Microsoft’s July 2026 Patch Tuesday release addresses 622 Microsoft CVEs across 154 security updates, making it the company’s largest Patch Tuesday release to date.
The release includes three zero-day vulnerabilities, two with exploitation detected and one that was publicly known before a fix became available. It also includes several Critical remote code execution vulnerabilities affecting Windows DNS Server, DHCP Server, Remote Desktop Services, SharePoint Server, SQL Server, and Microsoft Office.
IT teams should prioritize the actively exploited vulnerabilities first, followed by internet-facing systems, identity infrastructure, collaboration platforms, and business-critical servers. With hundreds of updates to manage, verifying successful deployment will be just as important as approving the patches themselves.
Microsoft Patch Breakdown
Microsoft’s July 2026 security release covers 622 Microsoft CVEs across 154 security updates. The updates span Windows, Microsoft Office, Microsoft Edge, SharePoint Server, SQL Server, Azure, Exchange Server, Microsoft Defender, Visual Studio, and other Microsoft products.
The release also includes 428 republished Chromium CVEs affecting Microsoft Edge.
July 2026 Release | Total |
Microsoft CVEs addressed | 622 |
Security updates | 154 |
Zero-day vulnerabilities | 3 |
Zero-days with exploitation detected | 2 |
Publicly known zero-days | 1 |
Republished Chromium CVEs | 428 |
CVEs by Product Family
Product Family | CVEs |
Windows | 416 |
Microsoft Office | 82 |
Microsoft Edge | 46 |
Developer Tools | 27 |
SharePoint Server | 17 |
Azure | 11 |
SQL Server | 8 |
Microsoft Defender | 5 |
Exchange Server | 5 |
Other Microsoft Products | 5 |
Total | 622 |
Windows accounts for most of the vulnerabilities addressed this month, but the release extends well beyond endpoint operating systems. IT teams also need to account for updates affecting identity, collaboration, database, networking, browser, and developer environments.
Zero-Day Vulnerabilities to Prioritize
Microsoft addressed three zero-day vulnerabilities in July. Two are being actively exploited, while one was publicly known before a security update became available.
CVE | Affected Product | Impact | Status | Priority |
CVE-2026-56155 | Active Directory Federation Services | Elevation of Privilege | Exploitation detected | Immediate |
CVE-2026-56164 | Microsoft SharePoint Server | Elevation of Privilege | Exploitation detected | Immediate |
CVE-2026-50661 | Windows BitLocker | Security Feature Bypass | Publicly known | High |
CVE-2026-56155: Active Directory Federation Services Elevation of Privilege
Microsoft has detected active exploitation of this vulnerability affecting Active Directory Federation Services. A successful attack could allow an authenticated attacker to gain elevated privileges within an affected environment.
Organizations using AD FS should treat this as an immediate identity-security priority. Patch affected systems as soon as possible and review authentication activity, changes to administrative privileges, and other signs of suspicious access.
CVE-2026-56164: Microsoft SharePoint Server Elevation of Privilege
This actively exploited vulnerability affects Microsoft SharePoint Server and could allow an attacker to gain elevated privileges.
Organizations running on-premises SharePoint Server should prioritize this update immediately, especially when servers are accessible from the internet or support sensitive business workflows. IT teams should also verify that the update was installed successfully across all affected SharePoint systems.
CVE-2026-50661: Windows BitLocker Security Feature Bypass
This BitLocker vulnerability was publicly known before Microsoft released a fix. Microsoft has not reported active exploitation, but public disclosure can increase the likelihood that attackers will begin targeting affected systems.
IT teams should prioritize laptops, shared devices, mobile endpoints, and systems at greater risk of theft or unauthorized physical access. Deploying the update promptly can help reduce exposure to attempts to bypass BitLocker protections.
Critical Vulnerabilities Affecting Enterprise Systems
Beyond the three zero-days, Microsoft addressed several Critical remote code execution vulnerabilities affecting core enterprise services. The most urgent issues include flaws in Windows DNS Server, DHCP Server, SharePoint Server, SQL Server, Remote Desktop Services, and Microsoft Office.
CVE | Product | Impact | CVSS |
CVE-2026-58248 | Windows DNS Server | Remote Code Execution | 10.0 |
CVE-2026-58249 | Windows DNS Server | Remote Code Execution | 10.0 |
CVE-2026-58245 | Windows DHCP Server | Remote Code Execution | 9.8 |
CVE-2026-58261 | Microsoft Office | Remote Code Execution | 9.8 |
CVE-2026-58263 | Microsoft Office | Remote Code Execution | 9.8 |
CVE-2026-58253 | SharePoint Server | Remote Code Execution | 9.8 |
CVE-2026-58257 | SQL Server | Remote Code Execution | 9.8 |
CVE-2026-58272 | Windows Remote Desktop Services | Remote Code Execution | 9.8 |
Windows DNS and DHCP Server Vulnerabilities
The Windows DNS Server and DHCP Server vulnerabilities should be treated as high priorities because both services play a central role in network operations. Successful exploitation could affect systems responsible for name resolution, IP address assignment, and broader network availability.
IT teams should prioritize domain controllers and servers running DNS or DHCP roles, particularly those supporting critical sites or communicating across less-trusted network boundaries.
SharePoint Server and SQL Server Vulnerabilities
The SharePoint Server and SQL Server vulnerabilities could expose sensitive data and disrupt important business applications.
Internet-facing SharePoint servers should receive accelerated attention. SQL Server updates may require coordination with database and application owners, but testing should not create unnecessary delays for high-value or exposed systems.
Windows Remote Desktop Services Vulnerability
Remote Desktop Services can provide attackers with a direct path into high-value systems when broadly accessible or exposed to the internet.
Organizations should prioritize affected servers, review where Remote Desktop Services is enabled, and restrict access while updates are deployed. Systems accessible from partner networks or large internal user populations may also require faster remediation.
Microsoft Office Vulnerabilities
The two Critical Microsoft Office vulnerabilities affect a broad endpoint population and may be relevant to users who regularly open files from external sources.
IT teams should deploy these updates promptly across managed endpoints, especially for employees who handle email attachments, shared documents, or files from customers and partners.
How to Prioritize July 2026 Patches
With 622 Microsoft CVEs in this month’s release, IT teams should prioritize updates based on exploitation status, system exposure, severity, and business impact rather than treating every patch as equally urgent.
Patch Within 24 to 72 Hours
Prioritize the vulnerabilities and systems with the greatest immediate risk:
CVE-2026-56155 affecting Active Directory Federation Services
CVE-2026-56164 affecting Microsoft SharePoint Server
Internet-facing SharePoint environments
Identity infrastructure
Exposed Remote Desktop Services
DNS and DHCP servers supporting critical operations
The two actively exploited zero-days should be prioritized in the deployment queue. Organizations using AD FS or on-premises SharePoint Server should patch affected systems as soon as operationally possible and confirm that installation completed successfully.
Patch Within 72 Hours
Next, focus on Critical remote code execution vulnerabilities affecting high-value enterprise infrastructure, including:
Windows DNS Server
Windows DHCP Server
SharePoint Server
SQL Server
Windows Remote Desktop Services
Systems with CVSS scores of 9.8 or 10.0 should receive accelerated attention, especially when they are internet-facing, broadly accessible, or essential to authentication, networking, collaboration, or business applications.
Patch Within 1 to 2 Weeks
This tier should include:
CVE-2026-50661 affecting Windows BitLocker
Critical Microsoft Office vulnerabilities
Remaining Critical updates on systems without direct external exposure
High-severity vulnerabilities affecting standard managed endpoints
Public disclosure makes the BitLocker vulnerability more urgent than a typical non-exploited flaw, particularly for laptops, mobile devices, and shared systems.
Regular Patch Cycle
Lower-severity vulnerabilities with no public disclosure, confirmed exploitation, or significant external exposure can move through the normal testing and deployment process.
Even lower-priority updates should not be ignored. IT teams should continue tracking failed installations, offline devices, and endpoints that fall outside standard maintenance windows.
The most effective prioritization combines Microsoft’s exploitability information with CVSS severity, exposure, system role, and business impact. Internet-facing services, identity systems, domain controllers, collaboration platforms, and remote access infrastructure should remain at the front of the queue.
Notable Third-Party Updates
Microsoft also republished 428 Chromium CVEs affecting Microsoft Edge. These are non-Microsoft vulnerabilities and should be tracked separately from the 622 Microsoft CVEs addressed in the July release.
Because Edge is widely deployed across Windows environments, browser updates should be included in the same compliance review as operating system and Office patches. IT teams should confirm that managed devices are running current Edge versions and identify endpoints that may have missed automatic updates because they were offline or outside normal management workflows.
Browser vulnerabilities can still create meaningful risk, especially when users access untrusted websites, open web-based applications, or work with externally hosted content. Keeping Edge updated helps reduce exposure alongside the broader Microsoft patch rollout.
How Splashtop AEM Helps IT Teams Deploy Patches
A Patch Tuesday release this large can be difficult to manage with manual workflows alone. Splashtop AEM helps IT teams identify missing updates, deploy patches faster, and verify remediation across managed endpoints from a centralized console.
With Splashtop AEM, IT teams can:
View CVE and endpoint insights to identify systems affected by newly disclosed vulnerabilities.
Deploy Windows and supported third-party software updates in real time.
Automate patching through policies, schedules, and maintenance windows.
Use ring-based deployments to test updates with a smaller device group before expanding rollout.
Monitor patch status, failures, and compliance across managed endpoints.
Run scripts and remediation actions when an update fails or additional action is required.
Use hardware and software inventory data to locate affected devices more quickly.
For teams still relying on manual patching, Splashtop AEM reduces repetitive work and makes deployment more consistent. Organizations using Microsoft Intune can add faster patching, clearer visibility, and more direct remediation workflows to enhance Intune. Teams already using an RMM can strengthen patch automation and combine endpoint management with remote troubleshooting when issues occur.
Try Splashtop AEM Free
Reduce patching delays, improve visibility into missing updates, and respond faster to critical vulnerabilities with Splashtop AEM.
Start a free trial and see how centralized patching, automation, CVE insights, and real-time compliance reporting can simplify your Patch Tuesday workflow.





