Microsoft's July Patch Tuesday Addresses Two Actively Exploited Zero-Days, Urging Immediate Action
Microsoft's July 2026 Patch Tuesday has delivered a substantial security update, addressing a record-breaking 570 vulnerabilities across its product ecosystem. The most pressing concern for organizations, however, revolves around two zero-day vulnerabilities, CVE-2026-56155 and CVE-2026-56164, which have been actively exploited by attackers. These critical flaws impact Active Directory Federation Services (AD FS) and Microsoft SharePoint Server, both widely used enterprise components.
This development is highly significant for any organization utilizing Microsoft technologies, particularly those relying on AD FS for identity and access management or SharePoint for collaboration and document management. An elevation of privilege vulnerability in AD FS (CVE-2026-56155) could grant attackers administrative control over affected systems, leading to unauthorized access to sensitive resources, disruption of critical services, and potential deployment of ransomware. Similarly, the SharePoint Server flaw (CVE-2026-56164) allows unauthorized attackers to elevate privileges over a network, posing a direct threat to data integrity and confidentiality.
The context for this surge in patched vulnerabilities and exploited zero-days lies in the accelerating pace of cyberattacks, often fueled by automation and AI. Microsoft itself has indicated that AI-driven vulnerability discovery systems are identifying more flaws across its codebase, leading to larger patch cycles. This trend compresses the window between vulnerability disclosure and exploitation, demanding faster response times from defenders. The Verizon 2026 Data Breach Investigations Report and Google's Mandiant M-Trends report both highlight software vulnerabilities as a leading cause of breaches, underscoring the critical need for robust vulnerability management.
In practice, this means IT and security teams must treat these specific zero-day updates with the utmost urgency. For CVE-2026-56155, organizations should prioritize patching AD FS instances and review who has local access, as a privilege escalation in AD FS can be a stepping stone for broader attacks. For CVE-2026-56164 affecting SharePoint, enabling the Antimalware Scan Interface (AMSI) and setting Request Body Scan mode to Full is recommended in addition to patching. Beyond immediate patching, practitioners should audit site-owner and elevated-permission grants in SharePoint to detect any prior compromise. This incident reinforces the necessity for continuous monitoring, robust access controls, and well-tested incident response plans, especially as the threat landscape evolves with AI-powered attack capabilities.
Read original source