Microsoft is aware of exploitation in the wild for two of the vulnerabilities published today, both of which are listed on CISA KEV, as well as public disclosure for one other.
As usual, browser vulns are not included in the Patch Tuesday count.
Rapid7 noted last month that Microsoft no longer enumerates Chromium CVEs in the Security Update Guide. However, Microsoft has now taken the pursuit of minimalism much further, since today’s Security Update Guide no longer lists out even Microsoft vulnerabilities!
Instead, we now receive a summary table of vulnerability counts by product family, as well as a new slimline ‘Notable CVEs’ section. All of this only serves to illustrate the recent industry-wide trend of exploding vulnerability report counts, with an associated uptick in the publication of remediations as a trailing indicator.
Today sees the publication of CVE-2026-55040, a critical authentication bypass in Microsoft SharePoint. Discovered by Rapid7 Senior Principal Security Researcher Stephen Fewer, and published today in coordination with Microsoft, this vulnerability is the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server.
Patches are available for SharePoint Server Subscription Edition, 2019, and 2016. As the full Rapid7 blog post sets out, the second vulnerability in the full RCE chain remains embargoed for now, with Microsoft expected to publish patches for that second vulnerability as part of Patch Tuesday August 2026. Microsoft noted: “We would like to thank Rapid7 for responsibly reporting this issue through coordinated vulnerability disclosure.”
It’s a rare Patch Tuesday that doesn’t include multiple SharePoint fixes, and today is no exception. Microsoft is aware of existing in-the-wild exploitation of CVE-2026-56164, where successful exploitation allows an attacker to elevate privileges over a network, with no existing privileges required, and low attack complexity since “an attacker does not require significant prior knowledge of the system, and can achieve repeatable success”.
This is as good an example as any that a relatively low CVSS v3 base score (5.3) may be an imperfect signal concealing something much spicier, and Microsoft acknowledges that possibility by assigning a severity rating of Important. Microsoft certainly intended to list CVE-2026-56164 in the new Notable CVEs section of the Security Update Guide instead of erroneously listing CVE-2026-56155 twice, and it’s likely that this will be corrected shortly.
After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026. As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond.
Pseudonymous researcher Nightmare Eclipse dropped another Defender elevation of privilege vulnerability in the hours following Patch Tuesday, June 2026, which Microsoft subsequently published and patched as CVE-2026-50656, along with a terse acknowledgement of the vulnerability’s celebrity nickname of RoguePlanet. Recently, Nightmare Eclipse has given conflicting estimates of what sort of surprises Microsoft can expect today, as well as claiming that the CVE-2026-50656 patches introduce a new avenue for a disk exhaustion attack. Today, a new proof of concept for a further vulnerability nicknamed LegacyHive has emerged from the same source, which appears to allow a non-privileged user to mount another user’s user hive.
Microsoft BitLocker receives patches today for a publicly known security feature bypass vulnerability. The advisory for CVE-2026-50661 explains that an unauthorised attacker with physical access to the target machine can bypass Windows BitLocker. While Microsoft doesn’t confirm either way, it’s very probable that this is a patch for the GreatXML vulnerability, which Nightmare Eclipse announced the day after June’s Patch Tuesday.
Active Directory administrators should note the emergence today of CVE-2026-56155, an exploited-in-the-wild elevation of privilege vulnerability in Active Directory Federation Services, which allows an authorised attacker to elevate privileges locally.
Eight other vulnerabilities are also published today in Active Directory Federation Services, all ranked as Important on Microsoft’s proprietary severity ranking scale. The advisory doesn’t explicitly describe the location of the attacker, but it’s likely that an attacker would need an existing toehold on the target system to chain together with the elevation of privilege opportunity on offer here.
Historically, Patch Tuesday hasn’t seen too many security patches for video games. However, Age of Empires II: Definitive Edition is a new entrant to the Microsoft CVE roster today. Veteran AoE2 players may well be familiar with dangerous opposition early game strategies such as the Persian Town Center nuisance or the Aztec monk rush, but anyone who opens a malicious game scenario file without applying the patch for CVE-2026-50663 might suffer a serious defeat. Successful exploitation allows an attacker to place malicious files in unexpected locations, potentially enabling code execution on the target system.
As Rapid7 noted last month, there are some significant Microsoft product lifecycle changes taking place in mid-July. SQL Server 2016 moves beyond regular extended support and into the pay-to-play Extended Security Updates (ESU) phase from July 15, 2026, and its older sibling SQL Server 2014 moves into the third and final year of ESU. Also on July 14, 2026, SharePoint Server 2016 and 2019 reach extended end date, and since there’s no ESU available, the only remaining option for fully-supported self-hosted SharePoint after today is SharePoint Subscription Edition. The July 2026 lifecycle casualties continue with Project Server 2016 and 2019, Dynamics GP 2016 and 2016 R2, InfoPath 2013, and SharePoint Designer 2013, which also all reach their Extended End Dates, ending their supported lifecycles. Visual Studio 2022 Version 17.12 Long-Term Servicing Channel (LTSC) reaches its release end date on July 14, leaving either the Visual Studio 2022 current channel or an upgrade to Visual Studio 2026 as supported options.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.