DEV Community

NetSecOpsIO
NetSecOpsIO

Posted on • Originally published at cyber.netsecops.io

Microsoft July 2026 Patch Tuesday Fixes Two Exploited Zero-Days

Originally published on CyberNetSec.

Executive Summary

Microsoft's July 2026 Patch Tuesday is the largest in the company's history, addressing a record number of between 570 and 622 vulnerabilities across its product portfolio. The massive volume is reportedly driven by advanced AI-powered scanning tools. The update's most critical components are patches for two zero-day vulnerabilities that were actively exploited in the wild prior to the release. The first, CVE-2026-56155, is a privilege escalation flaw in Active Directory Federation Services (AD FS). The second, CVE-2026-56164, is a privilege escalation vulnerability in Microsoft SharePoint Server. Both have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, signifying a high and immediate risk to organizations. A third zero-day affecting Windows BitLocker, CVE-2026-50661, was also patched but has not been observed in active attacks.


Vulnerability Details

CVE-2026-56155: AD FS Privilege Escalation

This vulnerability in Active Directory Federation Services allows an authenticated attacker to gain administrator privileges on a compromised federation server. Discovered by Microsoft's own DART team during an incident response, its exploitation could enable an attacker to forge security tokens, compromise federated services (like cloud applications), and move laterally across the enterprise network. The flaw carries a CVSS score of 7.8.

CVE-2026-56164: SharePoint Server Privilege Escalation

This flaw in Microsoft SharePoint Server allows an unauthenticated attacker to escalate privileges due to a missing authentication check. The attack can be launched over the network with low complexity and no user interaction. Despite a moderate CVSS score of 5.3, its active exploitation and low barrier to entry make it a critical threat. A successful exploit could allow an attacker to take control of a SharePoint site, access sensitive data, and potentially pivot to other systems.

CVE-2026-50661: Windows BitLocker Security Feature Bypass

This vulnerability allows an attacker with physical access to a device to bypass BitLocker drive encryption and access encrypted data. While publicly disclosed, there is no evidence of active exploitation. This threat is most relevant for stolen or lost corporate laptops.

Affected Systems

The vulnerabilities impact a wide range of Microsoft products, including:

  • Windows Operating Systems: All supported client and server versions.
  • Microsoft SharePoint Server: 2016, 2019, and Subscription Edition.
  • Active Directory Federation Services (AD FS): On supported Windows Server versions.
  • Microsoft Office, Azure, and Microsoft Edge.

Exploitation Status

  • CVE-2026-56155 (AD FS): Confirmed active exploitation in the wild. Added to CISA KEV catalog.
  • CVE-2026-56164 (SharePoint): Confirmed active exploitation in the wild. Added to CISA KEV catalog.
  • CVE-2026-50661 (BitLocker): Publicly disclosed but no evidence of active exploitation.

The unprecedented number of fixes (nearly 60 critical, over 510 important) highlights the growing attack surface and the impact of AI in vulnerability discovery. The large number of elevation of privilege (254) and remote code execution (145) flaws indicates significant risk across the enterprise.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type Value Description Context
log_source AD FS Auditing Logs Monitor for anomalous token requests or unexpected administrative actions on federation servers. SIEM, Domain Controller Logs
url_pattern /_layouts/15/ Scrutinize SharePoint ULS logs for unusual requests to application pages, especially those that should require authentication but are accessed anonymously. SharePoint Server ULS Logs, Web Server Logs
event_id 4624 (Logon) Look for successful logons to AD FS servers from unexpected internal IP addresses or with unusual account names, which could indicate lateral movement post-exploitation. Windows Security Event Logs
process_name w3wp.exe Monitor the w3wp.exe process associated with SharePoint application pools for anomalous child processes or network connections. EDR, Sysmon Logs

Detection Methods

Security teams should prioritize detection related to the actively exploited vulnerabilities.

  1. AD FS Monitoring: Implement robust logging for AD FS. Create SIEM alerts for multiple failed logon attempts followed by a success from the same source IP, or for administrative actions performed outside of normal business hours or by unusual accounts. This aligns with D3FEND User Behavior Analysis.
  2. SharePoint Log Analysis: Use PowerShell or log analysis tools to parse SharePoint ULS and IIS logs. Hunt for requests to sensitive endpoints that lack authentication tokens or originate from external IP addresses. Microsoft recommends enabling the Antimalware Scan Interface (AMSI) integration with the "Full Request Body Scan" mode, which can help detect malicious payloads targeting this flaw. This aligns with D3FEND Network Traffic Analysis.
  3. Vulnerability Scanning: Run authenticated scans against all Windows, SharePoint, and AD FS servers to identify systems missing the July 2026 updates.

Remediation Steps

  1. Prioritize Patching: Immediately apply the July 2026 security updates, prioritizing internet-facing systems, SharePoint servers, and AD FS servers. Due to their KEV status, CVE-2026-56155 and CVE-2026-56164 should be treated as an emergency.
  2. Verify Installation: Confirm that the updates have been successfully installed and that systems have been rebooted where required.
  3. SharePoint Mitigation: As a temporary measure or compensating control, enable AMSI integration for SharePoint Server with "Full Request Body Scan" mode. This provides an additional layer of inspection for incoming requests.
  4. AD FS Hardening: Review and enforce AD FS security best practices, including using a Hardware Security Module (HSM), restricting administrative access to federation servers, and implementing MFA for all user access. This aligns with D3FEND Application Configuration Hardening.

Top comments (0)