Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Microsoft released a record-breaking Patch Tuesday with 622 CVEs, including two actively exploited zero-days: CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in Active Directory Federation Services. The update also includes a SharePoint authentication bypass, BitLocker fixes, and major Kerberos RC4 hardening that could break legacy logins if environments are not audited first. #CVE-2026-56164 #CVE-2026-56155 #SharePointServer #ActiveDirectoryFederationServices #BitLocker #Kerberos

Keypoints

  • Microsoft patched 622 CVEs in its largest Patch Tuesday release on record.
  • CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in AD FS are already being exploited.
  • SharePoint Server 2016 and 2019 also reached end of extended support today.
  • Rapid7 disclosed CVE-2026-55040, a SharePoint JWT authentication bypass that helps chain to RCE.
  • Microsoft removed the RC4 rollback switch, so admins must audit and rotate service accounts before patching.

Read More: https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html