Future TechnologyFuture Technology
Security

Microsoft's biggest Patch Tuesday ever includes two active zero-days

· 3 min read · By Nath Connell

Key takeaways

  • July's Patch Tuesday is Microsoft's largest ever, with counts ranging from 569 to 622 flaws depending on the source
  • Two zero-days, CVE-2026-56164 (SharePoint) and CVE-2026-56155 (AD FS), were already being exploited before the fix shipped
  • US federal agencies face a 17 July deadline for SharePoint and 28 July for AD FS under a binding directive
  • Home users aren't directly affected by these two flaws but should still let Windows Update run

Microsoft just shipped its largest Patch Tuesday on record. Depending on which count you use, it's 569, 570, or 622 fixes this month, the number moved as more disclosures rolled in, but the headline is the same either way: patch now if you haven't already.

Two of the flaws were already being used in real attacks before the fix landed. CVE-2026-56164 is an elevation-of-privilege bug in SharePoint Server, CVSS 5.3, that lets an attacker who already has some access grab higher privileges. CVE-2026-56155 hits Active Directory Federation Services, the system many organisations use for single sign-on, and it's rated 7.8. Both were confirmed exploited, not just theoretical.

Why the federal deadline matters to everyone else

US federal civilian agencies were given until today, 17 July 2026 (ET), to fix the SharePoint flaw, and until 28 July for the AD FS bug, under a CISA binding operational directive. That's a government compliance deadline, but the underlying advice applies to any organisation running these systems: this isn't a "patch when convenient" release.

If you're an IT admin running on-premises SharePoint or AD FS, treat this as urgent. If you're a home user on a personal Windows machine, this specific pair of flaws doesn't touch you directly, but the same monthly update includes fixes for consumer-facing components too, so let Windows Update run rather than snoozing it again.

What to do: IT teams should confirm SharePoint and AD FS patches are applied today, not just scheduled. Everyone else should make sure automatic updates are switched on and restart when Windows asks.

Get the Cybersecurity & Privacy Digest

The week's biggest breaches, patches and privacy news, every Friday.

Subscribe free →