Microsoft's July 2026 Patch Tuesday is the largest monthly update since the record-breaking June 2026 release, patching 570 vulnerabilities across Windows, SharePoint, Active Directory Federation Services (AD FS), Remote Desktop Services, and more. Three vulnerabilities carry zero-day status — two actively exploited in the wild and one publicly disclosed before a patch was available. Organizations running on-premises Windows Servers should treat this cycle as high-priority, with patches for two Critical-rated RCE bugs in SharePoint and Windows Print Spooler leading the urgent remediation list.
What the Vulnerabilities Are
Actively Exploited Zero-Days
CVE-2026-56164 — Microsoft SharePoint Server Elevation of Privilege (Moderate / Exploited in Wild)
Attackers with an authenticated session on an on-premises SharePoint server can escalate privileges. Despite a “Moderate” label, Microsoft has confirmed active in-the-wild exploitation. Historically, SharePoint EoP bugs like this are chained with RCE vulnerabilities for full server takeover — a pattern seen in prior campaigns by ransomware operators and nation-state actors. Any on-premises SharePoint farm should be treated as a top-priority patch target for this CVE regardless of the severity label.
CVE-2026-56155 — Active Directory Federation Services Elevation of Privilege (Important / Exploited in Wild)
ADFS is the identity federation and SSO component underpinning hybrid Azure AD/on-premises authentication. Active exploitation has been confirmed. Successful exploitation allows an attacker to escalate privileges and pivot across the identity infrastructure — enabling lateral movement using the golden SAML technique and potential domain-wide compromise.
Publicly Disclosed (No Confirmed Exploitation Yet)
CVE-2026-50661 — Windows BitLocker Security Feature Bypass (Important / Publicly Disclosed)
A public PoC exists before the patch. The attack requires physical access or a foothold on the device. This mirrors the “YellowKey” BitLocker bypass pattern from earlier in 2026 where flaws in BitLocker's recovery environment allowed disk encryption bypass on lost or stolen devices.
Critical-Rated Remote Code Execution
CVE-2026-58644 — Microsoft SharePoint Server RCE (Critical)
A new, separate SharePoint RCE bug patched this month — distinct from CVE-2026-45659 (the deserialization RCE added to CISA KEV in early July). SharePoint RCE flaws have been among the most reliably exploited server vulnerabilities over the past three years, with ransomware operators and APT groups maintaining active exploit kits against unpatched SharePoint farms. Critical rating, requires patch deployment within 48 hours per Microsoft's recommendation.
CVE-2026-58608 — Windows Print Spooler RCE (Critical)
Another Print Spooler bug — the component whose PrintNightmare family of flaws have been exploited reliably since 2021. Critical-rated, and Print Spooler runs on virtually every Windows Server. If Print Spooler cannot be disabled on a server, apply this patch immediately.
Additional High-Priority Patches
Several Important-rated RCE and EoP bugs affect components commonly targeted in lateral movement and post-exploitation:
| CVE ID | Component | Impact |
|---|---|---|
| CVE-2026-58626 | Windows Remote Desktop Services | RCE |
| CVE-2026-58631 | Windows Admin Center | RCE |
| CVE-2026-58594 | Remote Desktop Client | RCE |
| CVE-2026-58640 | Windows NTFS | RCE |
| CVE-2026-58629 | DirectX Graphics Kernel | EoP |
| CVE-2026-58634 / 58633 | Desktop Window Manager | EoP |
| CVE-2026-58632 | Windows Win32K | EoP |
| CVE-2026-58627 | Windows DHCP Server | DoS |
Why It Matters
- Two actively exploited zero-days require immediate patching — CVE-2026-56164 and CVE-2026-56155 are being used in real attacks right now. Every unpatched day is an open window.
- Critical SharePoint RCE (CVE-2026-58644) is a ransomware campaign waiting to happen. If your SharePoint hasn't been patched for either this month's Critical RCE or last month's actively exploited deserialization bug, you have two unpatched Critical SharePoint RCEs running concurrently.
- Print Spooler keeps showing up — Windows Print Spooler RCEs have been patched repeatedly since 2021, and attackers keep finding new variants. If you haven't disabled Print Spooler on servers that don't need it, now is the time.
- 570 CVEs in one month is above every pre-2026 monthly average. The high volume means organizations that lack systematic patch management are falling further behind.
- AD FS exploitation has broad blast radius: a compromised AD FS instance can be used to forge tokens (golden SAML) and pivot across Microsoft 365, Azure AD, and any federated application.
Am I Affected?
You are at risk if you run:
- On-premises SharePoint Server — Subscription Edition, 2019, or 2016 (CVE-2026-56164, CVE-2026-58644)
- Active Directory Federation Services — on any on-premises Windows Server (CVE-2026-56155)
- Windows Print Spooler — running on any Windows Server or workstation (CVE-2026-58608)
- Windows Remote Desktop Services — exposed to internal or external networks (CVE-2026-58626)
- Windows 10/11 or Windows Server — any current version for the full scope of kernel, DWM, Win32K EoP bugs
SharePoint Online (Microsoft 365) is not affected by CVE-2026-56164 or CVE-2026-58644 — Microsoft handles patching on the hosted side. AD FS hosted entirely in Azure AD / Entra ID (Entra External ID) is similarly not affected by CVE-2026-56155.
What to Do About It: Step-by-Step
Priority 1 — Zero-days first (do today):
- Open Windows Update (Settings → Windows Update → Check for updates) on all SharePoint Servers and AD FS servers. Install the July 2026 cumulative update immediately.
- For WSUS/SCCM-managed environments: approve and force-push the July 2026 security update to
SharePoint ServerandWindows Servertargets now; do not wait for the normal deployment window. - Verify the cumulative update installed successfully by checking
winveror reviewing Windows Update history. Reboot if required.
Priority 2 — Critical RCE (within 24–48 hours):
- Apply the July 2026 Security Update to all on-premises SharePoint farms to remediate CVE-2026-58644.
- On servers where Print Spooler is not required, disable it immediately rather than waiting:
If Print Spooler is required (file/print servers), patch and monitor.Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled
Priority 3 — RDS and Admin Center (this week):
- Patch Windows Remote Desktop Services (CVE-2026-58626) on all RDS servers and Remote Desktop gateways.
- If Windows Admin Center is deployed, patch or restrict access to management-only network segments.
Verification:
- After patching, re-run Windows Update to confirm the July 2026 Cumulative Update shows as “Installed” with no pending restarts.
- For AD FS: confirm the AD FS service starts cleanly after the update and that federation with downstream relying parties is working as expected.
Quick-Win Checklist
- Applied July 2026 Cumulative Update to all on-premises SharePoint Servers (CVE-2026-56164 + CVE-2026-58644)
- Applied July 2026 Security Update to all AD FS servers (CVE-2026-56155)
- Disabled Print Spooler on Windows Servers that don't require printing, OR patched (CVE-2026-58608)
- Applied RDS security update to all Remote Desktop Services servers (CVE-2026-58626)
- Confirmed all servers rebooted post-update where required
- Checked event logs for suspicious SharePoint/AD FS activity in the hours since Patch Tuesday announcement (active zero-day exploitation means attackers may have already moved)
- Reviewed whether additional high-priority CVEs in this batch (NTFS RCE, Win32K EoP, Admin Center RCE) affect your environment
Sources
- CyberSecurityNews — Massive Microsoft Patch Tuesday Update: 570 Vulnerabilities Fixed, Including 3 Zero-Days (July 14, 2026)
- BleepingComputer — Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days (July 14, 2026)
- Microsoft Security Update Guide — CVE-2026-56164
- Microsoft Security Update Guide — CVE-2026-58644
- Microsoft Security Update Guide — CVE-2026-58608