Jessica Entwistle
July 15 2026
Microsoft has released its largest ever Patch Tuesday update, issuing fixes for 622 vulnerabilities across Windows, Office, SharePoint, Active Directory and other products. The Register reports that the update includes two zero-day vulnerabilities already being exploited in the wild: CVE-2026-56155, an Active Directory Federation Services flaw allowing insufficient access control, and CVE-2026-56164, a SharePoint Server authentication bypass. Microsoft has attributed the significant increase in vulnerability disclosures to the use of artificial intelligence in security research, which has accelerated the discovery of flaws across its product estate. The company has indicated that organisations should expect continued high patch volumes as AI-assisted vulnerability research becomes more widespread.
The scale of this update presents a significant operational challenge for IT and security teams. Triaging over 600 vulnerabilities, understanding which apply to your environment, prioritising deployment based on risk and business impact, and coordinating testing and rollout across production systems is a substantial undertaking that cannot be completed in a single day or even a single week. The two actively exploited zero-days require immediate attention, but the broader patch load means that many organisations will need to make difficult decisions about sequencing, testing windows and acceptable risk while patches are staged. This update also highlights a broader trend: as AI accelerates vulnerability discovery, patch volumes are likely to remain high, which means that organisations need mature, scalable and well-resourced patch management processes to keep pace. The traditional approach of attempting to patch everything within a fixed window is becoming increasingly difficult to sustain, and organisations may need to adopt more risk-based and continuous patching models.
Organisations should focus first on the two actively exploited vulnerabilities, CVE-2026-56155 and CVE-2026-56164, particularly if they use Active Directory Federation Services or SharePoint Server in internet-facing or high-value environments. After addressing these, work through the remaining critical-rated vulnerabilities affecting systems that are exposed to the internet, accessible to untrusted users or that handle sensitive data. Ensure that patch deployment timelines are realistic, that testing is not skipped under pressure, and that there is a clear escalation path if issues arise during rollout. Consider whether your patch management process is designed to handle this scale of update, whether there is sufficient tooling and automation in place, and whether ownership and accountability for patching is clearly defined across IT operations, security and business stakeholders. For organisations that are struggling to keep pace, this may be a prompt to review whether current resourcing, processes and tooling are adequate for the current threat and vulnerability landscape.
Source: The Register