Microsoft’s July security updates addressed a record 622 vulnerabilities across its software ecosystem, marking one of the most significant Patch Tuesday releases in the company’s history. This figure more than tripled June’s tally, which had set a record of its own. The update included three zero-day vulnerabilities, two of which are currently being actively exploited in the wild.
Active Exploitation and Zero-Day Risks
According to the Cybersecurity and Infrastructure Security Agency (CISA), two of the three zero-day vulnerabilities patched in July require immediate attention from federal agencies and enterprise administrators.

- CVE-2026-56155: This vulnerability lets an attacker raise their privileges through Active Directory Federation Services, the system that signs a network’s logins. It is currently under active exploitation.
- CVE-2026-56164: This flaw allows an attacker to raise their privileges through on-premises SharePoint. Microsoft confirmed this is also being actively exploited.
- BitLocker bypass: A third zero-day vulnerability was disclosed but, unlike the others, requires physical access, making it less urgent.
These vulnerabilities highlight a shift in attacker behavior, where mid-tier severity scores no longer correlate with lower risk. CISA has added both exploited bugs to its known-exploited list and told federal agencies to patch within days.
The Role of AI in Vulnerability Detection
Microsoft has explicitly linked the high volume of security disclosures to the integration of artificial intelligence in its development and testing pipelines. In a formal blog communication, Windows chief Pavan Davuluri warned customers to expect “a higher volume of security updates” as AI helps find more bugs, faster.
By utilizing tools like Microsoft’s own scanner, MDASH, and Anthropic’s Mythos model, the industry is uncovering vulnerabilities. The monthly count has risen from 79 in March to 206 in June to 622 now. While this proactive approach increases the number of patches released each month, it also creates a logistical challenge for IT departments. Security teams must now triage a significantly higher volume of updates, often with limited staff, which can lead to delays in deployment.
Patch Management Challenges
The increased cadence of security updates has forced a change in standard patching protocols. Historically, organizations often waited a week or more to test updates before deployment. However, the rise of AI-assisted exploitation—where attackers use automated tools to reverse-engineer patches within hours—has rendered this “wait-and-see” approach obsolete.

Security researchers have observed that once a patch is released, attackers analyze the binary differences between the patched and unpatched versions to identify the underlying flaw. This allows threat actors to develop functional exploits rapidly. Consequently, experts recommend that organizations prioritize patches based on exploitability—specifically those listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog—rather than relying solely on severity scores.
Key Takeaways for IT Administrators
- Prioritize Exploited Bugs: Focus on vulnerabilities currently listed in the CISA KEV catalog, as these represent the highest immediate risk.
- Automate Where Possible: Given the rising number of monthly patches, manual deployment is no longer sustainable for large-scale environments.
- Monitor for Rollout Issues: Before a company-wide deployment, verify if specific hardware configurations—such as those involving specific Intel-based Dell devices—are experiencing stability issues, such as sudden shutdowns, overheating, and battery drain.
- Shift Testing Timelines: Shorten the testing window for high-criticality patches to keep pace with the speed of modern exploit development.
Worth a look