Microsoft fixes 622 flaws in July, two already under active attack

Microsoft's July 2026 Patch Tuesday is a heavy one, and two of the bugs are already being used in real attacks. The company shipped fixes for 622 vulnerabilities, 57 of them rated critical, and flagged two that attackers are exploiting right now: a flaw in Active Directory Federation Services (ADFS) tracked as CVE-2026-56155 and a Microsoft SharePoint Server flaw tracked as CVE-2026-56164. Hours after the patches landed, CISA added both to its Known Exploited Vulnerabilities catalog, giving federal agencies a hard deadline to fix them.

The two zero-days under attack

ADFS is the component many enterprises use to hand out single sign-on tokens, so a weakness there can let an attacker reach applications and data they should never be able to touch. Microsoft describes CVE-2026-56155 as an insufficient granularity of access control issue, meaning the service can grant more access than intended.

The SharePoint bug is the more alarming of the pair. CVE-2026-56164 is a missing authentication flaw in on-premises SharePoint Server, and CISA issued separate hardening guidance warning that attackers are chaining it with two earlier flaws, CVE-2026-32201 and CVE-2026-45659, to run code remotely on unpatched servers. Once in, the intruders steal the server's Internet Information Services (IIS) machine keys, the secret values SharePoint uses to sign and encrypt data, which lets them forge trusted requests and keep access even after a patch is applied. We covered an earlier wave of SharePoint attacks in CISA's late-June warning and a separate login-bypass flaw disclosed earlier this month.

What is affected

The SharePoint exploitation hits all supported on-premises editions (Subscription Edition, 2019, and 2016). The wider July release spans Windows, Office, Azure, SQL Server, and more. Cisco Talos, which tracks each month's release, counted 57 critical-rated fixes among the 622 in its monthly breakdown. For comparison, June's Patch Tuesday carried 206 fixes, so this month's volume is unusually high.

What you should do

Prioritise the two exploited bugs. Patch ADFS and SharePoint first, then work through the rest by exposure. For SharePoint specifically, CISA urges defenders to confirm that Antimalware Scan Interface (AMSI) integration is enabled in Full Mode and to rotate the IIS machine keys after patching, because a stolen key survives the update. Organisations that run on-premises SharePoint should assume attempted compromise and hunt for the malware and web shells CISA describes.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions