Skip to main content
CybersecurityVulnerability Management

Microsoft Patch Tuesday Blitz Targets 622 Vulnerabilities

Software developers and security analysts work on computers in a brightly-lit tech facility with rows of workstations and…

“Redmond just rolled out patches for 622 CVEs specific to its products,” the report noted — more than three times last month’s record and a Patch Tuesday release that “is once again one for the record books.”

Microsoft's unprecedented Patch Tuesday: 622 CVEs and 428 Edge Chromium fixes

Microsoft addressed 622 CVEs in a single Patch Tuesday, a volume that eclipses the previous month’s all-time high of 206. The company’s release also ran alongside “428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count,” the reporting said; “Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed.” Microsoft did not disclose how much, if any, artificial intelligence contributed to the discovery and triage of this spike in vulnerabilities.

Actively exploited and publicly disclosed vulnerabilities

Two Microsoft bugs were specifically called out as under active exploitation. CVE-2026-56155 is an Active Directory Federation Services elevation of privilege issue caused by “insufficient granularity of access control on ADFS.” An attacker with local access could gain administrator privileges; Microsoft’s assessment assigns the flaw a CVSS score of 7.8. CVE-2026-56164 affects Microsoft SharePoint and stems from a missing authentication for a critical function, which could allow an unauthorized attacker on a network to elevate SharePoint permissions; that bug carries a CVSS score of 5.3. Separately, CVE-2026-50661 is a publicly reported issue that could let someone with local access physically bypass BitLocker protections.

High-severity threats in Copilot, Exchange, and Office

Among the critical entries Microsoft disclosed is CVE-2026-48561, a CVSS 9.6 remote code execution vulnerability in Copilot. The bug involves Copilot failing to properly neutralize input, allowing an attacker with low-privileged Hyper-V guest access to execute code; exploitation can occur without user awareness, for example by hosting a malicious website that triggers embedded Copilot features when a page loads. Microsoft Exchange is affected by CVE-2026-55008, another CVSS 9.6 flaw where failure to neutralize input allows cross-site scripting from a crafted email, enabling arbitrary JavaScript execution. The company also patched 16 remote code execution vulnerabilities in Microsoft Office and related applications—issues like heap-based buffer overflows and use-after-free bugs scored around CVSS 7.8.

Adobe, Broadcom, and SAP: multiple vendors with high-severity fixes

Adobe released 64 unique CVEs across seven bulletins covering Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every Adobe bulletin included at least a couple of critical CVEs. The highest-severity Adobe entry is CVE-2026-48318, a CVSS 9.9 ColdFusion path traversal that can allow arbitrary code execution; the report notes this CVE “does not yet appear in online CVE directories.” Commerce received CVE-2026-48356 (CVSS 9.6), a privilege escalation tied to failure to restrict dangerous file uploads. Adobe Experience Manager includes two CVSS 9.6 arbitrary-code-execution issues: CVE-2026-48259 (a server-side request forgery) and CVE-2026-48359 (an improper restriction of XML external entity references).

Broadcom patched seven CVEs in its Avi Load Balancer, rated between CVSS 7.1 and 9.8 and covering authentication bypass, remote code execution, privilege escalation, and directory traversal. SAP published 16 security updates and one GitHub advisory; nine updates score 8.1 or higher. Notable SAP entries include CVE-2026-44747 (CVSS 9.9), a memory corruption flaw in SAP NetWeaver Application Server ABAP that could let an authenticated attacker gain unauthorized access to system data; CVE-2026-27690 (CVSS 9.1), an issue allowing an unauthenticated attacker to smuggle an HTTP request through SAP Approuter and cause system unavailability; and CVE-2026-44761 (CVSS 9.1), the retention of a sample OAuth2 client in SAP Commerce Cloud that, if known, could allow unauthorized access.

How technologists, affected enterprises, and end users should respond

  • Technologists and security teams: Prioritize patches for the two actively exploited Microsoft issues (CVE-2026-56155 and CVE-2026-56164), the Copilot RCE (CVE-2026-48561), Exchange XSS (CVE-2026-55008), and the Office RCE cluster; also account for the 428 Chromium CVEs impacting Edge that are tracked separately.
  • Affected enterprises and procurement leaders: Plan for a multi-vendor patch window that goes beyond Microsoft—Adobe, Broadcom, and SAP all shipped high-severity fixes (including Adobe ColdFusion CVE-2026-48318 and SAP CVE-2026-44747)—and balance rapid deployment against change-control and availability constraints.
  • End users and defenders of endpoint hardware: Be aware of the publicly reported BitLocker bypass (CVE-2026-50661) which requires local access; organizations should consider local-access mitigations while updates are applied.

The back-to-back records set in the past two months suggest this will not be a quiet summer for patch managers. The source closed with a wry admonition: “Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams.”

Original story at The Register