Record-breaking Patch Tuesday
Microsoft released patches for over 570 vulnerabilities on July 2026 Patch Tuesday, marking the largest single update in the company's history. Among these are two zero-days already being exploited in the wild (CVE-2026-56155 and CVE-2026-56164), and a publicly disclosed but unpatched BitLocker bypass (CVE-2026-50661). The update follows a familiar pattern: shortly after the security bulletin was published, security researcher Nightmare Eclipse released a stripped-down proof-of-concept exploit for an unpatched Windows elevation of privilege (EoP) vulnerability, dubbed LegacyHive.
Active exploitation and critical vulnerabilities
CVE-2026-56155 is an EoP flaw in Active Directory Federation Services (ADFS). Microsoft's incident response teams have observed active exploitation, and patches have been bundled into updates for Windows and Windows Server. To further harden the environment, Microsoft has also updated the Access Control List (ACL) on the AD FS Distributed Key Manager container. Dustin Childs from TrendAI's Zero Day Initiative noted that while the vulnerability requires local access and low privileges, ADFS is a prime target for attackers looking to pivot through identity infrastructure. "It can also be paired with an RCE as we often see in ransomware. Test and deploy this patch quickly," he said.
CVE-2026-56164 is an EoP flaw in Microsoft SharePoint Server, reported by Google's incident responders and an anonymous researcher. It is remotely exploitable in low-complexity attacks, and attackers are already leveraging it. While enabling the Antimalware Scan Interface (AMSI) on SharePoint servers can mitigate the flaw, Microsoft strongly recommends applying the full security update. The patch also addresses two additional SharePoint remote code execution vulnerabilities (CVE-2026-50522 and CVE-2026-58644) and a critical security feature bypass (CVE-2026-55040).
Adam Barnett from Rapid7 explained that CVE-2026-55040 is the first exploit in a two-part chain that can lead to unauthenticated remote code execution on vulnerable SharePoint servers. The second vulnerability remains under embargo until August 2026, when Microsoft is expected to release a patch. Meanwhile, CISA has urged organizations running SharePoint to apply additional hardening measures, as attackers are also exploiting two recently patched flaws (CVE-2026-32201 and CVE-2026-45659).
CVE-2026-50661 is a Windows BitLocker security feature bypass that has been disclosed but not yet actively exploited. CrowdStrike noted that this may be the patch for GreatXML, a BitLocker bypass exploit released by the Nightmare-Eclipse persona.
The AI acceleration effect
The explosive growth in the number of patches this month was not a surprise. Microsoft had pre-announced that it has been using artificial intelligence to dramatically speed up internal vulnerability discovery. The company also acknowledged that security researchers and attackers are doing the same. "If you're not delivering critical quality updates with security fixes until a couple of weeks after they've been issued, that's ample time for attackers using AI to find and exploit known security gaps," Microsoft said.
In response, Microsoft has updated its recommendations for deploying Windows quality updates: the deferral period should be less than three days, deadlines should be set to zero or one day, and the grace period should be no more than two days. This aggressive timeline reflects the new reality of machine-speed vulnerability discovery and exploitation.
Satnam Narang from Tenable pointed out that the Exploitability Index, which rates how likely a vulnerability is to be exploited, must evolve. For example, Microsoft originally rated CVE-2026-45659 (a SharePoint vulnerability) as "exploitation less likely," yet it was added to CISA's Known Exploited Vulnerabilities catalog on July 1. "Anthropic's Red Team's own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated 'Exploitation Less Likely' or 'Exploitation Unlikely.' What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools," Narang said.
Industry response and best practices
The cybersecurity agencies of the Five Eyes countries have issued new guidance urging organizations to integrate AI tools into their security operations to detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents. They also recommend five concrete steps: reduce the attack surface by limiting access, accelerate patching processes and prioritize updates by risk, address legacy systems (including decommissioning if possible), strengthen identity and access controls, and prepare for incidents before they happen.
These recommendations come at a time when the volume of patches is outstripping traditional manual triage capabilities. Organizations that have not yet automated their patch management processes will find it increasingly difficult to keep up. The shift to AI-assisted vulnerability discovery means that every unpatched system is essentially a ticking time bomb, with attackers using the same tools to find and exploit flaws faster than ever before.
SharePoint in the crosshairs
The multiple SharePoint vulnerabilities fixed this month highlight how these collaboration platforms remain a favorite target for attackers. The chaining of CVE-2026-55040 with an undisclosed second flaw for unauthenticated RCE is particularly concerning. Rapid7's research demonstrates the depth of exposure that enterprise environments face. In addition to the patches, administrators should review SharePoint service accounts, minimize exposure to the internet, and enforce strict access controls. CISA's heightened warnings about CVE-2026-32201 and CVE-2026-45659 suggest that attackers are actively scanning for unpatched servers.
The update also includes a late-breaking revision: Microsoft updated the advisory for CVE-2026-58644, one of the SharePoint RCE vulnerabilities fixed in June but only disclosed fully this Tuesday, to confirm that it is being exploited in the wild. This elevates the urgency for organizations still running unpatched versions of SharePoint.
Nightmare Eclipse and LegacyHive
Shortly after the July 2026 Patch Tuesday release, the security community saw the emergence of a new proof-of-concept exploit from the researcher known as Nightmare Eclipse. Dubbed LegacyHive, this exploit targets an unpatched Windows EoP vulnerability. While Microsoft did not include a patch for LegacyHive in the July update, the researcher's publication puts pressure on the company to address it in an upcoming out-of-band update or the August cycle. This cat-and-mouse game between researchers, Microsoft, and attackers is likely to intensify as AI tools make it easier to find and weaponize flaws.
The sheer number of CVEs fixed this month—over 570—reflects the cumulative effect of AI-assisted discovery. Prior to the adoption of AI, a typical Patch Tuesday contained one to two hundred vulnerabilities. The tripling of that number poses genuine operational challenges for IT teams. Microsoft's guidance to accelerate patching timelines is a direct response to this new normal.
The implications extend beyond patching cadence. Security teams must now prioritize vulnerabilities based on real-world exploitation data, not just static ratings. The CISA KEV list, combined with the exploitability index revisions, provides a starting point. However, as AI models continue to improve, the gap between patch release and exploit availability will shrink further. Organizations that fail to adapt their vulnerability management processes risk being caught in the crosshairs of automated attack chains.
Source: Help Net Security News