Skip to main content
CybersecurityVulnerability Management

Microsoft Unveils Record-Breaking 622 Vulnerabilities in Massive Patch Update

Laptop screen displays Windows update progress bar with blurred coding environment background.

"The bug apocalypse has finally descended upon us," Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Microsoft's Patch Tuesday: 622 vulnerabilities in one release

Microsoft disclosed 622 vulnerabilities in its latest monthly Patch Tuesday cycle — a single-month total the source calls "record-breaking." The vendor's own breakdown showed 416 defects in Windows, 82 in Office and 46 in Microsoft Edge. More than one in ten of the disclosed issues — 63 vulnerabilities in total — were rated critical.

Those figures follow a June release that the source notes set the previous one‑month record with 206 vulnerabilities, meaning this latest disclosure roughly triples that prior high. Dustin Childs added that "The CVE count year-to-date exceeds all other years’ totals." The full list of fixes is available through Microsoft’s Security Response Center, the company said.

Two actively exploited zero-days: CVE-2026-56155 and CVE-2026-56164

Microsoft disclosed two actively exploited zero-day vulnerabilities: CVE-2026-56155 and CVE-2026-56164. Both are described as privilege escalation defects — the first affects Active Directory Federation Services and the second affects Microsoft SharePoint Server. The presence of actively exploited flaws in this batch raises an immediate prioritization question for defenders and administrators responsible for those products.

MDASH and the AI-driven rise in vulnerability discovery

Microsoft warned customers and defenders that a flood of defects would be uncovered as it applies its multi-model agentic scanning harness (MDASH) to discover and address vulnerabilities "at greater speed and scale." The source frames the startling increase as a compounding effect tied to artificial intelligence playing a growing role in finding and helping to fix defects in software.

Satnam Narang, senior staff research engineer at Tenable, wrote that Microsoft is on pace to break the full-year record for CVEs, surpassing the previous record of 1,245 CVEs in 2020. "It’s probable that we will not only exceed 2,000 CVEs in a calendar year, but potentially over 3,000 CVEs this year or more," he said in an email. Narang cautioned that "The volume is striking, but it reflects how good these tools have become at finding bugs, not how many of those bugs actually pose a risk to organizations."

SAP also publishes critical fixes: CVE-2026-44747 and CVE-2026-27690

On the same advisory day, SAP released fixes addressing a fresh assortment of vulnerabilities, including critical defects CVE-2026-44747 in SAP NetWeaver Application Server and CVE-2026-27690 in SAP Approuter. The concurrent disclosures from multiple major vendors contributed to what Trend Micro’s Childs called "The mother of all releases. To call this record-breaking is an understatement."

What this means for technologists and security teams, procurement leaders, and defenders

  • Technologists and security teams: Expect a heavier triage and patching workload, especially for Windows, Office, Edge and the two named privilege-escalation zero-days that affect Active Directory Federation Services and SharePoint Server. Microsoft explicitly warned customers and defenders that applying MDASH will surface many more defects over time.
  • Procurement leaders and affected enterprises: The surge in disclosed CVEs — and Tenable's projection that annual totals could exceed historical highs — will influence vendor risk conversations and update cadence requirements for deployed Microsoft and SAP products.
  • Defenders and adversaries: The disclosure of two actively exploited zero-days underscores an immediate operational risk where unpatched privilege-escalation flaws exist; defenders must prioritize those fixes while also accounting for a far larger patch backlog driven by AI-enabled discovery.

Microsoft’s July cycle, as reported here, represents a notable inflection point in vulnerability disclosure volume: a single release that both expands the list of known defects and tests organizational capacity to prioritize real risk. The vendor points defenders to its Security Response Center for the complete inventory; independent researchers and vendors such as Trend Micro’s Zero Day Initiative and Tenable are already framing the spike as the result of improved discovery, not necessarily a rise in exploitability across the board.

Original CyberScoop story