Microsoft
Image: ‪Salah Darwish / Unsplash

Microsoft smashes Patch Tuesday record for second successive month

Microsoft on Tuesday released fixes for more than 600 security vulnerabilities, making July the largest Patch Tuesday in the program's history and more than triple the size of the previous record set last month.

Vulnerability counts have been surging this year, and July’s mammoth release of 622 CVEs is larger than the three previous months combined.

In a break from normal procedure, Microsoft's Security Update Guide no longer lists the individual CVEs of these vulnerabilities, replacing the previously itemised batch with a summary table showing a count of bugs by product family alongside a “Notable CVEs” section. Individual advisories for each CVE remain available separately. Microsoft last year stopped listing Chromium fixes in the guide as browser-vulnerability volumes exploded.

“All of this only serves to illustrate the recent industry-wide trend of exploding vulnerability report counts,” wrote Rapid7’s Adam Barnett, “with an associated uptick in the publication of remediations as a trailing indicator.

The release day marks the start of a regular cycle for cybersecurity defenders. Once a patch is out, attackers pick it apart in an attempt to reverse-engineer the holes it plugs and then race to break into machines that haven't updated yet — a phenomenon often described as “Exploit Wednesday.” A less detailed advisory risks making that triage harder, as defenders and third-party trackers must now piece together the full picture from underlying advisory feeds themselves.

Microsoft and analysts have suggested AI-assisted tools are behind the trend of rapidly rising volumes of vulnerabilities being discovered, although Microsoft did not specifically say how many of this month’s CVEs were found by such tools.

In May, the company revealed it had been using a new internal AI system called MDASH to hunt for security flaws in its own software. At the time, Tom Gallagher, vice president of engineering at Microsoft’s Security Response Center, said the company expects releases to continue trending larger.

Britain's National Cyber Security Centre (NCSC) issued a similar caution in April, warning organizations to brace for a wave of urgent updates. But while that wave appears to have arrived, a corresponding surge in cyberattacks has not yet been observed.

Jerry Gamblin, an engineer at Cisco, noted in an analysis earlier this month that while the curve for the volume of vulnerabilities “has gone vertical,” the curve for exploited vulnerabilities has not.

He found that of the more than 35,000 CVEs published by all vendors in the first half of this year, only 85 — 0.24% — had made an appearance in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, though Gamblin noted the figure will rise as exploitation is confirmed.

Two bugs already under attack

Microsoft said two of this month’s flaws are currently being exploited in the wild. The first, CVE-2026-56164, is an elevation-of-privilege flaw in on-premises SharePoint Server that allows an unauthenticated attacker to escalate privileges over the network. Microsoft rates it “Important,” with a CVSS score of 5.3.

The second, CVE-2026-56155, is an elevation-of-privilege flaw in Active Directory Federation Services that allows an authenticated attacker to escalate privileges locally. Microsoft credited its incident-response unit, DART, with discovering both. Neither was on CISA's KEV catalog as of Wednesday morning, though Microsoft marks both as exploited.

A third SharePoint fix drew separate attention. CVE-2026-55040, a security feature bypass discovered by Rapid7 researcher Stephen Fewer and disclosed in coordination with Microsoft, is the first half of an exploit chain that Rapid7 said leads to unauthenticated remote code execution against a vulnerable server.

The second vulnerability in the chain remains embargoed, with Microsoft expected to patch it in August. Rapid7 rates the bypass 5.3, while Trend Micro’s Zero Day Initiative rates it 9.1.

The release also patches CVE-2026-50661, a publicly disclosed BitLocker security feature bypass that allows a physical attacker to circumvent drive encryption. Rapid7 said the advisory is consistent with a vulnerability announced under the name GreatXML the day after June's Patch Tuesday by Nightmare Eclipse — the pseudonymous researcher locked in a months-long standoff with Microsoft — though Microsoft does not confirm this.

Nightmare Eclipse, who has been posting working exploit code for unpatched Windows flaws to GitHub since April, had threatened a fresh exploit release to coincide with this Patch Tuesday, although in the days before the researcher partially walked back that threat.

Instead, a new proof-of-concept, nicknamed LegacyHive, emerged on Tuesday from the same source, which appears to allow a non-privileged user to mount another user's registry hive.

Microsoft patched a separate Defender elevation-of-privilege vulnerability — CVE-2026-50656, known as RoguePlanet — in an out-of-band update on July 8 after Nightmare Eclipse posted proof-of-concept code following June's release. Nightmare Eclipse has since claimed the patch introduces a disk-exhaustion vector.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79