AI Worked Both Sides of the Security Ledger This Week. Here's What to Actually Run Microsoft's July 2025 Patch Tuesday set a record with over 570 CVEs, including two zero-days under active exploitation. The company attributes the surge to AI-assisted vulnerability discovery, while separate research from Wiz and the AI Now Institute reveals that AI coding agents introduce new attack surfaces through symlink attacks and prompt injection in autonomous workflows. Two of the zero-days Microsoft patched on July 14 are being exploited right now. Here is the one-liner to check whether either is sitting in your stack, and then the more interesting question underneath it: why the pile they were hiding in got so big, and why the same week made your coding agent part of the attack surface. Three things to run in this post, one per section. Start with the patches. Microsoft shipped the largest Patch Tuesday in the program's history on the 14th. Count only what shipped that day and it is about 570 CVEs 59 critical ; count the broader July release and it is 622 62 ; Tenable landed at 569. Pick your methodology, every one set a record. That volume is a triage problem, not an emergency list: two of those CVEs are worth your night, and the rest are worth your week. The two under active exploitation before a fix existed: Cross-reference against the CISA KEV catalog, which is your priority override regardless of CVSS. This pulls the live feed and returns the entries plus the federal due date if they are listed: curl -s https://www.cisa.gov/sites/default/files/feeds/known exploited vulnerabilities.json \ | jq '.vulnerabilities | select .cveID | test "CVE-2026-56155|CVE-2026-56164" | {cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse}' If a row comes back, it is a confirmed-exploited priority override. Patch it, then check whether you were hit before the patch landed. Two more notes for the on-prem crowd. CVE-2026-56164 does not stand alone: the same release separately fixed CVE-2026-55040 , the first half of a different SharePoint chain that Rapid7's Stephen Fewer says reaches unauthenticated RCE once the second, still-embargoed half ships Microsoft's patch expected in August . Patch the farms now and go looking. And the third zero-day, CVE-2026-50661 , is a BitLocker bypass -- publicly disclosed, but it needs physical access and Microsoft rates exploitation unlikely, so it is a slower clock. Why is the pile this big? Microsoft says so directly. In a July 9 post, EVP Pavan Davuluri told customers to expect more updates per release as the company leans on AI-assisted discovery; VP Tom Gallagher said the same in May. Nobody claimed all 570 came from a machine, but the trend is Microsoft's own. Their operational response is the tell: they cut the recommended deferral window for quality updates to under three days, framing it as AI-era speed. Bugs get found and exploited faster, patches get analyzed faster. Microsoft is not claiming attackers run its exact pipeline, only that attackers are adopting AI too. The machine that finds bugs faster runs for both teams. On July 8, Wiz published GhostApproval and the AI Now Institute published Friendly Fire. Same day. Together they break the trust boundary every agentic coding tool is betting on. GhostApproval is a symlink attack, which is a 1990s Unix problem wearing new clothes. The agent reads a file, reasons out loud that it is a symlink pointing at a sensitive path, and writes to it anyway. The approval dialog names only the harmless-looking file; the agent writes to the resolved target. The human is in the loop, and the loop is showing them the wrong thing. Amazon rated its version a high-severity pre-auth write CVE-2026-12958 . Cursor shipped CVE-2026-50549 in v3.0. Google fixed Antigravity. Augment and Windsurf were still open at publication. Current Claude Code builds resolve symlinks. Friendly Fire is the one that changes procurement. Boyan Milanov and Heidy Khlaaf targeted the workflow everyone wants to automate: point the agent at an untrusted third-party repo and ask it to review and patch. The exploit needs no hooks, no skills, no plugins, no MCP server, no malicious config file. It does require the agent running in an autonomy mode -- Claude Code in auto-mode or Codex in auto-review, the setting that hands command approval to the agent instead of you. Then it is a prompt injection sitting in ordinary repo content, a README pointing at a plausible security script, and the agent runs it because it was asked to do security testing. The authors are blunt: a model update alone cannot fix this, because the models still cannot reliably separate the code they are reading from the instructions they are meant to follow. So the practical question is not "is my agent patched." It is "what is my agent allowed to do, and can I see what it does." Start with egress. This is a first look at what your coding-agent processes are actually connecting to: macOS / Linux: current network connections held by coding-agent processes sudo lsof -i -nP | grep -iE 'claude|cursor|copilot|codeium|windsurf|augment|antigravity' It is a snapshot, not monitoring, and that gap is the point of the next section. China's government-run National Vulnerability Database flagged Claude Code versions 2.1.91 through 2.1.196 as a "backdoor" transmitting location and identity without consent, and told developers to uninstall. Anthropic denied an espionage backdoor and called the disputed functionality an anti-abuse experiment; a Claude Code engineer said an anti-distillation steganography mechanism was removed in 2.1.198 on July 1. I cannot adjudicate that and neither can you. What the record establishes is narrow: anti-distillation logic existed and was removed. It does not settle whether it was a backdoor or transmitted what China alleged. Here is the part that survives the dispute, and it is aimed straight back at the lsof output above. Run that command and ask yourself honestly whether you can explain every connection. Most shops cannot. A privileged agent whose egress you do not observe and whose telemetry you cannot enumerate is a trust boundary you are extending blind, regardless of anyone's intent. The fix is not picking a side in a geopolitical fight. It is treating any agent with this much reach the way you would treat any other privileged process: observable egress, documented telemetry, least privilege that constrains what it can spend. While everyone watched the machines, a coalition of Western agencies told you what is actually being exploited. On July 13, NSA led advisory AA26-194A with CISA, the FBI, DC3, the other Five Eyes countries, and European partners: Russian state actors hitting critical infrastructure through public-facing network gear. Not zero-days. Known, already-patched CVEs and elementary config failures -- default SNMP community strings, weak passwords, exposed management interfaces, Cisco Smart Install left on. The advisory reads like a checklist you can run against your own edge. Authorized scanning only, your own devices: Weak/default SNMP community strings advisory calls these out explicitly nmap -sU -p161 --script snmp-info