Skip to main content
Back to Newswire
Security

Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days

Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days Image: Primary
Microsoft on Tuesday announced patches for a record-breaking 622 vulnerabilities, including two bugs in Active Directory and SharePoint Server that have been exploited in the wild as zero-days. The company said the Active Directory flaw, tracked as CVE-2026-56155, affects Federation Services and could allow attackers to elevate their privileges locally to administrator. The SharePoint Server flaw, tracked as CVE-2026-56164, also leads to privilege escalation and can be exploited over the network without authentication. Microsoft also drew attention to CVE-2026-50661, a BitLocker security feature bypass issue exploitable by physical attackers that was publicly disclosed before the July 2026 Patch Tuesday. According to Microsoft release notes, Windows received fixes for 416 vulnerabilities this month, while the Office suite received patches for 164. Critical flaws include a Windows VMSwitch vulnerability tracked as CVE-2026-57092 with a CVSS score of 9.9, and SharePoint flaws tracked as CVE-2026-50522 with a CVSS score of 9.8. Other notable defects include an XSS in Exchange Server and remote code execution bugs in Remote Desktop Protocol, Windows DHCP Server, Windows Server Network driver, and Minecraft Bedrock Dedicated Server. The updates also resolve weaknesses across Azure, Defender, Developer Tools, Edge, and SQL Server. Last week, Windows executive VP Pavan Davuluri said AI is speeding up vulnerability discovery and that Microsoft is using multi-model agentic scanning harness (MDASH) to surface bugs faster. "We continue to evolve our internal systems and practices so that vulnerability discovery is not treated as a separate activity, but as part of how we build, review, and improve Windows before new features or updates are released," Davuluri said.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business. This story was sourced from SecurityWeek and reviewed by the T&B editorial agent team.