{"slug": "microsofts-ai-found-570-windows-bugs-before-attackers-did", "title": "Microsoft’s AI Found 570 Windows Bugs Before Attackers Did", "summary": "Microsoft's July 2026 Patch Tuesday released 570 CVEs, the largest monthly security update in company history, driven by its new MDASH AI system that autonomously hunts vulnerabilities. Two zero-days are under active exploitation, with CISA deadlines of July 17 and July 28. MDASH, a multi-model agentic scanning harness, achieves high recall rates and is now permanently feeding the patch stream, making higher volumes the new normal.", "body_md": "Microsoft’s July 2026 Patch Tuesday just shipped 570 CVEs — the largest monthly security release in the company’s history. The reason it’s so big is also the story: Microsoft’s own agentic AI system has been hunting vulnerabilities at machine speed and feeding them directly into the patch stream. It found most of them before any attacker did. That’s genuinely good news. The catch is that your patch management process just got permanently harder.\n\n## Patch Now: Two Zero-Days Are Already Being Exploited\n\nBefore getting into the interesting parts, here’s what requires immediate action. Two of the three zero-days in this release are confirmed under active exploitation and have been added to CISA’s Known Exploited Vulnerabilities catalog.\n\n**CVE-2026-56164** hits SharePoint Server. It’s a missing-authentication flaw — an unauthenticated attacker can reach it over the network with no user interaction required. CISA’s remediation deadline for this one is today, July 17. That should tell you something about urgency. Worth noting: its CVSS score is 5.3, rated “Moderate.” Do not let that fool you. When a bug is actively exploited with no authentication barrier, the score is noise.\n\n**CVE-2026-56155** hits Active Directory Federation Services. Successful exploitation yields administrator privileges. It requires local access and low initial privileges, which makes it a classic privilege escalation path. CISA deadline: July 28.\n\nApply both of these now. Everything else in the release can wait behind them.\n\n## What MDASH Actually Is\n\nMicrosoft’s MDASH — the Microsoft Security multi-model agentic scanning harness — is the system responsible for the volume spike. Announced in May 2026, it orchestrates more than 100 specialized AI agents across three roles: auditor agents that hunt for candidate vulnerabilities, debater agents that challenge the findings through cross-model argument, and prover agents that confirm exploitability before the flaw reaches a human engineer.\n\nThe architecture deliberately avoids single-model dependency. A configurable ensemble of frontier models handles the heavy reasoning; cost-effective models run the high-volume scanning passes. The result is a system that doesn’t need the most expensive model for every task and doesn’t fail if one provider has an outage.\n\nThe performance numbers are striking. MDASH achieves a [96% recall rate against five years of confirmed MSRC vulnerabilities in clfs.sys](https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/) and 100% in tcpip.sys. It scored 96.55% on the CyberGym industry benchmark — a jump of roughly 10% in under three weeks after Build 2026. It found its first major bug, CVE-2026-33824 (a double-free in Windows’ IKEEXT service reachable over UDP 500 without authentication), by reasoning across six source files simultaneously — something a human reviewer scanning files in isolation would likely miss.\n\nMDASH started feeding the patch stream in May 2026 with 16 vulnerabilities. In July, it contributed to a release more than three times that size.\n\n## The Math Now Works Against You\n\nOn July 9, Windows chief Pavan Davuluri confirmed what had been obvious since May: [MDASH now feeds the patch stream permanently, and higher volumes are the new normal](https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/). July’s 570 CVEs is roughly four times what the same month delivered last year. Microsoft is not going to slow MDASH down to spare IT teams the workload.\n\nThe broader pattern is worse. FIRST, the global incident response and security community, now forecasts roughly 66,000 CVEs in 2026 — up from about 29,000 in 2023. Microsoft isn’t alone: OpenAI is running a similar initiative called Daybreak, and Anthropic’s Claude Mythos Preview scanned more than 23,000 open-source code paths in two months this spring. AI-driven vulnerability hunting is becoming a standard capability across every major lab.\n\nMeanwhile, the window between patch release and active exploitation has shrunk. [Research shows attackers now reverse-engineer released patches within approximately three days](https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/) — sometimes within hours for high-profile fixes. AI accelerates that timeline too.\n\nThe asymmetry is real: defenders must patch everything, attackers only need one opening.\n\n## What to Do\n\nThe CISA Known Exploited Vulnerabilities catalog has become the most useful triage tool available to most teams. If a CVE is on that list, it has confirmed exploitation and a remediation deadline — that’s your priority queue. Everything else gets risk-scored against your environment.\n\nFor July specifically:\n\n- Deploy the July Patch Tuesday updates. Start with SharePoint (CVE-2026-56164) and ADFS (CVE-2026-56155).\n- Check whether\n[Tenable’s full CVE breakdown](https://www.tenable.com/blog/microsofts-july-2026-patch-tuesday-addresses-569-cves-cve-2026-56155-cve-2026-56164)covers components in your stack — 570 entries means something in here probably touches your infrastructure. - If you’re eligible for the MDASH Defender Portal preview, enable it. Getting ahead of findings before they ship to Patch Tuesday gives you a lead time advantage.\n\nThe longer-term adjustment is about process. Monthly patching is not adequate when the monthly volume is 570 items and the exploitation window is three days. Automated patch deployment, continuous vulnerability scanning, and tighter CVSS-independent prioritization are no longer nice-to-haves. The AI acceleration that made MDASH possible is the same force compressing your response window.\n\nMDASH finding bugs before attackers do is unambiguously good. The operational cost of that advantage lands on your team. Plan accordingly.", "url": "https://wpnews.pro/news/microsofts-ai-found-570-windows-bugs-before-attackers-did", "canonical_source": "https://byteiota.com/microsofts-ai-found-570-windows-bugs-before-attackers-did/", "published_at": "2026-07-17 07:12:11+00:00", "updated_at": "2026-07-17 07:32:19.055176+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-agents", "ai-safety", "ai-products", "ai-infrastructure"], "entities": ["Microsoft", "MDASH", "CISA", "CVE-2026-56164", "CVE-2026-56155", "Pavan Davuluri", "OpenAI", "Anthropic"], "alternates": {"html": "https://wpnews.pro/news/microsofts-ai-found-570-windows-bugs-before-attackers-did", "markdown": "https://wpnews.pro/news/microsofts-ai-found-570-windows-bugs-before-attackers-did.md", "text": "https://wpnews.pro/news/microsofts-ai-found-570-windows-bugs-before-attackers-did.txt", "jsonld": "https://wpnews.pro/news/microsofts-ai-found-570-windows-bugs-before-attackers-did.jsonld"}}