PatchTriageWhat to patch first
Patch Intelligence Brief

Microsoft Patch Tuesday — July 2026

Microsoft shipped 627 fixes this month, 62 rated critical. 2 are already under active attack and should be patched today; 1 publicly disclosed zero-day should be closed this week. Everything else fits the normal monthly cycle.

Compiled 2026-07-15 18:44 UTC Basis MSRC 2026-Jul · CISA KEV Corroboration krebsonsecurity.com · thezdi.com · isc.sans.edu · bleepingcomputer.com · HCL BigFix
627
Microsoft-authored CVEs
62
rated Critical
2
actively exploited
1
disclosed zero-day

Patch today

Confirmed in CISA KEV and flagged as exploited by Microsoft. Treat as active incidents, not routine patching.

CVE-2026-56155 Exploited CVSS 7.8 Active Directory Federation Services Elevation of Privilege

in CISA KEV (added 2026-07-14); MSRC Exploited. Owner routes to the Identity / AD team.

Owner: Identity / AD
CVE-2026-56164 Exploited CVSS 5.3 Microsoft SharePoint Server Elevation of Privilege

in CISA KEV (added 2026-07-14); MSRC Exploited; network / no-auth / no-interaction; ⬆ HCL: flagged dangerous. Owner routes to the SharePoint owners team.

Owner: SharePoint owners

Close this week

Publicly disclosed but not yet observed in the wild — a zero-day on a countdown. Schedule ahead of the normal cycle.

CVE-2026-50661 Zero-day CVSS 6.1 Windows BitLocker Security Feature Bypass

publicly disclosed (zero-day); ⬆ HCL: flagged dangerous. Owner routes to the Endpoints / Windows client team.

Owner: Endpoints / Windows client

Who owns what

This month's priority items grouped by the team that patches them.

Other / general Windows22
57100 · 38968 · 55010 · 9547 · 58608 · 50382 · +16
Office / productivity16
8926 · 55045 · 50314 · 50467 · 55018 · 55022 · +10
Cloud / M365 apps7
45499 · 55944 · 48561 · 41106 · 55011 · 55012 · +1
Network / infra servers7
50518 · 56159 · 56188 · 54999 · 48564 · 50370 · +1
SharePoint owners4
56164 · 50522 · 58644 · 55040
Identity / AD3
56155 · 54121 · 49164
Endpoints / Windows client3
50661 · 54982 · 54995
Virtualization / Hyper-V3
57092 · 50680 · 54127
Exchange / mail2
55008 · 54998
Database / SQL2
54117 · 54118
Remote access / RDP1
50474

Priority ranking

Ordered by a composite priority that weights active exploitation and disclosure above raw CVSS. Showing the sharp end; the full ranked set of 1,164 CVEs is in the index.

CVEStatusCVSSImpactOwner
CVE-2026-56155Exploited7.8Elevation of PrivilegeIdentity / AD
CVE-2026-56164Exploited5.3Elevation of PrivilegeSharePoint owners
CVE-2026-50661Zero-day6.1Security Feature BypassEndpoints / Windows client
CVE-2026-45499Critical9.9Elevation of PrivilegeCloud / M365 apps
CVE-2026-57100Critical9.9Elevation of PrivilegeOther / general Windows
CVE-2026-57092Critical9.9Elevation of PrivilegeVirtualization / Hyper-V
CVE-2026-38968Critical9.8Other / general Windows
CVE-2026-50522Critical9.8Remote Code ExecutionSharePoint owners
CVE-2026-58644Critical9.8Remote Code ExecutionSharePoint owners
CVE-2026-50518Critical9.8Remote Code ExecutionNetwork / infra servers
CVE-2026-55010Critical9.8Remote Code ExecutionOther / general Windows
CVE-2026-55944Critical9.8Remote Code ExecutionCloud / M365 apps
CVE-2026-56159Critical9.8Remote Code ExecutionNetwork / infra servers
CVE-2026-56188Critical9.8Remote Code ExecutionNetwork / infra servers
CVE-2026-48561Critical9.6Remote Code ExecutionCloud / M365 apps

Plus further Critical-severity items this cycle — browse and filter them all in the index.

Browse the full index of all 1,164 vulnerabilities →

Deep dives

The items on the sharp end, with attack profile and cross-source context.

Active Directory Federation Services Elevation of Privilege

Severity
Important · CVSS 7.8 · Elevation of Privilege
Profile
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Why now
in CISA KEV (added 2026-07-14); MSRC Exploited
“Um so our zero day is in the active directory federated services uh module.”From HCL webinar

Microsoft SharePoint Server Elevation of Privilege

Severity
Moderate · CVSS 5.3 · Elevation of Privilege
Profile
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
Why now
in CISA KEV (added 2026-07-14); MSRC Exploited; network / no-auth / no-interaction; ⬆ HCL: flagged dangerous
“Uh, as well as share as well as SharePoint and, uh, the Microsoft message queuing system.”From HCL webinar

Windows BitLocker Security Feature Bypass

Severity
Important · CVSS 6.1 · Security Feature Bypass
Profile
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Why now
publicly disclosed (zero-day); ⬆ HCL: flagged dangerous
“You want to talk about your evil maid, Jason, and BitLocker?”From automox-podcast

Sources & method

Authoritative counts and exploitation flags come from Microsoft's MSRC Security Update Guide and CISA's Known Exploited Vulnerabilities catalog. Independent reporting and analyst commentary corroborate and add context but do not set priority.

Ranking is a composite score that weights active exploitation and public disclosure above raw CVSS, adjusted for network-reachable / no-authentication attack profiles and field-analyst judgment — which is why a low-CVSS vulnerability under active attack can outrank an unexploited 9.8.

  • BackboneMicrosoft MSRC (2026-Jul) · CISA KEV catalog
  • Reportingkrebsonsecurity.com · thezdi.com · isc.sans.edu · bleepingcomputer.com
  • AnalystHCL BigFix webinar · automox-podcast