Two of the zero-days Microsoft patched on July 14 are being exploited right now. Here is the one-liner to check whether either is sitting in your stack, and then the more interesting question underneath it: why the pile they were hiding in got so big, and why the same week made your coding agent part of the attack surface.
Three things to run in this post, one per section. Start with the patches.
Patch triage: find the two that are actually on fire
Microsoft shipped the largest Patch Tuesday in the program's history on the 14th. Count only what shipped that day and it is about 570 CVEs (59 critical); count the broader July release and it is 622 (62); Tenable landed at 569. Pick your methodology, every one set a record. That volume is a triage problem, not an emergency list: two of those CVEs are worth your night, and the rest are worth your week.
The two under active exploitation before a fix existed:
- CVE-2026-56155 -- Active Directory Federation Services privilege escalation, credited to Microsoft's Detection and Response Team.
- CVE-2026-56164 -- SharePoint Server escalation, no auth on a critical function, exploited unauthenticated over the network. Rated Moderate (CVSS 5.3), which undersells it.
Cross-reference against the CISA KEV catalog, which is your priority override regardless of CVSS. This pulls the live feed and returns the entries plus the federal due date if they are listed:
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq '.vulnerabilities[]
| select(.cveID | test("CVE-2026-56155|CVE-2026-56164"))
| {cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse}'
If a row comes back, it is a confirmed-exploited priority override. Patch it, then check whether you were hit before the patch landed.
Two more notes for the on-prem crowd. CVE-2026-56164 does not stand alone: the same release separately fixed CVE-2026-55040, the first half of a different SharePoint chain that Rapid7's Stephen Fewer says reaches unauthenticated RCE once the second, still-embargoed half ships (Microsoft's patch expected in August). Patch the farms now and go looking. And the third zero-day, CVE-2026-50661, is a BitLocker bypass -- publicly disclosed, but it needs physical access and Microsoft rates exploitation unlikely, so it is a slower clock.
Why is the pile this big? Microsoft says so directly. In a July 9 post, EVP Pavan Davuluri told customers to expect more updates per release as the company leans on AI-assisted discovery; VP Tom Gallagher said the same in May. Nobody claimed all 570 came from a machine, but the trend is Microsoft's own. Their operational response is the tell: they cut the recommended deferral window for quality updates to under three days, framing it as AI-era speed. Bugs get found and exploited faster, patches get analyzed faster. Microsoft is not claiming attackers run its exact pipeline, only that attackers are adopting AI too. The machine that finds bugs faster runs for both teams.
The coding agent is the other attack surface
On July 8, Wiz published GhostApproval and the AI Now Institute published Friendly Fire. Same day. Together they break the trust boundary every agentic coding tool is betting on.
GhostApproval is a symlink attack, which is a 1990s Unix problem wearing new clothes. The agent reads a file, reasons out loud that it is a symlink pointing at a sensitive path, and writes to it anyway. The approval dialog names only the harmless-looking file; the agent writes to the resolved target. The human is in the loop, and the loop is showing them the wrong thing. Amazon rated its version a high-severity pre-auth write (CVE-2026-12958). Cursor shipped CVE-2026-50549 in v3.0. Google fixed Antigravity. Augment and Windsurf were still open at publication. Current Claude Code builds resolve symlinks.
Friendly Fire is the one that changes procurement. Boyan Milanov and Heidy Khlaaf targeted the workflow everyone wants to automate: point the agent at an untrusted third-party repo and ask it to review and patch. The exploit needs no hooks, no skills, no plugins, no MCP server, no malicious config file. It does require the agent running in an autonomy mode -- Claude Code in auto-mode or Codex in auto-review, the setting that hands command approval to the agent instead of you. Then it is a prompt injection sitting in ordinary repo content, a README pointing at a plausible security script, and the agent runs it because it was asked to do security testing. The authors are blunt: a model update alone cannot fix this, because the models still cannot reliably separate the code they are reading from the instructions they are meant to follow.
So the practical question is not "is my agent patched." It is "what is my agent allowed to do, and can I see what it does." Start with egress. This is a first look at what your coding-agent processes are actually connecting to:
# macOS / Linux: current network connections held by coding-agent processes
sudo lsof -i -nP | grep -iE 'claude|cursor|copilot|codeium|windsurf|augment|antigravity'
It is a snapshot, not monitoring, and that gap is the point of the next section.
Claude Code: the egress lesson, live
China's government-run National Vulnerability Database flagged Claude Code versions 2.1.91 through 2.1.196 as a "backdoor" transmitting location and identity without consent, and told developers to uninstall. Anthropic denied an espionage backdoor and called the disputed functionality an anti-abuse experiment; a Claude Code engineer said an anti-distillation steganography mechanism was removed in 2.1.198 on July 1. I cannot adjudicate that and neither can you. What the record establishes is narrow: anti-distillation logic existed and was removed. It does not settle whether it was a backdoor or transmitted what China alleged.
Here is the part that survives the dispute, and it is aimed straight back at the lsof output above. Run that command and ask yourself honestly whether you can explain every connection. Most shops cannot. A privileged agent whose egress you do not observe and whose telemetry you cannot enumerate is a trust boundary you are extending blind, regardless of anyone's intent. The fix is not picking a side in a geopolitical fight. It is treating any agent with this much reach the way you would treat any other privileged process: observable egress, documented telemetry, least privilege that constrains what it can spend.
The boring attack surface: known bugs and bad config
While everyone watched the machines, a coalition of Western agencies told you what is actually being exploited. On July 13, NSA led advisory AA26-194A with CISA, the FBI, DC3, the other Five Eyes countries, and European partners: Russian state actors hitting critical infrastructure through public-facing network gear. Not zero-days. Known, already-patched CVEs and elementary config failures -- default SNMP community strings, weak passwords, exposed management interfaces, Cisco Smart Install left on.
The advisory reads like a checklist you can run against your own edge. Authorized scanning only, your own devices:
# Weak/default SNMP community strings (advisory calls these out explicitly)
nmap -sU -p161 --script snmp-info <your-device-ip>
# Cisco Smart Install listening on 4786 -- should almost never be exposed
nmap -p4786 <your-device-ip>
Pair it with the campaign CISA and the FBI have kept live since spring: actors tied to Russian intelligence phishing people out of Signal and WhatsApp accounts. Nobody cracked Signal. They get the target to hand over a verification code or link an attacker device, and walk around the crypto by owning the account. The documented version of the whole Russian playbook needs no AI at all: unpatched known bugs, bad config, and a convincing lie.
The pattern
Line them up. A record patch release from a pipeline Microsoft increasingly runs on AI. An agent that wrote to a symlink it had just identified as dangerous. A dev tool carrying disputed code its users could not evaluate in advance. A critical-infrastructure router exposed by a known bug or a default nobody changed. A Signal account lost to a convincing lie. Different altitudes, one failure: trust extended past the point the surrounding controls can defend.
Patch the two exploited zero-days today -- not up for debate. But faster patching is a treadmill, not a strategy. You cannot out-run a discovery engine that runs for the attacker too, a model update alone will not teach an agent to reliably tell code from instructions, and no patch fixes a default credential the vendor left you to change. Those need the other move: least privilege that bites, credentials the agent cannot quietly spend, network paths you can see, an admin interface that was never on the internet. Patching keeps you alive. It does not fix the trust model.
Run the three blocks above. If the KEV query returns a row, that is tonight. If the lsof output has a connection you cannot explain, that is the exposure the Claude Code fight is really about. And if the nmap checks light up on your own edge, the Russians did not need a zero-day to find you either.
Top comments (0)