Yesterday was not a normal Patch Tuesday. Microsoft released fixes for 570 to 622 vulnerabilities (depending on who's counting), more than tripling last month's already record-breaking 198. Fifty-nine of them are rated Critical. Two are being actively exploited right now. And within hours of the patches going live, a researcher dropped a working zero-day exploit that works on fully patched systems.
Source: BleepingComputer
If your IT team is staring at a wall of updates wondering where to start, I get it. Let me break down what actually matters for your business.
The two zero-days you need to patch today
CVE-2026-56164 is a SharePoint Server vulnerability that lets an unauthenticated attacker escalate privileges remotely. No credentials needed, no user interaction. Microsoft's own incident response team and Mandiant found it during active attack investigations, which means real organizations have already been hit. CISA added it to the Known Exploited Vulnerabilities catalog on July 14 and gave federal agencies until July 17 to patch. Your timeline should be similar.
CVE-2026-56155 hits Active Directory Federation Services (AD FS), the system that handles authentication for your entire Microsoft environment. It's an elevation of privilege flaw that lets an attacker with a foothold climb to domain admin. Also actively exploited. Also added to CISA's KEV.
Then there's CVE-2026-50661, a BitLocker bypass that's been publicly disclosed but not yet exploited, for now. If someone gets physical access to a device, they can sidestep disk encryption entirely.
The zero-day that patches won't fix
Hours after Patch Tuesday landed, a researcher known as Chaotic Eclipse dropped a proof-of-concept exploit called "LegacyHive" targeting the Windows User Profile Service. The exploit lets a standard user load another user's registry hive (including an admin's) and escalate privileges. And here's the kicker: it works on all supported Windows versions, including systems with the July 2026 patches installed.
There is no patch for this. Not today, probably not tomorrow. If an attacker gains even a low-level foothold on one of your employees' machines, they can use LegacyHive to go admin in minutes. For SMBs without endpoint detection and response tools, that single compromised workstation can lead to full domain takeover.
What to do this week
You can't patch 570 things at once. Here's the triage order:
- Patch SharePoint and AD FS first. The actively exploited zero-days (CVE-2026-56164 and CVE-2026-56155) are your top priority. If you run on-premises SharePoint, consider taking it offline from the internet until you've applied the update.
- Hit the CVSS 9.0+ list next. Windows VMSwitch VM escape (CVSS 9.9), Microsoft Copilot RCE (CVSS 9.6), Exchange Server spoofing (CVSS 9.6). These are the ones that cause real damage if exploited.
- Restrict local admin access. LegacyHive has no patch, so your best defense is limiting who can run what on endpoints. Least privilege is your friend here.
- Warn your team about fake GitHub repos. Arctic Wolf just uncovered 292 fake repositories pushing infostealers that target business credentials. If someone on your team downloads "free" tools from random GitHub profiles, now is the time to have that conversation.
If this feels overwhelming, you're not alone. The volume of patches is only going to grow. Microsoft has been open about AI-driven discovery tools finding more flaws faster. Having a clear patching strategy (or better yet, a managed partner who handles triage for you) is becoming less of a nice-to-have and more of a survival skill.
Let's talk about your patch management strategy
30-minute call, no sales pitch, just practical next steps.