Close Menu
    What's Hot

    Trump Scraps 20 Percent Strait of Hormuz Toll for Gulf Investment Deals

    M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript

    France 0 – 2 Spain

    Facebook X (Twitter) Instagram
    Trending
    • Trump Scraps 20 Percent Strait of Hormuz Toll for Gulf Investment Deals
    • M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript
    • France 0 – 2 Spain
    • Helping AI models to meet the real world | MIT News
    • Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
    • No More Trips to Walgreens? State Department Teases…
    • French and Spanish parties – Live Updates
    • Iran Escalates Its Attacks on Bahrain and Kuwait
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    adminBy adminJuly 14, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft’s own CVEs by its Security Update Guide count, more than triple June’s previous high of around 200.

    Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are elevation-of-privilege flaws in identity and collaboration infrastructure: CVE-2026-56164 in on-premises SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.

    Neither is one of the splashy remote code execution criticals. They are privilege bugs in two systems that matter more than their scores suggest: the company document store, and the box that signs its logins.

    The two zero-days to patch first

    CVE-2026-56164, a SharePoint Server flaw Microsoft says is being exploited in attacks, lets an unauthenticated attacker escalate privileges over the network. No credentials, no user interaction, remote. Microsoft credited it to Mandiant’s incident responders and Google’s FLARE team, which points to discovery inside active attacks, though Microsoft has not said how it was exploited or by whom.

    If you run self-hosted SharePoint, this is the one to grab first, and there is a second clock on it: today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, neither has a paid ESU program to fall back on.

    Cybersecurity

    Beyond patching, Microsoft’s advisory notes that enabling AMSI in Full Mode on the server blunts the attack. SharePoint has been an attacker magnet since the ToolShell chain tore through unpatched servers in 2025, and it has not stopped being one.

    CVE-2026-56155, an Active Directory Federation Services flaw Microsoft also flags as exploited, lets an already-authenticated attacker elevate privileges locally through weak access controls. Microsoft’s own DART incident-response unit gets the credit.

    AD FS is the box that signs the tokens for the rest of the estate trusts, which is why a flaw labeled “local” on that host is worth more attention than the label suggests. Microsoft has not said what privileges it grants, or how attackers used it.

    Worth knowing for anyone tracking remediation deadlines: neither CVE is on CISA’s Known Exploited Vulnerabilities catalog as of this writing. Microsoft’s own exploitability rating already marks both as exploited. Do not wait for a KEV listing to make it official.

    Microsoft also rates the SharePoint bug fairly low on severity, which is a good reminder that the severity label is not the thing to sort by this month.

    A third bug, and a SharePoint chain landing in August

    The third zero-day was publicly disclosed but is not under attack: CVE-2026-50661, another BitLocker bypass. It needs physical access to the device, so it is not a remote emergency. Patch it, but it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year.

    SharePoint drew a second notable fix. Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass they built for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says Microsoft assigned it medium severity, while ZDI reads the release as Critical at 9.1.

    What it does is not in dispute. Rapid7 chained it to a separate remote code execution bug to reach unauthenticated RCE against a vulnerable server, and the RCE half is not patched yet; Microsoft is slated to fix it in August.

    That makes July bypass the fix that breaks the chain. A four-point spread on one bug also tells you what a severity number is worth this month.

    The RC4 cleanup that can break logins

    This update also finishes Microsoft’s multi-year Kerberos RC4 hardening. The July rollout removes the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since Microsoft began the crackdown in January.

    After this, RC4 works only for accounts explicitly configured to allow it. If any service account in your environment still requests RC4 Kerberos tickets, it can fail authentication the moment the update lands.

    The order matters: audit first, using the RC4 audit events Microsoft added in January, then rotate the passwords on flagged service accounts, so Windows generates AES keys for them, then patch. Rotation only fixes accounts missing AES keys.

    Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands. This one does not get you breached; it breaks things, but it will page you at 2am if you skip the audit.

    Why a quiet month set a record

    July is historically one of the lightest months on Microsoft’s calendar, which makes a release this size stand out. Windows alone accounts for 416 of the 622, and ZDI counts 95 remote code execution bugs across the release.

    Here is where the rest sits, and what is worth pulling out of each pile:

    Product family CVEs Worth pulling out
    Windows 416 Both the AD FS zero-day (CVE-2026-56155) and the disclosed BitLocker bypass (CVE-2026-50661) live here. Top score of the release is a VMSwitch RCE, CVE-2026-57092 at 9.9. Also five DHCP RCEs, and 21 NTFS and ReFS driver bugs that ZDI reads as one shared root cause.
    Office 82 Counted once. Microsoft lists the same 82 again under a separate Office 2016 track, which is why some outlets report 164.
    Microsoft Edge 46 ZDI counts 21 as Microsoft’s own rather than Chromium re-listings.
    Developer Tools 27 Security feature bypasses across Visual Studio, VS Code, and GitHub Copilot, mostly injection and path traversal.
    SharePoint Server 17 The exploited zero-day (CVE-2026-56164) and Rapid7’s chain bypass (CVE-2026-55040), plus a Critical RCE pair including CVE-2026-50522 at 9.8.
    Azure 11 Nothing flagged as urgent.
    SQL Server 8 An RCE pair, CVE-2026-54117 and CVE-2026-54118, both 8.8.
    Defender 5 Two Critical RCEs.
    Exchange Server 5 A stored XSS in Outlook Web Access, CVE-2026-55008, at 9.6. Microsoft files it under spoofing, which undersells it.
    Other 5 Nothing flagged as urgent.

    Counts are from Microsoft’s Security Update Guide, which totals 622 unique CVEs this month. ZDI, counting independently, landed on 621, and its July review is the source for the per-family callouts.

    Cybersecurity

    Microsoft called this one five days early. In a July 9 post, it told customers to expect a “higher volume of security updates included in each security release” as AI helps it uncover more issues. That work includes MDASH, its multi-model agentic scanning system, which found 16 of the bugs in May’s Patch Tuesday by itself. Microsoft has not said how many of July’s 622 came out of that pipeline.

    The same automation cuts both ways. Once a patch ships, attackers can diff it against the last build, find the bug it closes, and build a working exploit before most shops have finished testing. That eats the old “wait a week” cushion and shrinks the gap to Exploit Wednesday.

    It also guts CVSS-based triage. When a release carries 600-plus CVEs and a large share are rated High or Critical, “critical” stops sorting anything. This month’s two exploited bugs make the point: neither is a headline 9.8, both are mid-tier privilege flaws, and both are already in use.

    Sort by what is being exploited, using KEV, EPSS, and Microsoft’s exploited flag, not by score, and patch faster than you used to. The number on the box is only going up.

    active attack Flaws including Microsoft Patches record ZeroDays
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleNo More Trips to Walgreens? State Department Teases…
    Next Article Helping AI models to meet the real world | MIT News
    admin
    • Website

    Related Posts

    Microsoft Patches a Record 570 Security Flaws – Krebs on Security

    July 14, 2026

    England must trial extra seamer ahead of World Cup after India expose 50-over flaws, says Stuart Broad | Cricket News

    July 14, 2026

    SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Trump Scraps 20 Percent Strait of Hormuz Toll for Gulf Investment Deals

    M.P. Evans Group PLC (MPEVF) Discusses Responsible Production and Pricing Dynamics in Palm Oil Industry Transcript

    France 0 – 2 Spain

    Helping AI models to meet the real world | MIT News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by