Microsoft patches record 622 flaws including two zero-days under attack

Critical Microsoft Patch Tuesday fixes 622 flaws including two zero-days exploited in attacks affecting healthcare SharePoint and AD FS systems.

MRAdmin
By
2 Min Read

Microsoft shipped its largest Patch Tuesday on record, releasing fixes for 622 CVEs across its product ecosystem. The July 2026 update more than triples June’s previous high and includes patches for two zero-days already exploited in active attacks that could affect healthcare organizations running Microsoft infrastructure.

Both exploited bugs are elevation-of-privilege vulnerabilities in critical identity and collaboration systems widely used in healthcare. CVE-2026-56164 affects on-premises SharePoint Server, allowing an unauthenticated attacker to escalate privileges over the network without user interaction. Microsoft credited Mandiant’s incident response team and Google’s FLARE team, indicating the flaw was discovered during active attack investigations.

The second exploited zero-day, CVE-2026-56155, resides in Active Directory Federation Services (AD FS). It lets an already-authenticated attacker escalate privileges locally through weak access controls. AD FS is commonly used by healthcare systems for single sign-on across electronic health record platforms and other clinical applications.

Neither vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog yet, though Microsoft’s exploitability rating marks both as actively exploited. Healthcare organizations running self-hosted SharePoint or AD FS should prioritize patching immediately. The urgency is compounded by the end of extended support for SharePoint Server 2016 and 2019, with no Extended Security Updates program available for those versions.

Microsoft also addressed a third publicly disclosed zero-day, CVE-2026-50661, a BitLocker bypass requiring physical access. While less urgent for remote threats, it poses a risk for portable devices and laptops common in healthcare settings.

The record patch count reflects the accelerating pace of vulnerability discovery driven by AI-assisted security research. Healthcare IT teams should review the full advisory to ensure all critical systems are updated.

Share This Article