Microsoft released a record-breaking Patch Tuesday with 622 CVEs, including two actively exploited zero-days: CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in Active Directory Federation Services. The update also includes a SharePoint authentication bypass, BitLocker fixes, and major Kerberos RC4 hardening that could break legacy logins if environments are not audited first. #CVE-2026-56164 #CVE-2026-56155 #SharePointServer #ActiveDirectoryFederationServices #BitLocker #Kerberos
Keypoints
- Microsoft patched 622 CVEs in its largest Patch Tuesday release on record.
- CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in AD FS are already being exploited.
- SharePoint Server 2016 and 2019 also reached end of extended support today.
- Rapid7 disclosed CVE-2026-55040, a SharePoint JWT authentication bypass that helps chain to RCE.
- Microsoft removed the RC4 rollback switch, so admins must audit and rotate service accounts before patching.
Read More: https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html