Skip to main content

Microsoft Disrupts Active Attacks with 622-Patch Release

Rows of computer servers and equipment in a brightly-lit IT room, with a SharePoint Server setup centered amidst cables and…

"Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting," The Hacker News reported.

CVE-2026-56164: an unauthenticated SharePoint Server elevation-of-privilege already exploited

One of the two zero-days Microsoft flagged as exploited, CVE-2026-56164, affects on-premises SharePoint Server and lets an unauthenticated attacker escalate privileges over the network. Microsoft credited incident responders at Mandiant and Google's FLARE team for the discovery; The Hacker News notes the teams found the issue inside active attacks. Administrators running self-hosted SharePoint are the clearest and most urgent audience: the advisory calls this "the one to grab first."

Compounding the urgency, SharePoint Server 2016 and 2019 reach the end of extended support today. Those versions have no paid ESU program, Microsoft said, so there is no supported paid fallback for shops still on those releases. Microsoft's advisory also says enabling AMSI in Full Mode on the server blunts the attack. The Hacker News reminds readers that SharePoint has been an attacker magnet since the ToolShell chain in 2025.

CVE-2026-56155: AD FS elevation-of-privilege in active use

The second live attack is CVE-2026-56155 in Active Directory Federation Services (AD FS). Microsoft flagged it as exploited and credited its own DART incident-response unit. The bug lets an already-authenticated attacker elevate privileges locally through weak access controls. The Hacker News stresses why this "local" label matters: AD FS is the host that signs tokens for the rest of the estate's trusts, so a local escalation on that box has outsized impact. Microsoft has not disclosed what privileges the bug grants or how attackers used it.

Neither of these two exploited CVEs is yet listed on CISA's Known Exploited Vulnerabilities catalog as of this writing, though Microsoft’s exploitability rating already marks both as exploited. The Hacker News cautions: do not wait for a KEV listing to treat an exploited flag as official.

CVE-2026-50661 BitLocker bypass and CVE-2026-55040 SharePoint JWT bypass

A third zero-day, CVE-2026-50661, is a BitLocker bypass that was publicly disclosed but reportedly is not under attack. It requires physical access to the device, meaning it is not a remote emergency; The Hacker News says to patch it but not to jump it ahead of the exploited remote flaws. The article places this continuation in context with earlier BitLocker bypasses this year, naming bitskrieg and YellowKey.

SharePoint drew another notable fix: Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass they built for Pwn2Own Berlin. Rapid7 rates it 5.3 and says Microsoft assigned it medium severity; ZDI reads Microsoft’s release as Critical at 9.1. Rapid7 chained that bypass to a separate remote code execution (RCE) bug to reach unauthenticated RCE against a vulnerable server — but the RCE half is not patched yet. Microsoft is slated to fix the remaining RCE in August, meaning July's patches break the bypass but do not complete the chain.

Kerberos RC4 hardening: the update that can silently break logins

The July rollout finishes Microsoft’s multi-year Kerberos RC4 hardening by removing the RC4DefaultDisablementPhase rollback switch administrators have used since January. After this update, RC4 will work only for accounts explicitly configured to allow it. The Hacker News warns that if any service account still requests RC4 Kerberos tickets, authentication can fail the moment the update lands.

The recommended order is audit first, using the RC4 audit events Microsoft added in January; then rotate passwords on flagged service accounts so Windows generates AES keys (rotation only fixes accounts missing AES keys); then apply the patch. Anything pinned to RC4 by configuration, or a legacy client that speaks only RC4, needs its own fix before the update arrives — this change is likely to break logins, not to cause breaches.

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: prioritize the two exploited CVEs in SharePoint and AD FS, enable AMSI Full Mode on SharePoint servers where advised, and run the RC4 audits then rotate flagged service-account passwords before applying the Kerberos change.
  • Affected enterprises and procurement leaders: evaluate exposure if running SharePoint Server 2016 or 2019, which reach end of extended support today with no paid ESU fallback, and plan for the operational work of RC4 remediation for service accounts and legacy clients.
  • Adversaries and threat actors: The Hacker News notes automation that finds bugs can be used in reverse — once a patch ships, attackers can diff it against the previous build and more quickly produce exploits, shrinking the protective window after a patch release.

Why this month matters in aggregate: Microsoft’s Security Update Guide lists 622 unique CVEs for July, more than triple June’s previous high, with Windows alone accounting for 416. ZDI independently counted 621 CVEs and flagged 95 remote code execution bugs. Microsoft said on July 9 that AI-assisted tooling, including MDASH, would increase the volume of discovered issues; MDASH found 16 bugs in May’s Patch Tuesday, though Microsoft has not reported how many of July’s fixes came from that pipeline. The Hacker News draws the operational lesson bluntly: with hundreds of fixes and two active exploited privilege bugs that are not top-severity outliers, triage must follow exploit indicators (KEV, EPSS, Microsoft’s exploited flag) rather than raw CVSS scores.

Original story: https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html