active Directory Federation Services (CVE-2026-56155, CVSS 7.8) and SharePoint Server (CVE-2026-56164, CVSS 5.3) alongside a record 570 total flaws. CISA's federal remediation deadline for SharePoint expires today. Three actions before the weekend: apply the July 2026 cumulative update (KB5101650 or KB5099539), enable AMSI on all SharePoint Server deployments as interim mitigation, and patch Dynamics NAV to address the CVSS 9.8 unauthenticated RCE in CVE-2026-55944.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What zero-days are in Microsoft Patch Tuesday July 2026?

Three zero-days: CVE-2026-56155 (Active Directory Federation Services elevation of privilege, CVSS 7.8, actively exploited), CVE-2026-56164 (SharePoint Server elevation of privilege, CVSS 5.3, actively exploited), and CVE-2026-50661 (Windows BitLocker security feature bypass, publicly disclosed but not yet confirmed exploited in attacks). Both actively exploited CVEs are on CISA's KEV catalog with federal deadlines of July 17 for SharePoint and July 28 for AD FS.

Is CVE-2026-56155 actively exploited?

Yes. Microsoft's Detection and Response Team (DART) credited the discovery of CVE-2026-56155, indicating the team found the flaw during active incident investigation rather than internal research. CISA added it to the Known Exploited Vulnerabilities catalog and set a July 28, 2026 federal remediation deadline. No public proof-of-concept exploit exists as of today, but threat actor tooling is confirmed in use.

How do I enable AMSI on SharePoint Server?

Run Enable-SPFeature -Identity 'AMSI' -Url <your-site-collection-URL> in SharePoint Management Shell, then go to SharePoint Central Administration, navigate to Security, and set Request Body Scan mode to Full. Confirm AMSI is active by reviewing SharePoint Unified Logging Service (ULS) logs for AMSI-related entries. This mitigation blocks the specific malicious POST payload pattern used to exploit CVE-2026-56164 but does not patch the underlying vulnerability.

What is CVE-2026-56164 in SharePoint Server?

CVE-2026-56164 is an elevation of privilege vulnerability in Microsoft SharePoint Server 2016, 2019, and Subscription Edition caused by missing authentication for a critical API function. An unauthenticated attacker who can reach the SharePoint Server over the network sends a specially crafted POST request and receives elevated permissions without valid credentials. It carries a CVSS score of 5.3 but poses a higher practical risk due to the zero-authentication requirement and confirmed active exploitation.

How many vulnerabilities are in the July 2026 Patch Tuesday?

Microsoft Patch Tuesday July 2026 patches 570 vulnerabilities, excluding Microsoft Edge and Chromium-based browser fixes counted separately. This is the largest single-month security release in Microsoft's history. The breakdown includes 59 critical-severity flaws, 145 remote code execution vulnerabilities, 254 elevation of privilege flaws, and 102 information disclosure issues. Microsoft's AI-powered vulnerability discovery system contributed to the elevated count.

What is the CISA deadline for July 2026 Patch Tuesday vulnerabilities?

CISA set two deadlines under Binding Operational Directive 26-04: July 17, 2026 (today) for CVE-2026-56164 in SharePoint Server, and July 28, 2026 for CVE-2026-56155 in Active Directory Federation Services. Federal agencies that cannot apply patches by the deadline must discontinue use of the affected product. Private organizations face no regulatory deadline but should treat both as immediate priorities given confirmed active exploitation.

Is CVE-2026-55944 in Dynamics NAV dangerous?

CVE-2026-55944 is rated CVSS 9.8 Critical and allows unauthenticated remote code execution in Microsoft Dynamics NAV and 365 Business Central via a deserialization flaw. No authentication or user interaction is required. Any on-premises Dynamics NAV or Business Central deployment reachable by an attacker is vulnerable. Apply the July 2026 cumulative update immediately. Cloud-hosted Business Central instances managed by Microsoft are not affected.

What is the patch for the AD FS elevation of privilege vulnerability in 2026?

The patch for CVE-2026-56155 is included in the July 2026 cumulative update: KB5101650 for Windows 11 (24H2 and 23H2) and KB5099539 for Windows 10 and Windows Server 2025/2022/2019. Install via Windows Update, WSUS, or the Microsoft Update Catalog. No standalone hotfix or partial patch exists — the full cumulative update is required. No interim mitigation is available for CVE-2026-56155.

Sources & references

  1. BleepingComputer: Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
  2. Tenable: Microsoft's July 2026 Patch Tuesday Addresses 569 CVEs — CVE-2026-56155, CVE-2026-56164
  3. CISA Known Exploited Vulnerabilities Catalog
  4. CISA: Adds Four Known Exploited Vulnerabilities to Catalog (July 14, 2026)

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.