Big blast of fixes — what landed
Microsoft just dropped what feels like a security firehose: a single update that covers 622 unique vulnerabilities. Yes, six-hundred-and-twenty-two. If you heard the term Patch Tuesday whispering like a freight train, that’s why. Two of the bugs are already being used by attackers, and a few more deserve quick attention. In short: this isn’t your usual light July patch‑day.
High-level headlines, in plain English:
- Two actively exploited elevation-of-privilege bugs hit core identity and collaboration systems: SharePoint Server and Active Directory Federation Services (AD FS).
- A BitLocker bypass was publicly disclosed but requires physical access — patch, but it’s not as urgent as remote bugs.
- A JWT auth bypass in SharePoint was revealed by a third party; it was chained to an unpatched remote code execution (RCE) that’s scheduled to be fixed next month, so July’s fix breaks the chain.
- Microsoft removed the RC4 rollback switch for Kerberos, which can cause authentication failures unless you audit and rotate service accounts first.
Patch priorities — do these first
Don’t be dazzled by CVSS scores this time. Two mid-range privilege bugs are already weaponized, and that makes them top of the list regardless of their numeric rating.
- CVE-2026-56164: A SharePoint Server elevation-of-privilege flaw that attackers are using in the wild. If you host SharePoint on-prem, get this patched ASAP. Extra tip: enabling AMSI in Full Mode on servers helps blunt the attack while you test and deploy.
- CVE-2026-56155: An AD FS elevation-of-privilege issue allowing an authenticated actor to gain higher rights on the host. AD FS signs tokens for many systems, so a local privilege issue there can quickly become a big problem. Patch quickly.
Quick action plan:
- Patch SharePoint and AD FS hosts first — don’t wait for extra confirmation.
- Enable recommended server hardening (AMSI Full Mode where applicable) as a stopgap.
- Monitor for unusual activity around identity servers and document stores while you deploy.
Other important bits:
- CVE-2026-50661 — BitLocker bypass: disclosed publicly and needs physical access. Patch when convenient but don’t let it block immediate fixes for exploited remote issues.
- SharePoint JWT bypass: a third-party researcher demonstrated a JWT auth bypass and chained it to an RCE that isn’t patched yet. July’s update fixes the bypass piece, making the chain unusable until the RCE is patched next month.
The lesson: exploitability matters more than a fancy score. Prioritize based on what attackers are actually using.
Kerberos RC4 cleanup and operational gotchas
Microsoft finished its RC4-to-AES Kerberos migration by removing the rollback switch admins used as a safety valve. After this update, RC4 will only work for accounts you explicitly configure to allow it. If you have any service accounts still relying on RC4 tickets, expect authentication to fail once the patch lands.
Steps to avoid an emergency 2 a.m. wake-up call:
- Run the RC4 audit events first to find accounts asking for RC4 tickets.
- Rotate passwords on flagged service accounts so Windows can generate AES keys for them — rotation fixes accounts missing AES keys.
- Fix any legacy clients or pinned configurations that insist on RC4 before you apply the update.
If you skip the audit step, the update probably won’t get you breached — it will just break stuff at the worst possible moment.
Why the giant patch pile happened (and what it means)
Microsoft says AI-driven discovery is finding far more issues than old-school scanning did. That’s why a July release that normally would be light got enormous. More bugs found means more patches shipped — and attackers can diff patches to build exploits faster than ever.
Two practical takeaways:
- Triaging by CVSS score is becoming less useful. Use exploit indicators (Microsoft’s exploited flag, public exploit sightings, and known-exploited lists) to reorder your patch queue.
- Move faster: the window between patch publication and active exploitation is shrinking. Test smart, but don’t dawdle.
Final thought: this month’s pileup is noisy but actionable. Prioritize the two exploited bugs, run the RC4 audit, rotate affected service account credentials, and be ready for more discoveries — the numbers are only going up.