Canadian Cyber Security Journal
SOCIAL:
Filed under: Featured, TechTalk

Microsoft July 2026 Patch Tuesday: 570 CVEs and Two Actively Exploited Zero-Days — What Canadian IT Teams Must Do Now

What Happened

Microsoft released its July 2026 Patch Tuesday updates on July 14, patching 570 vulnerabilities across Windows, Microsoft Office, SharePoint Server, Remote Desktop Services, Active Directory, and Windows Admin Center. The release is the largest Patch Tuesday in Microsoft’s history, more than doubling June’s previous record of 198 CVEs. Of the 570 flaws, 56 are rated Critical and 510 are rated Important.

Two zero-days are actively exploited in the wild:

CVE-2026-56155 — Active Directory Federation Services (ADFS) Privilege Escalation: An authorized attacker with network access can exploit insufficient access control granularity in ADFS to elevate privileges to administrative level. Microsoft confirmed active exploitation before the patch was released. Any organization using on-premises ADFS for single sign-on — including federal and provincial government agencies, financial institutions, and universities — faces direct risk.

CVE-2026-56164 — SharePoint Server Elevation of Privilege: An unauthenticated attacker with network access can exploit a missing authentication check to elevate privileges on SharePoint Server. Microsoft confirmed this is being actively exploited. The flaw is separate from the SharePoint deserialization RCE (CVE-2026-45659) that was on CISA’s KEV list in July. This represents a second active SharePoint attack vector organizations must address.

A third zero-day, CVE-2026-50661, is a BitLocker security feature bypass that was publicly disclosed before a patch was available. Microsoft rates exploitation as “less likely” because it requires physical access to the device, but the public disclosure means the attack technique is in the open.

Why This Matters for Canadian Organizations

The scale of this release alone demands attention. Canadian IT teams that practice risk-based patching will need to triage 570 CVEs with two actively exploited issues requiring urgent action and 56 Critical-rated flaws requiring prompt scheduling. The ADFS zero-day is especially significant for Canada’s public sector: ADFS remains a core SSO mechanism in federal government environments and many provincial agencies, and administrative compromise via ADFS gives an attacker broad access to every application integrated with it.

The SharePoint EoP zero-day compounds existing SharePoint risk. Organizations that patched CVE-2026-45659 in July but have not yet applied today’s update now face a second active attack path. For organizations subject to OSFI B-13 and those managing personal information under PIPEDA, active exploitation means the clock is running on potential breach notification obligations if the patch is delayed.

Canadian organizations using Windows Admin Center, Remote Desktop Services, or Office products should also review the full Critical list, as several Remote Desktop RCEs and Office vulnerabilities are rated Critical with network-based attack vectors.

What to Do

Apply the July 2026 Patch Tuesday updates as soon as your testing cycle permits, and treat CVE-2026-56155 and CVE-2026-56164 as emergency priority given active exploitation. Check Microsoft’s Security Update Guide for the specific KB numbers relevant to your Windows and SharePoint versions. For ADFS environments, audit administrative role assignments and review logs for unusual access patterns dating back to at least July 1. For organizations that cannot patch immediately, consider restricting network access to ADFS management interfaces and SharePoint server administration endpoints as a temporary control. Apply the BitLocker patch (CVE-2026-50661) during your regular cycle, but prioritize devices used in high-security or government contexts given the public disclosure.

Source: BleepingComputer

Enjoy this article? Don’t forget to share.