Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Microsoft released a record-breaking 622 security updates in July, including two actively exploited zero-day vulnerabilities in SharePoint Server and Active Directory Federation Services. The update finalizes the multi-year deprecation of Kerberos RC4 encryption, requiring administrators to audit and rotate service account passwords to prevent authentication failures. SharePoint Server 2016 and 2019 reached end-of-life simultaneously with the patch, leaving self-hosted instances without extended
Analysis
TL;DR
- Microsoft released a record-breaking 622 security updates in July, including two actively exploited zero-day vulnerabilities in SharePoint Server and Active Directory Federation Services.
- The update finalizes the multi-year deprecation of Kerberos RC4 encryption, requiring administrators to audit and rotate service account passwords to prevent authentication failures.
- SharePoint Server 2016 and 2019 reached end-of-life simultaneously with the patch, leaving self-hosted instances without extended support options.
- A significant portion of the vulnerabilities involve Remote Code Execution (RCE), with 95 RCE bugs identified across the release, particularly within Windows components.
- Severity ratings proved unreliable this cycle, with discrepancies between vendor scores and actual exploitability, such as a JWT bypass rated differently by Rapid7 and ZDI.
Why It Matters
This release highlights the critical importance of prioritizing vulnerability remediation based on active exploitation status rather than just CVSS severity scores, as demonstrated by the low-severity but actively attacked SharePoint flaw. For IT operations, the mandatory removal of the RC4 rollback switch poses a significant operational risk, necessitating immediate auditing to avoid widespread login disruptions. Additionally, the end-of-support for older SharePoint versions underscores the urgency for organizations to migrate to supported environments to maintain security compliance.
Technical Details
- Active Zero-Days: CVE-2026-56164 allows unauthenticated privilege escalation in on-premises SharePoint Server, while CVE-2026-56155 enables local privilege escalation in Active Directory Federation Services (AD FS). Both were discovered during active incident response.
- RC4 Deprecation: The update removes the
RC4DefaultDisablementPhaserollback switch. RC4 is now disabled by default for all accounts unless explicitly configured otherwise, requiring pre-patch auditing using specific event logs to identify legacy service accounts. - Volume and Scope: The patch includes 416 fixes for Windows, 82 for Office, 46 for Microsoft Edge, and 27 for Developer Tools. Notable high-severity issues include a VMSwitch RCE (CVE-2026-57092) rated 9.9 and multiple DHCP RCEs.
- SharePoint Specifics: In addition to the zero-day, CVE-2026-55040, a JWT authentication bypass disclosed by Rapid7, was patched. This bypass was part of a chain leading to unauthenticated RCE, with the RCE component itself scheduled for an August fix.
- BitLocker Bypass: CVE-2026-50661 addresses a physical-access BitLocker bypass, continuing a trend of similar vulnerabilities like bitskrieg and YellowKey from earlier in the year.
Industry Insight
Organizations must treat the RC4 deprecation as a high-priority operational task, executing a strict audit-rotate-patch sequence to prevent service outages. Security teams should prioritize patching SharePoint and AD FS immediately due to active exploitation, regardless of official severity ratings. Furthermore, enterprises running legacy SharePoint versions must accelerate migration plans given the simultaneous end-of-support, as these systems no longer receive security updates or extended support purchases.
Disclaimer: The above content is generated by AI and is for reference only.