Microsoft released its July 2026 security updates covering 622 CVEs across Windows, Office, Edge, Azure, Exchange Server, SharePoint Server, SQL Server, Defender, and developer tools, with Windows accounting for 416 of the fixes. The company highlighted CVE-2026-56155 vulnerabilities affecting Active Directory Federation Services and Microsoft SharePoint Server as having detected exploitation, and said CVE-2026-50661, a Windows BitLocker security feature bypass flaw, was publicly known at release. Microsoft also republished 428 non-Microsoft Chromium CVEs as part of the update cycle.
The release includes several high-impact enterprise issues that defenders are likely to prioritize, including critical unauthenticated remote code execution in SharePoint (CVE-2026-50522, CVE-2026-58644), Remote Desktop Client (CVE-2026-54990, CVSS 9.8), and the Windows FTP Service (CVE-2026-49172, CVSS 9.8), alongside network-reachable flaws in SQL Server, Exchange Server, Windows TCP/IP, RMCAST, SSTP, Print Spooler, ASP.NET Core, .NET, Configuration Manager, and Windows Admin Center. The breadth of affected server and workstation products means organizations running exposed Microsoft services, especially SharePoint, FTP, RDP-related components, and identity infrastructure, face an urgent patching and exposure-reduction task.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
30 events from the most recent confirmed update back to the earliest known activity.
Microsoft published CVE-2026-47300, an ASP.NET Core authentication-algorithm flaw that allows an authorized attacker to elevate privileges over a network. Affected products include supported .NET and Visual Studio release lines below fixed versions.
The CVE-2026-47303 record was updated with affected-version information, description, CWE mappings, an MSRC reference, and a CISA SSVC entry. The vulnerability is an ASP.NET Core authentication-bypass issue that allows an authorized attacker to elevate privileges over a network.
CISA later added SSVC metadata to CVE-2026-47301, indicating no known exploitation, non-automatable exploitation, and total technical impact.
Microsoft published CVE-2026-47301, an improper access control vulnerability in Microsoft Configuration Manager that allows an authorized attacker to elevate privileges over a network. Affected versions include releases prior to 2503, 2509, and 2603.
Microsoft published CVE-2026-47304, an improper verification of cryptographic signatures vulnerability in .NET that allows a network-based security feature bypass. Affected products include Visual Studio 2022 and Visual Studio 2026 release lines below fixed versions.
Microsoft published CVE-2026-50528, a .NET incorrect-authorization flaw that allows an unauthorized attacker to bypass a security feature over a network. Affected products include .NET 8.0, 9.0, 10.0 and multiple Visual Studio release lines.
CISA later added SSVC metadata to CVE-2026-50522, indicating no known exploitation, that exploitation could be automatable, and that the technical impact is total.
Microsoft submitted CVE-2026-50522, a critical SharePoint deserialization vulnerability enabling unauthorized remote code execution against SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition below fixed versions.
Microsoft published CVE-2026-50342, an improper access control vulnerability in the Windows MIDI Service Module that allows local privilege escalation. Affected products include several Windows 11 releases.
Microsoft published CVE-2026-54122, a heap-based buffer overflow in Windows GDI+ that can allow local code execution. The issue affects a wide range of Windows client and server versions.
Microsoft published CVE-2026-54990, a critical heap-based buffer overflow in Remote Desktop Client that allows unauthorized remote code execution over a network. Affected products include multiple Windows 11 releases and Windows Server 2025.
Microsoft published CVE-2026-54992, a heap-based buffer overflow in the Microsoft Message Queuing Queue Manager that allows local code execution. Multiple Windows client and server releases are affected.
Microsoft published CVE-2026-54999, a race-condition remote code execution vulnerability in Windows TCP/IP that is exploitable from an adjacent network. Numerous Windows 10, Windows 11, and Windows Server versions are affected.
Microsoft published CVE-2026-54995, a use-after-free remote code execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST). The issue affects multiple Windows 10, Windows 11, and Windows Server versions.
Microsoft published CVE-2026-54118, a deserialization remote code execution vulnerability affecting SQL Server 2016, 2017, 2019, 2022, and 2025. The flaw allows an authorized attacker to execute code over a network.
Microsoft published CVE-2026-55008, an Exchange Server cross-site scripting vulnerability that can enable spoofing over a network. The issue affects specific builds of Exchange Server 2016, 2019, and Subscription Edition.
Microsoft published CVE-2026-50520, a command-injection vulnerability in Visual Studio Code that can allow local code execution. Affected versions span 1.0.0 through versions earlier than 1.128.1.
Microsoft published CVE-2026-57969 affecting Azure CycleCloud, a missing-authentication flaw for a critical function that can allow privilege escalation over a network. Affected versions are earlier than 8.9.1.
Microsoft published CVE-2026-56169, an improper-authentication vulnerability in Windows Admin Center that allows an authorized attacker to elevate privileges over a network. Affected versions are earlier than 2.7.4.
Microsoft published CVE-2026-58595 affecting Microsoft Bing Search for iOS, describing a UI-layer restriction flaw that can enable spoofing over a network. Affected versions are earlier than 33.4.440529002.
Microsoft published CVE-2026-50694, a use-after-free remote code execution vulnerability in Windows Secure Socket Tunneling Protocol (SSTP). The flaw affects multiple Windows client and server versions.
Microsoft published CVE-2026-54107, a Windows Win32k race-condition vulnerability that allows a local authorized attacker to gain elevated privileges. The issue affects multiple Windows 10, Windows 11, and Windows Server releases.
Microsoft published CVE-2026-54117, a deserialization-based remote code execution vulnerability affecting Microsoft SQL Server 2025. The flaw allows an authorized attacker to execute code over a network.
Microsoft published CVE-2026-58608, a Windows Print Spooler race-condition vulnerability that can allow low-privileged authorized attackers to execute code over a network. Multiple Windows 10, Windows 11, and Windows Server releases are affected.
Microsoft published CVE-2026-54982, an integer-underflow remote code execution flaw in the Windows Reliable Multicast Transport Driver (RMCAST). The issue affects multiple Windows 10, Windows 11, and Windows Server releases and is exploitable from an adjacent network.
Microsoft published CVE-2026-58647 affecting Power BI Report Server, a cross-site scripting flaw that can let an authorized attacker perform spoofing over a network. Affected versions include releases earlier than 15.0.1121.120.
Microsoft published CVE-2026-58644, a critical SharePoint deserialization vulnerability allowing unauthorized remote code execution against SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition below fixed versions.
A critical unauthenticated remote code execution vulnerability in the Windows FTP Service, tracked as CVE-2026-49172, was discussed as affecting Windows Server 2019, 2022, and 2025 when the FTP Service is enabled. Recommended mitigations included installing Microsoft's security update, disabling the FTP Service if unnecessary, and blocking external FTP access.
CISA added CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server to its Known Exploited Vulnerabilities catalog after Microsoft’s July 2026 Patch Tuesday disclosed them as actively exploited zero-days. The same reporting also noted CVE-2026-50661 in Windows BitLocker was publicly known but not yet exploited.
Microsoft's July 2026 Security Updates release addressed 622 Microsoft CVEs across product families including Windows, Office, Edge, Azure, Exchange Server, SharePoint Server, SQL Server, Defender, and Developer Tools. The release notes highlighted CVE-2026-50661 as publicly known and CVE-2026-56155 issues affecting AD FS and SharePoint Server as having detected exploitation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
36 references tracked. Mallory keeps watching after this page renders.
malware.news
Open sourcemalwarebytes.com
Open sourcehackread.com
Open sourcethecyberexpress.com
Open sourcemsrc.microsoft.com
Open sourcemicrosoft.com
Open sourcemicrosoft.com
Open sourcemicrosoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.