622 CVEs in a Single Day. That’s Not a Record — It’s a Reckoning.

On July 14, 2026, Microsoft shipped its largest Patch Tuesday in history — 622 unique security vulnerabilities across Windows, Office, SharePoint, Exchange, Azure, and beyond. That’s more than three times the previous record of around 200 from just a month earlier. Two of those bugs were already being actively exploited in the wild when the patches dropped.

A cluttered server rack with colorful cables connected to switches
Image: Federal Bureau of Investigation via Wikimedia Commons (Public Domain)

If you manage IT infrastructure — and I do, as the Acting Division Manager of ICT in a Philippine government agency — that number should stop you cold. Not because of the magnitude of the patches, but because of what it signals about where security is headed. Microsoft itself told us this was coming. In a July 9 blog post, Windows boss Pavan Davuluri warned that customers should expect “a higher volume of security updates” going forward because AI is helping Microsoft find more bugs than ever before.

That’s the story underneath the headline. AI isn’t just writing code or automating help desks anymore — it’s transforming vulnerability discovery at a pace that our existing patch management processes were never designed to handle. And this July Patch Tuesday is the first real stress test of that new reality.

The Numbers Tell a Story

Let’s break down what actually shipped. According to Microsoft’s Security Update Guide, the 622 CVEs break down across product families:

  • Windows: 416 CVEs — including both exploited zero-days, a VMSwitch RCE at CVSS 9.9, five DHCP RCEs, and 21 NTFS/ReFS driver bugs
  • Office: 82 CVEs (or 164 if you count the duplicate listing for Office 2016)
  • Microsoft Edge: 46 CVEs (21 of which are Microsoft’s own rather than Chromium re-listings)
  • SharePoint Server: 17 CVEs — including an exploited zero-day and a Critical RCE pair at 9.8
  • Developer Tools: 27 CVEs — security feature bypasses across Visual Studio, VS Code, and GitHub Copilot
  • Azure, SQL Server, Exchange, Defender, and others: the remaining 34

Two zero-days demand immediate attention: CVE-2026-56164 in SharePoint Server allows unauthenticated privilege escalation over the network with no user interaction required — and it’s already being exploited. Microsoft credits Mandiant’s incident responders and Google’s FLARE team for the discovery, which strongly suggests this was found inside active attacks. The second, CVE-2026-56155 in Active Directory Federation Services, lets authenticated attackers elevate privileges locally. AD FS is the box that signs the tokens the rest of your infrastructure trusts — a “local” bug on that server is far more dangerous than the label suggests.

There’s also a third zero-day disclosed but not yet exploited: CVE-2026-50661, another BitLocker bypass continuing a pattern we’ve seen throughout 2026.

The RC4 Cleanup That Will Break Things

Buried in the Windows updates is a change that will cause more real-world outages than any of the critical RCEs. Microsoft is finally removing the rollback switch for its Kerberos RC4 deprecation, which began in January 2026. After this update, RC4 will only work for accounts explicitly configured to allow it. If any service account in your environment still requests RC4 Kerberos tickets, authentication will silently fail the moment the update lands.

Microsoft has provided audit events since January to identify these accounts. The fix isn’t complicated — rotate the passwords on flagged service accounts so Windows generates AES keys for them. But if you haven’t done the audit yet, this Patch Tuesday is your deadline, not a suggestion.

This is the kind of change that doesn’t make headlines but will page someone at 2 AM. And it’s exactly the kind of operational detail that gets lost in the noise of a 622-CVE release.

AI: The Double-Edged Sword

Microsoft has been transparent about why July’s Patch Tuesday is so massive. Its MDASH system — a multi-model agentic scanning framework — found 16 bugs in May’s Patch Tuesday entirely by itself. The company has now scaled that capability significantly. As Davuluri wrote, AI helps defenders “discover more issues,” and the result is that customers will see more patches, not fewer. This is part of a broader pattern I covered in how AI coding tools handle your data — the same technology that finds security bugs can also expose sensitive information if not properly audited.

This is genuinely good for security in the abstract. Vulnerabilities that might have lingered in Windows code for years — some of that code dates back decades — are being discovered and closed. The Windows kernel, networking stack, file system drivers, and SharePoint Server all received patches for bugs that AI tools helped surface. Fewer latent vulnerabilities means a smaller attack surface over time.

But there’s a dark side that Microsoft’s blog post didn’t dwell on. Once a patch ships, attackers can diff it against the previous build, find the exact line of code that changed, reverse-engineer the vulnerability, and build a working exploit — often before most organizations have finished testing the update. The old “wait a week” cushion is gone. We’re entering the era of Exploit Wednesday, not just Patch Tuesday.

There’s also the triage crisis. When a single Patch Tuesday carries 600-plus CVEs and a large share are rated High or Critical, the CVSS score stops being a useful sorting mechanism. This month’s two exploited bugs make the point perfectly: neither is a headline 9.8. Both are mid-tier privilege flaws — one in SharePoint, one in AD FS — and both are already being used in attacks. Sorting by severity would have deprioritized the very bugs that were actively harming organizations.

Felix’s Take: What This Means for Teams Like Mine

I manage IT for a government division in the Philippines. We’re not Microsoft’s enterprise customer with a dedicated security operations center — we’re a mid-size agency running a mix of Windows Server, SharePoint, and Office, with a small IT team covering everything from network infrastructure to end-user support.

The old approach to Patch Tuesday was simple: wait a week, see if anyone reports issues, then deploy. That worked when Microsoft was shipping 60 to 80 patches a month. It does not work when they’re shipping 622 in a single day — and when two of those bugs are already being exploited.

Here’s what I’ve changed in our approach, and what I’d recommend for teams in similar positions:

1. Stop sorting by CVSS score. CVSS is designed to measure severity in isolation, not real-world risk. This month’s exploited bugs prove it. Instead, sort by exploitation status: check Microsoft’s “Exploited” flag, CISA’s Known Exploited Vulnerabilities catalog, and EPSS (Exploit Prediction Scoring System) scores. Patch the bugs that are being used first, regardless of their severity rating.

2. Know your crown jewels. For us, that’s SharePoint (our document management system) and Active Directory (everything depends on it). Those two systems got patched on day one, before anything else. Every organization has a different set of crown jewels — identify yours and prioritize accordingly.

3. Audit your RC4 dependencies now. The Kerberos change is the kind of operational trap that’s easy to miss when you’re focused on security vulnerabilities. If you have legacy applications or old service accounts still using RC4, test them against the July update before deploying broadly. A planned outage is always better than a surprise one.

4. Build a patching pipeline, not a patching schedule. The monthly Patch Tuesday cadence is becoming an artifact. With AI discovering vulnerabilities at this scale, we’re going to see more out-of-band updates and more record-breaking Patch Tuesdays. The process has to be continuous — automated testing, staged rollouts, and the ability to push critical patches within hours, not days.

5. Accept that you can’t patch everything. This is the uncomfortable truth that nobody in security wants to say out loud. With 600-plus CVEs per month, even well-resourced teams will struggle to keep up. The goal isn’t to patch every vulnerability — it’s to patch the ones that matter, and have compensating controls for everything else. If you’ve ever had an AI coding tool trigger a security alert, you’ll recognize this feeling — I wrote about exactly that scenario and how to handle it. The same principle applies at scale: don’t panic, triage intelligently. Network segmentation, application allowlisting, and robust monitoring are your safety nets when the patch cadence outruns your deployment capacity.

The Broader Pattern

This isn’t just a Microsoft story. AI is transforming vulnerability discovery across the entire software ecosystem. This raises questions about oversight that go beyond patch management — questions I explored when DeepMind’s CEO proposed a FINRA-like regulator for AI. If AI is both finding bugs and writing exploitable code, who watches the watchers? Open source projects are seeing the same trend — automated fuzzing, static analysis at scale, and LLM-powered code review are surfacing bugs in code that’s been in production for years. The npm ecosystem, the Linux kernel, Android, iOS — every major software platform is going through this.

The end result is the same everywhere: more vulnerabilities found, faster, by both defenders and attackers. As I discussed in my analysis of Satya Nadella’s warning on enterprise AI, the economics of AI adoption create their own set of risks — and security is one area where the cost of getting it wrong compounds rapidly. The competitive advantage will shift from “who can find the most bugs” to “who can triage and remediate the fastest.”

For the security industry, this should be a moment of reflection. We spent two decades building tools and processes to find more vulnerabilities. Now we have them — more than we know what to do with. The bottleneck has moved from discovery to remediation.

Bottom Line

Microsoft’s record-breaking July Patch Tuesday is a milestone, but not the kind we celebrate. It’s the first clear signal that AI-powered vulnerability discovery is reshaping the security landscape faster than our operational processes can adapt. The patches themselves are good — every closed vulnerability is a bullet dodged. But the scale of the release should force every IT team to ask hard questions about their patch management strategy, their triage criteria, and their tolerance for the new normal.

The question isn’t whether AI will find more vulnerabilities. It already has, and it will keep finding them. The question is whether our organizations can keep up. For my team, that means rethinking everything from how we prioritize patches to how we staff our security operations. For your team, it probably means the same thing.

Take the time this week to audit your RC4 service accounts, patch your SharePoint servers, and most importantly — stop treating Patch Tuesday as a monthly event. It’s a weekly one now.

Filed under Tech & Gadgets
Last Update: July 16, 2026 by Felix AlterEgo
0 0 votes
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Newest
Oldest Most Voted