Microsoft Just Shipped Its Biggest Patch Batch Ever — 570 Fixes. Two Were Already Under Attack, and CISA Gave Federal Agencies Days to Catch Up.
On July 14, 2026, Microsoft shipped the largest Patch Tuesday in the program’s 23-year history — 570 security fixes by the count BleepingComputer and Krebs on Security both use, with Microsoft’s own tally running higher still once Chromium, Edge, and Extended Security Update rollups are folded in. Buried in that batch were two vulnerabilities the Cybersecurity and Infrastructure Security Agency says attackers were already exploiting before Microsoft finished writing the fix.
The next day, CISA added both to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 26-04, ordered every federal civilian executive-branch agency to patch a SharePoint flaw — CVE-2026-56164 — by July 17, and an Active Directory Federation Services flaw — CVE-2026-56155 — by July 28. The urgency is not theoretical. A different SharePoint zero-day, exploited in a 2025 campaign researchers named “ToolShell,” compromised more than 400 organizations — including the National Nuclear Security Administration.
A year later, the Shadowserver Foundation still counts roughly 10,000 SharePoint servers exposed to the open internet worldwide — more than 800 of them unpatched against SharePoint bugs Microsoft fixed earlier in 2026, before this month’s record batch even shipped.
- 570 — CVEs closed in Microsoft's July 2026 Patch Tuesday — the largest release in the program's 23-year history, and nearly triple June 2026's prior record of 206 by Microsoft's own higher count · Source: BleepingComputer, Krebs on Security
- July 17 — CISA's federal deadline to patch CVE-2026-56164, a missing-authentication SharePoint flaw already under active exploitation · Source: CISA KEV catalog, BleepingComputer
- July 28 — CISA's federal deadline for CVE-2026-56155, an Active Directory Federation Services flaw Trend Micro's Dustin Childs says can be 'paired with an RCE as we often see in ransomware' · Source: CISA, BleepingComputer
- 400+ — organizations breached in the 2025 'ToolShell' SharePoint campaign, including the National Nuclear Security Administration, DOE, DHS, and HHS — attributed to Chinese state-linked hacking groups · Source: CyberScoop, BleepingComputer
- ~10,000 — SharePoint servers still exposed to the internet worldwide, with 800+ already unpatched against earlier 2026 SharePoint bugs before this batch shipped · Source: Shadowserver Foundation
Microsoft’s July 2026 Patch Tuesday landed with 570 CVEs closed in a single release — a figure BleepingComputer and Krebs on Security both use to describe it as the largest cumulative update in Patch Tuesday’s 23-year history. Microsoft’s own count runs higher still, as high as the low 600s by some tallies, once Chromium, Microsoft Edge, and Extended Security Update packages are folded into the total — a methodology difference the company doesn’t fully reconcile in its own release notes. Either way, the batch is nearly triple June 2026’s previous record of 206 CVEs, and it included three zero-day vulnerabilities already being exploited in the wild before the fixes shipped.
Pavan Davuluri, Microsoft’s executive vice president for Windows and Devices, offered an explanation for why these batches keep growing, quoted in Krebs on Security’s coverage: “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code.” The same AI tooling accelerating vulnerability discovery inside Microsoft is, by most security researchers’ accounts, also accelerating how fast attackers find and weaponize the vulnerabilities Microsoft hasn’t found yet.
Two of the 570 fixes carried a legal deadline attached, not just a recommendation. On July 14, CISA added CVE-2026-56164 and CVE-2026-56155 to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 26-04, ordered every federal civilian executive-branch agency — every cabinet department, every independent agency covered by the directive — to remediate on a clock measured in days, not the weeks or months typical of a routine security bulletin.
CVE-2026-56164 (SharePoint): A missing-authentication flaw. Federal deadline: July 17, 2026 — three days after disclosure.
CVE-2026-56155 (Active Directory Federation Services): Federal deadline: July 28, 2026. Trend Micro’s Dustin Childs, of the Zero Day Initiative, noted it “can also be paired with an RCE as we often see in ransomware.”
CVE-2026-45659 (SharePoint, earlier): Added to the KEV catalog July 1, with a federal deadline of July 4, 2026 — the same SharePoint code family, patched two weeks before the record batch shipped.
Security updates for July 2026 are now available. Details are here:
No named CISA Director or spokesperson attached a personal quote to this specific KEV addition — the agency speaks through the catalog entries and its own hardening alert, which pressed agencies to go beyond the minimum patch and audit SharePoint deployments directly. The absence of a soundbite doesn’t soften the deadline: BOD compliance is not optional guidance for the agencies it covers.
CISA’s urgency traces directly to precedent. In July 2025, a different SharePoint zero-day was exploited in a campaign security researchers named “ToolShell,” compromising more than 400 organizations worldwide, per CyberScoop. Among the confirmed federal victims: the National Nuclear Security Administration, the semi-autonomous Department of Energy agency that oversees the U.S. nuclear weapons stockpile, along with other parts of DOE, DHS, and HHS.
Scope: More than 400 organizations compromised worldwide, per CyberScoop and BleepingComputer.
Confirmed federal victims: The National Nuclear Security Administration, the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services.
Attribution: Chinese state-linked threat actors tracked as Linen Typhoon, Violet Typhoon, and Storm-2603.
Vulnerability class: SharePoint — the same on-premises server software family targeted again by this July 2026 batch.
“Microsoft SharePoint attacks: 400+ victims, US agencies among them.”
CyberScoop, on the 2025 ToolShell campaign

The 2025 breach was supposed to be the wake-up call. A year later, the Shadowserver Foundation’s internet-wide scans still count roughly 10,000 SharePoint servers reachable from the open internet globally. More than 800 of those were already unpatched against SharePoint vulnerabilities Microsoft had fixed earlier in 2026 — before July’s record batch, and before CVE-2026-45659’s own four-day federal patch window closed on July 4.
Weekly CISA KEV update: CVE-2026-45659, a SharePoint remote code execution flaw, added to the Known Exploited Vulnerabilities catalog — federal agencies had until July 4 to patch.
That gap between a federal patch deadline and an actual internet-wide scan is the part CISA’s directives can’t close by themselves — a BOD binds federal civilian agencies, not the state governments, contractors, universities, and private companies that make up the bulk of those 10,000 exposed servers. The same SharePoint code family that hit the nuclear weapons agency in 2025 is, by Shadowserver’s count, still reachable at scale in 2026.
The same news cycle carried a smaller, unrelated story about how strained vendor-researcher disclosure relationships have become: a pseudonymous researcher going by “Nightmare-Eclipse” published a separate Windows zero-day, nicknamed “LegacyHive,” just hours after Patch Tuesday shipped — a move condemned by some in the security community as reckless disclosure and defended by others as a response to vendors sitting on reported bugs too long. It carries no federal-accountability angle of its own; it’s a corporate and researcher dispute, not a government-systems story, but it’s a data point in the same broader picture of a disclosure ecosystem under strain the same week CISA was racing federal agencies against a clock.
Microsoft shipped 570 fixes in a single release and still didn’t get ahead of attackers on two of them. CISA’s Binding Operational Directive 26-04 gives federal agencies a legal clock — three days for the SharePoint flaw, two weeks for the Active Directory bug — because the last time a SharePoint zero-day went unpatched, it reached the agency that oversees America’s nuclear weapons stockpile. A year and 400-plus breached organizations later, roughly 10,000 SharePoint servers are still sitting exposed on the open internet. The directive can order federal agencies to patch. It can’t reach everyone else running the same software.


