Microsoft has released patches for 570+ vulnerabilities on July 2026 Patch Tuesday, including two that are being leveraged by attackers (CVE-2026-56155 and CVE-2026-56164), and one that was previouly disclosed (CVE-2026-50661).

The release was once again followed by Nightmare Eclipse publishing a stripped down proof-of-concept exploit for an unpatched Windows elevation of privilege (EoP) vulnerability, which the researcher dubbed LegacyHive.

Vulnerabilities of note

CVE-2026-56155 is an EoP flaw affecting Active Directory Federation Services (ADFS), and has been spotted being exploited in the wild by Microsoft’s incident responders.

Fixes for it have been bundled into Windows and Windows servers updates, and Microsoft also announced it’s started hardening the Access Control List (ACL) on the AD FS Distributed Key Manager container.

“[This vulnerability] stems from insufficient access-control granularity and does require local access and low privileges to start, but AD FS is exactly the kind of identity infrastructure attackers love to pivot through once they’re in. It can also be paired with an RCE as we often see in ransomware. Test and deploy this patch quickly,” commented Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative.

CVE-2026-56164 is an EoP flaw found in Microsoft SharePoint Server that has been reported by Google’s incident responders and an anonymous researcher. It’s remotely exploitable in low-complexity attacks, and attackers are already taking advantage of it.

While enabling the Antimalware Scan Interface (AMSI) feature on SharePoint servers is noted as a possible mitigation, implementing security updates is the better option, especially because they fix additional SharePoint remote code execution vulnerabilities (CVE-2026-50522 and CVE-2026-58644) and a critical security feature bypass flaw (CVE-2026-55040).

“Discovered by Rapid7 Senior Principal Security Researcher Stephen Fewer, and published (…) in coordination with Microsoft, [CVE-2026-55040] is the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server,” commented Adam Barnett, Principal Software Engineer at Rapid7.

The second vulnerability in the full RCE chain remains embargoed for now, and Microsoft is expected to publish patches for it in August 2026, he added.

In other developments, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations running SharePoint servers to apply additional hardening measures, in light of the fact that attackers are also exploiting two recently patched vulnerabilities (CVE-2026-32201 and CVE-2026-45659).

CVE-2026-50661 is a Windows BitLocker security feature bypass vulnerability that has been disclosed but not (yet) actively exploited.

“While not confirmed at this time, this CVE may be the patch for GreatXML, a BitLocker bypass exploit released by the Nightmare-Eclipse persona,” Crowdstrike noted.

Security patching in the age of AI-assisted vulnerability discovery

The flood of new vulnerabilities was expected and pre-announced, as Microsoft recently confirmed it’s been using AI to speed up internal discovery of software vulnerabilities.

The company also noted that other security researchers and attackers have been doing the same.

“If you’re not delivering critical quality updates with security fixes until a couple of weeks after they’ve been issued, that’s ample time for attackers using AI to find and exploit known security gaps,” Microsoft said.

“To address this, we’ve updated our recommendations for deploying Windows updates to less than three days as the deferral period for quality updates, setting deadlines for those updates to zero or one day, and the update grace period to a maximum of two days.”

Satnam Narang, senior staff research engineer at Tenable, also pointed out that the state of the Exploitability Index (how likely a vulnerability is to be exploited) must shift with the machine speed of discovery.

“For example, Microsoft originally tagged CVE-2026-45659, a SharePoint vulnerability, as exploitation less likely. However, the vulnerability was added to the CISA KEV on July 1,” he noted.

“Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely.’ What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”

Cybersecurity agencies of Five Eyes countries have recently advised organizations to integrate AI tools into their security operations so they can “detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents.”

They’ve also urged them to:

  • Reduce their attack surface by limiting access to them
  • Accelerated the patching process and prioritise security updates according to risk
  • Address legacy systems (i.e., decommission themm if possible)
  • Strengthen identity and access controls
  • Prepare for incidents before they happen.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!



Source link