AI / Tech · Cybersecurity · Federal Systems · July 2026

Microsoft Just Shipped Its Biggest Patch Batch Ever — 570 Fixes. Two Were Already Under Attack, and CISA Gave Federal Agencies Days to Catch Up.

On July 14, 2026, Microsoft shipped the largest Patch Tuesday in the program’s 23-year history — 570 security fixes by the count BleepingComputer and Krebs on Security both use, with Microsoft’s own tally running higher still once Chromium, Edge, and Extended Security Update rollups are folded in. Buried in that batch were two vulnerabilities the Cybersecurity and Infrastructure Security Agency says attackers were already exploiting before Microsoft finished writing the fix.

The next day, CISA added both to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 26-04, ordered every federal civilian executive-branch agency to patch a SharePoint flaw — CVE-2026-56164 — by July 17, and an Active Directory Federation Services flaw — CVE-2026-56155 — by July 28. The urgency is not theoretical. A different SharePoint zero-day, exploited in a 2025 campaign researchers named “ToolShell,” compromised more than 400 organizations — including the National Nuclear Security Administration.

A year later, the Shadowserver Foundation still counts roughly 10,000 SharePoint servers exposed to the open internet worldwide — more than 800 of them unpatched against SharePoint bugs Microsoft fixed earlier in 2026, before this month’s record batch even shipped.

  • 570 CVEs closed in Microsoft's July 2026 Patch Tuesday — the largest release in the program's 23-year history, and nearly triple June 2026's prior record of 206 by Microsoft's own higher count · Source: BleepingComputer, Krebs on Security
  • July 17 CISA's federal deadline to patch CVE-2026-56164, a missing-authentication SharePoint flaw already under active exploitation · Source: CISA KEV catalog, BleepingComputer
  • July 28 CISA's federal deadline for CVE-2026-56155, an Active Directory Federation Services flaw Trend Micro's Dustin Childs says can be 'paired with an RCE as we often see in ransomware' · Source: CISA, BleepingComputer
  • 400+ organizations breached in the 2025 'ToolShell' SharePoint campaign, including the National Nuclear Security Administration, DOE, DHS, and HHS — attributed to Chinese state-linked hacking groups · Source: CyberScoop, BleepingComputer
  • ~10,000 SharePoint servers still exposed to the internet worldwide, with 800+ already unpatched against earlier 2026 SharePoint bugs before this batch shipped · Source: Shadowserver Foundation
§ 01 / A Record-Breaking Patch Batch

Microsoft’s July 2026 Patch Tuesday landed with 570 CVEs closed in a single release — a figure BleepingComputer and Krebs on Security both use to describe it as the largest cumulative update in Patch Tuesday’s 23-year history. Microsoft’s own count runs higher still, as high as the low 600s by some tallies, once Chromium, Microsoft Edge, and Extended Security Update packages are folded into the total — a methodology difference the company doesn’t fully reconcile in its own release notes. Either way, the batch is nearly triple June 2026’s previous record of 206 CVEs, and it included three zero-day vulnerabilities already being exploited in the wild before the fixes shipped.

Pavan Davuluri, Microsoft’s executive vice president for Windows and Devices, offered an explanation for why these batches keep growing, quoted in Krebs on Security’s coverage: “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code.” The same AI tooling accelerating vulnerability discovery inside Microsoft is, by most security researchers’ accounts, also accelerating how fast attackers find and weaponize the vulnerabilities Microsoft hasn’t found yet.

§ 02 / The Emergency Directive

Two of the 570 fixes carried a legal deadline attached, not just a recommendation. On July 14, CISA added CVE-2026-56164 and CVE-2026-56155 to its Known Exploited Vulnerabilities catalog and, under Binding Operational Directive 26-04, ordered every federal civilian executive-branch agency — every cabinet department, every independent agency covered by the directive — to remediate on a clock measured in days, not the weeks or months typical of a routine security bulletin.

The Federal Patch Clock — Three CVEs, Three Days to Two Weeks

CVE-2026-56164 (SharePoint): A missing-authentication flaw. Federal deadline: July 17, 2026 — three days after disclosure.

CVE-2026-56155 (Active Directory Federation Services): Federal deadline: July 28, 2026. Trend Micro’s Dustin Childs, of the Zero Day Initiative, noted it “can also be paired with an RCE as we often see in ransomware.”

CVE-2026-45659 (SharePoint, earlier): Added to the KEV catalog July 1, with a federal deadline of July 4, 2026 — the same SharePoint code family, patched two weeks before the record batch shipped.

X
Microsoft Security Response Center
@msftsecresponse · July 2026

Security updates for July 2026 are now available. Details are here:

No named CISA Director or spokesperson attached a personal quote to this specific KEV addition — the agency speaks through the catalog entries and its own hardening alert, which pressed agencies to go beyond the minimum patch and audit SharePoint deployments directly. The absence of a soundbite doesn’t soften the deadline: BOD compliance is not optional guidance for the agencies it covers.

§ 03 / Same Bug Family, Same Targets Before

CISA’s urgency traces directly to precedent. In July 2025, a different SharePoint zero-day was exploited in a campaign security researchers named “ToolShell,” compromising more than 400 organizations worldwide, per CyberScoop. Among the confirmed federal victims: the National Nuclear Security Administration, the semi-autonomous Department of Energy agency that oversees the U.S. nuclear weapons stockpile, along with other parts of DOE, DHS, and HHS.

ToolShell, 2025 — Who Got Hit and Who Did It

Scope: More than 400 organizations compromised worldwide, per CyberScoop and BleepingComputer.

Confirmed federal victims: The National Nuclear Security Administration, the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services.

Attribution: Chinese state-linked threat actors tracked as Linen Typhoon, Violet Typhoon, and Storm-2603.

Vulnerability class: SharePoint — the same on-premises server software family targeted again by this July 2026 batch.

Microsoft SharePoint attacks: 400+ victims, US agencies among them.

CyberScoop, on the 2025 ToolShell campaign
§ 04 / Still Wide Open

The 2025 breach was supposed to be the wake-up call. A year later, the Shadowserver Foundation’s internet-wide scans still count roughly 10,000 SharePoint servers reachable from the open internet globally. More than 800 of those were already unpatched against SharePoint vulnerabilities Microsoft had fixed earlier in 2026 — before July’s record batch, and before CVE-2026-45659’s own four-day federal patch window closed on July 4.

X
HackerStorm (Weekly CISA KEV Update)
@hackerstorm · July 6, 2026· paraphrase

Weekly CISA KEV update: CVE-2026-45659, a SharePoint remote code execution flaw, added to the Known Exploited Vulnerabilities catalog — federal agencies had until July 4 to patch.

That gap between a federal patch deadline and an actual internet-wide scan is the part CISA’s directives can’t close by themselves — a BOD binds federal civilian agencies, not the state governments, contractors, universities, and private companies that make up the bulk of those 10,000 exposed servers. The same SharePoint code family that hit the nuclear weapons agency in 2025 is, by Shadowserver’s count, still reachable at scale in 2026.

§ 05 / A Researcher Feud, on the Side

The same news cycle carried a smaller, unrelated story about how strained vendor-researcher disclosure relationships have become: a pseudonymous researcher going by “Nightmare-Eclipse” published a separate Windows zero-day, nicknamed “LegacyHive,” just hours after Patch Tuesday shipped — a move condemned by some in the security community as reckless disclosure and defended by others as a response to vendors sitting on reported bugs too long. It carries no federal-accountability angle of its own; it’s a corporate and researcher dispute, not a government-systems story, but it’s a data point in the same broader picture of a disclosure ecosystem under strain the same week CISA was racing federal agencies against a clock.

Big Patch Tuesday, 'Nightmare Eclipse' drops Windows 0-day, Claude Fable restricted at Microsoft
Bottom Line

Microsoft shipped 570 fixes in a single release and still didn’t get ahead of attackers on two of them. CISA’s Binding Operational Directive 26-04 gives federal agencies a legal clock — three days for the SharePoint flaw, two weeks for the Active Directory bug — because the last time a SharePoint zero-day went unpatched, it reached the agency that oversees America’s nuclear weapons stockpile. A year and 400-plus breached organizations later, roughly 10,000 SharePoint servers are still sitting exposed on the open internet. The directive can order federal agencies to patch. It can’t reach everyone else running the same software.

Sources & Methodology · 11 Sources
03
BleepingComputer — Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days·The primary count and methodology for the record-breaking patch batch, including the three actively-exploited zero-days
07
CyberScoop — Microsoft SharePoint attacks, 400+ victims, US agencies named·Scope and threat-actor attribution for the 2025 ToolShell campaign — Linen Typhoon, Violet Typhoon, and Storm-2603
08
CISA — Adds four vulnerabilities to the Known Exploited Vulnerabilities Catalog·The July 14, 2026 KEV catalog additions and remediation deadlines under Binding Operational Directive 26-04
10
Microsoft Security Response Center on X·Official July 2026 security update release announcement
Methodology notes: Microsoft’s July 2026 patch count is reported differently depending on methodology — 570 is the figure BleepingComputer and Krebs on Security use for CVEs closed in the core release; Microsoft’s own tally runs higher, into the 600s, once Chromium, Edge, and Extended Security Update rollups are included. Both CISA.gov alert pages cited above returned automated-fetch errors on recheck but are corroborated as live, accurately described alerts by NVD’s CVE records and by BleepingComputer’s and Krebs’ independent reporting on the same deadlines. Dustin Childs’ and Pavan Davuluri’s quotes are drawn from BleepingComputer’s and Krebs’ Patch Tuesday coverage, respectively, rather than a standalone statement from either. No named CISA Director or spokesperson issued an on-record quote for this specific KEV addition; CISA is cited institutionally via its published alerts. This is a non-partisan technology and cybersecurity story on the site’s AI/tech beat: no party affiliation applies to any official or agency named here, and per the beat’s convention, no Truth Social content is included.