Microsoft July 2026 Patch Tuesday Zero-Day Hits SharePoint

The Microsoft July 2026 Patch Tuesday zero-day count is the largest disclosure on record — trackers put the total at 570 to 622 CVEs depending on methodology — and two of the fixed flaws were already being exploited before the patch shipped: one in Active Directory Federation Services, one in SharePoint Server. A separate, publicly disclosed BitLocker bypass brings the count to four distinct BitLocker bypass techniques in five weeks.
What Happened
The Microsoft July 2026 Patch Tuesday zero-day release, published July 14, 2026, is Microsoft’s largest CVE batch to date. CVE-2026-56155 (CVSS 7.8) is an elevation-of-privilege flaw in Active Directory Federation Services: insufficiently granular access control lets an attacker who already has local access escalate to administrator. CVE-2026-56164 is an elevation-of-privilege flaw in SharePoint Server, described as remotely exploitable with low attack complexity, affecting SharePoint Server 2016, 2019, Enterprise Server 2016, and Subscription Edition. Both were confirmed exploited in the wild ahead of the release — CISA added both to its Known Exploited Vulnerabilities catalog the same day.
The same release discloses CVE-2026-50661, a BitLocker Device Encryption security-feature bypass. Microsoft rates active exploitation “Less Likely” and scores it CVSS 6.1, but it requires only physical access to the device — no network vector, no credentials. It is the fourth distinct BitLocker bypass technique DIESEC has tracked since early June, following a pre-boot proof-of-concept, the YellowKey bypass (CVE-2026-50507, June’s Patch Tuesday), and GreatXML (June 23).
Why It Matters
SharePoint has now had two separate exploited zero-days in five weeks — this one and CVE-2026-45659 from July 6, a different CVE in the same product. AD FS and SharePoint sit at the center of enterprise trust chains: identity federation and document collaboration are exactly the platforms that give an attacker broad lateral reach once compromised, which is why they keep reappearing as exploited zero-days rather than one-off bugs. For German Mittelstand organizations under NIS2, a fourth BitLocker bypass in five weeks also means TPM-only “encryption at rest” claims for physically accessible laptops keep needing re-verification against Article 21(2)(h) and ISO 27001 control A.8.24 — a compliance answer that was correct in June may no longer be correct in July.
What You Should Do Now
- Apply the July 2026 cumulative update to all Windows Server domain controllers running AD FS and to all SharePoint Server farms immediately — both exploited zero-days require this specific release, not a future one.
- Check whether your SharePoint farm is on 2016, 2019, Enterprise 2016, or Subscription Edition; SharePoint Online is not affected by CVE-2026-56164, but confirm your farm type before assuming you’re clear.
- For endpoints where BitLocker is your stated control for “data at rest” compliance, re-verify whether protection depends on TPM-only mode; if so, treat physical-access scenarios (lost/stolen devices, insider access) as an open gap until CVE-2026-50661 is patched fleet-wide.
- Monitor AD FS event logs for privilege-escalation indicators and review any recent local-admin grants on federation servers — CVE-2026-56155 requires prior local access, so lateral movement leading up to exploitation should be visible in existing logs if you’re looking.
DIESEC Perspective: We keep seeing the same pattern across 2026 Patch Tuesdays — the headline CVE count gets the attention, but the two or three flaws already being exploited before the patch existed are the ones that actually determine whether this is a routine update cycle or an incident. Treat the exploited-zero-day list as the priority queue, not the full CVE count.
Not sure whether your SharePoint farm or AD FS configuration has this gap? Contact DIESEC for a rapid identity and collaboration infrastructure exposure review.
Sources: BleepingComputer | The Hacker News
Published: 2026-07-16 | Category: Vulnerabilities & Patches | ~4 min read

