Microsoft's 570 Patches Break Old Triage Microsoft shipped fixes for a record 570 vulnerabilities in its July 2026 Patch Tuesday, nearly triple the previous high, driven by AI systems that accelerate flaw discovery. Three zero-days are included, two actively exploited, and the surge renders Microsoft's exploitability index outdated as attackers also leverage AI for weaponization. Security https://sourcefeed.dev/c/security Article Microsoft's 570 Patches Break Old Triage AI discovery turned Patch Tuesday into a firehose. Treat exploitability ratings as outdated signals. Emeka Okafor https://sourcefeed.dev/u/emeka okafor Microsoft shipped fixes for a record 570 vulnerabilities on its July 2026 Patch Tuesday, nearly triple June’s previous high of about 200 and more than four times the 137 fixed in July 2025. Fifty-nine of those bugs are rated critical. Three are zero-days, two already exploited in the wild. Microsoft https://www.microsoft.com attributes the surge to AI systems that find flaws faster across more code. This is not a one-time cleanup of a dusty codebase. It is the new operating tempo for anyone running Windows, SharePoint, Active Directory Federation Services, or adjacent Azure and Microsoft 365 services. The old habit of waiting on Microsoft’s exploitability index and “less likely” labels no longer matches the threat model. Attackers have the same acceleration. Teams that still treat Patch Tuesday as a leisurely review will lose. The numbers that actually matter Elevation of privilege and remote code execution dominate the batch. Those two classes are the usual building blocks for ransomware and lateral movement once an initial foothold exists. pie title July 2026 vulnerability categories "Elevation of Privilege" : 254 "Remote Code Execution" : 145 "Information Disclosure" : 102 "Denial of Service" : 35 "Security Feature Bypass" : 17 "Spoofing" : 16 Of the 59 criticals, 48 are remote code execution. The three zero-days sit at the top of any sensible queue: CVE-2026-56155 Active Directory Federation Services : elevation of privilege, actively exploited. Microsoft’s own Detection and Response Team found it, which usually means it surfaced during incident work. CVE-2026-56164 SharePoint Server : missing authentication for a critical function, network-based privilege elevation, actively exploited. Temporary mitigation is enabling AMSI with Request Body Scan mode set to Full. CVE-2026-50661 BitLocker : security feature bypass that can expose encrypted data given physical access. Publicly detailed; no known active exploitation yet. Also worth flagging outside the pure “zero-day” list: CVE-2026-48561, a 9.6 CVSS remote code execution issue in Microsoft Copilot. An attacker can host a malicious site that causes Microsoft Edge for Android to push crafted prompts into Copilot when a user visits. Note the counting rules. The 570 figure covers the bulk Patch Tuesday drop. It excludes earlier-in-the-month fixes for several Azure and M365 components, plus Chromium/Edge issues that Google already shipped and Microsoft ported. The real surface area for a typical enterprise is larger than the headline number. Exploitability ratings are lagging reality Microsoft still publishes an exploitability index that estimates how likely attackers are to produce a reliable exploit. That model was built for human researchers. It is already behind. The SharePoint zero-day carried a “less likely” rating even after it landed on CISA https://www.cisa.gov ’s Known Exploited Vulnerabilities list on July 1. Researchers have pointed out the mismatch. Anthropic’s red-team work with its Mythos Preview model produced proof-of-concept exploits for 13 of 14 vulnerabilities that Microsoft had labeled “Exploitation Less Likely” or “Exploitation Unlikely.” When both discovery and weaponization compress from weeks toward hours, a human-centered index becomes a false comfort. Plan as if critical, remote-code-execution, and elevation-of-privilege items will be exploitable soon after disclosure. Treat the index as secondary color, not a gate. Practical triage for Windows and Azure stacks Most organizations cannot slam every KB the hour it appears. Prioritize by attack surface and chain potential, not by raw CVSS alone. Zero-days and CISA KEV items first. Patch AD FS and SharePoint servers after a short smoke test, same day or next day in production. If SharePoint is reachable, turn on the AMSI full-body-scan mitigation immediately while the update rolls out. Critical remote code execution next. Focus on networking, media, graphics, Hyper-V, RDP, SMB, and other remote entry points. These are the paths that turn an unauthenticated packet into code execution. The elevation-of-privilege mass. Roughly 250 of this month’s fixes raise local privileges. Prioritize domain controllers, jump hosts, bastion boxes, and any system that already holds high-value tokens. Local EoP becomes remote compromise once an attacker has any initial access. BitLocker and physical-access bugs. Higher priority for laptops and devices that leave controlled facilities; lower for locked data-center hardware with strong physical controls. Copilot and Edge-for-Android paths if the org has mobile Edge users or Copilot integrations that accept external content. Operational hygiene for a batch this size: - Back up systems or at least critical state before broad deployment. High patch volume raises the odds of stability regressions. - Use deployment rings. Pilot for 48–72 hours, then expand. Microsoft has warned against deferring security updates past roughly three days given attacker AI speed. - Confirm the builds: Windows 11 25H2 should reach Build 26200.8875 KB5101650 ; 24H2 reaches 26100.8875. Verify via Settings Windows Update or your management console rather than trusting “installed” status alone. - Remember that Azure, Exchange Online, and several Copilot/OpenAI-related fixes shipped earlier in the month and sit outside the 570 count. Check those channels separately. This approach replaces the old “wait a week and watch the forums” habit. That habit assumed human exploit development timelines. Those timelines no longer hold. The volume is not a Microsoft-only story Other vendors are accelerating for the same reason. Adobe moved to twice-monthly security bulletins and explicitly cited AI. Google’s June batches exceeded 900 fixes. Cisco, Mozilla, and Oracle are shipping more frequently. Microsoft’s internal MDASH multi-model agentic scanner agents that debate root causes across the networking and authentication stack is one vendor’s response to the same pressure attackers face. The result is permanent elevation of monthly patch load across the stack developers actually touch: Windows clients and servers, identity services, collaboration servers, and the management planes that sit in front of them. Expect the numbers to stay high as more of the decades-old codebase gets re-examined by machines that do not get tired. The 570-flaw release is less a scandal about code quality and more a signal that vulnerability management has entered an AI-speed regime. Rank patches by internet-facing surface, identity impact, privilege boundaries, and evidence of active exploitation. The volume will not shrink. The window to act will. Sources & further reading - Microsoft Patches a Record 570 Security Flaws https://krebsonsecurity.com/2026/07/microsoft-patches-a-record-570-security-flaws/ — krebsonsecurity.com - Microsoft Just Patched a Record 570 Flaws in Windows | Lifehacker https://lifehacker.com/tech/microsoft-just-patched-570-flaws-in-windows — lifehacker.com - Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/ — bleepingcomputer.com - Don't skip today's Windows 11 update. Microsoft just patched a record 570 flaws, 4x last year as AI finds bugs faster https://www.windowslatest.com/2026/07/15/microsoft-patched-a-record-570-windows-11-flaws-in-july-4x-last-year-as-ai-finds-bugs-faster/ — windowslatest.com Emeka Okafor https://sourcefeed.dev/u/emeka okafor · Security Editor Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read. Discussion 0 No comments yet Be the first to weigh in.