“The real story is economic. AI has collapsed the cost of finding vulnerabilities, and this increase in volume is a new floor, not the ceiling … at least for a while,” said Trey Ford, chief strategy and trust officer at Bugcrowd, after Microsoft published updates for an unprecedented 570 CVEs on Patch Tuesday, July 14.
Microsoft pushed 570 CVEs on July 14
Microsoft’s July Patch Tuesday delivered a record volume of fixes: 570 distinct CVEs released in a single monthly update cycle. The package included 254 elevation-of-privilege (EoP) vulnerabilities, 145 remote code execution (RCE) bugs and 102 information-disclosure flaws. Fifty-nine of the patched issues were rated Critical on Microsoft’s scale; 48 of those Critical entries were RCE vulnerabilities.
The three zero-days: CVE-2026-56155, CVE-2026-56164, CVE-2026-50661
Among the large set of fixes were three zero-day vulnerabilities. Two of those zero-days have already been exploited in the wild. CVE-2026-56155 is an EoP bug in Active Directory Federation Services (ADFS) that can allow an authorized attacker to elevate privileges locally. Rapid7 principal software engineer Adam Barnett noted, “The advisory doesn’t explicitly describe the location of the attacker, but it’s likely that an attacker would need an existing toehold on the target system to chain together with the elevation of privilege opportunity on offer here.”
The second exploited zero-day, CVE-2026-56164, is another EoP vulnerability, this time in Microsoft SharePoint Server. Microsoft characterized attacks against CVE-2026-56164 as requiring no existing privileges and having “low complexity.” The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to harden their SharePoint systems in response to exploitation of this bug alongside two other vulnerabilities published earlier this year.
The third publicly disclosed zero-day is CVE-2026-50661, a Windows BitLocker security feature bypass that could permit attackers to access encrypted data. Microsoft’s advisory says exploitation would require an unauthorized attacker to have physical access to the target machine.
Agentic AI and automated discovery: the engine behind the surge
Microsoft has warned that its use of agentic AI to discover new flaws would increase the volume of security updates for customers, and security firms are seeing that outcome. Mayuresh Dani, security research manager at Qualys, said the pattern had been predicted: “This trend was predicted and we’re seeing the evidence of it happening now. As more advanced and frontier AI models become available, we can expect an upward trend to continue and then slow down.”
Qualys highlighted the technical drivers: AI automated fuzzing, large language model–assisted variant hunting, and static analysis at scale are finding bugs faster than organizations can remediate them. Trey Ford echoed the operational consequence: leadership should stop treating monthly patch volume as a surprise and instead budget for it as a fixed operating cost because intake “will not be going back down for a while.”
Qualys’ recommended operational changes and hardening steps
- Move from CVSS-only prioritization to using Exploit Prediction Scoring System (EPSS) and CISA KEV for triage.
- Adopt a tiered patching SLA; Qualys offered an example: KEV-listed CVEs or those with EPSS > 0.5 should be patched within 24–36 hours, with classification tuned to each organization’s risk profile.
- Introduce attack-surface reductions and mitigations, such as ensuring Active Directory Federation Service instances are not internet-connected, that on-premises SharePoint lacks public access, and that remote management tools are not reachable from anywhere.
- Improve patching practices by validating updates, monitoring installs and system stability on a selected group with automated rollback support, then pushing approved patches to all required systems.
What this means for technologists, policymakers, and affected enterprises
Technologists and security teams face a higher, sustained intake of vulnerability data and should prioritize operational changes that scale: adopt EPSS and CISA KEV-driven triage, implement automated validation and rollback, and harden exposed services like ADFS and SharePoint as Qualys recommends.
Policymakers and agencies such as CISA will continue to press organizations to harden critical services: CISA has already urged action on SharePoint systems following exploitation tied to this release cycle.
Affected enterprises and procurement leaders must treat patch management as a predictable cost and capability. As Trey Ford put it, “The organizations that win won't be the ones that patch fastest this month. They'll be the ones who built a process that scales when the next couple months continue to increase.”
The July deluge — 570 fixes in one month, multiple exploited zero-days, and hundreds more critical and high-severity bugs — is both a technical event and an operational pivot point. Vendors such as Google and Adobe are also altering cadence and volume (Google fixed over 460 Edge/Chromium flaws this month; Adobe has moved to twice-monthly patching), underscoring that this is an ecosystem-wide shift. The central question is no longer whether vulnerabilities will be found, but whether organizations can reorganize budgeting, triage and deployment pipelines quickly enough to keep pace.




