Microsoft's 622-CVE Patch Tuesday | Orca Security
2026 State of AI Security Report is live. Real findings from 1,200+ production environments.
Get the Report
2026 State of AI Security Report is live. Real findings from 1,200+ production environments.
View more results
Microsoft’s July 2026 Patch Tuesday is the largest in the company’s history, addressing 622 CVEs across Windows, Office, Azure, SharePoint, Exchange, and more. Buried inside that record volume is the fix that should jump to the top of every cloud security team’s list: CVE-2026-56164, an unauthenticated, actively exploited zero-day in SharePoint Server. If you run SharePoint anywhere in your cloud estate, this is the one to act on today.
The sheer scale of this release is notable in its own right. The record volume is partly attributed to Microsoft’s AI-powered vulnerability discovery system (MDASH), which surfaced a significant number of bugs across the Windows codebase. Of the 622 fixes, roughly 56 to 62 are rated Critical, about 510 are Important, and 3 are Moderate, spanning 254 Elevation of Privilege, up to 166 Remote Code Execution, up to 109 Information Disclosure, 35 Denial of Service, 17 Security Feature Bypass, and 16 Spoofing vulnerabilities. Two of these are confirmed exploited in the wild, and one more was publicly disclosed before a patch existed. But volume is not the story. Prioritization is, and in the cloud that means knowing which of these hundreds of CVEs actually sits on an exposed, reachable asset in your environment.
About CVE-2026-56164
CVE-2026-56164 (SharePoint Server, CVSS 5.3, Actively Exploited)
Do not let the modest 5.3 CVSS score fool you. This is an unauthenticated, network-based privilege escalation vulnerability in SharePoint Server that requires no user interaction and is being exploited right now. It was discovered by Mandiant/Google FLARE incident responders during real-world attacks, which is why it warrants far more urgency than its base score suggests. This is a textbook example of why CVSS alone is a poor prioritization signal: a "medium" score on a pre-auth, zero-click, actively-weaponized flaw is a critical exposure in practice.
SharePoint Server 2016, 2019, and Subscription Edition are all affected. The timing makes it worse: SharePoint Server 2016 and 2019 reached end-of-extended-support on July 14, 2026, the very day this patch shipped, so organizations still on those versions are patching a product that is otherwise out of support. Microsoft recommends enabling AMSI integration with Full Request Body Scan mode as an interim mitigation.
Why this matters for cloud teams specifically: SharePoint Server increasingly runs in IaaS (Azure VMs, EC2, GCE) as part of lift-and-shift migrations and hybrid deployments, often with internet-facing front ends and broad identity permissions attached to the underlying compute. A pre-auth privilege escalation on an internet-exposed SharePoint instance is exactly the kind of foothold that turns into lateral movement across a cloud tenant. The combination of "internet-exposed + unpatched + actively exploited + over-permissioned instance role" is what elevates this from a patch line item to an incident waiting to happen.
Affected Systems
All Windows environments are impacted, with 416 of the 622 fixes touching Windows components (kernel, GDI+, Media, DirectX Graphics, networking). For cloud teams, the priority set is narrower but sharper: internet-exposed SharePoint Server (2016, 2019, Subscription Edition) running in IaaS, AD FS hosts federating identity into your cloud, Hyper-V hosts backing virtualized workloads, DHCP infrastructure, Exchange with OWA, and Dynamics NAV/365 Business Central.
Risk Impact
CVE-2026-56155 (AD FS, CVSS 7.8, Actively Exploited): A local privilege escalation flaw in Active Directory Federation Services that lets an attacker with local access escalate to administrator. Microsoft’s Detection and Response Team (DART) found it during active incident response, confirming exploitation in the wild. Because AD FS underpins federated identity into cloud services, compromise here has outsized blast radius across SaaS and cloud tenants. Any organization running AD FS should patch immediately.
CVE-2026-50661 (BitLocker, CVSS 6.1, Publicly Disclosed Before Patch): A security feature bypass in Windows BitLocker requiring physical access, disclosed publicly before a fix was available. Microsoft assesses exploitation as less likely, but it belongs on the radar for endpoint and physical-security owners.
Beyond the zero-days, several critical CVEs map directly onto cloud infrastructure: CVE-2026-57092 (Hyper-V VMSwitch, CVSS 9.9) is the highest-severity flaw in this release, a use-after-free enabling guest-to-host escape, a serious multi-tenancy and isolation concern anywhere Hyper-V backs virtualized or hosted workloads. CVE-2026-50518 and CVE-2026-56159 (DHCP Server, CVSS 9.8) are buffer overflows exploitable via malicious DHCP packets,...