Home/ Blog/ Security news/ Article
Blog · Security news

Two Microsoft zero-days were exploited before the fix shipped

Microsoft's July 2026 Patch Tuesday fixes two zero-days already exploited in the wild: an ADFS and a SharePoint Server privilege bug. CISA gave both short

Two tall stone archways with cracked keystones on an empty plaza

The most useful signal in Microsoft's July 2026 Patch Tuesday is who found the bugs that matter. Two of the three zero-days in this release were already being exploited when the patch shipped on July 14, and neither surfaced from a bug bounty or an automated scanner. Microsoft credited them to incident-response teams: its own Detection and Response Team for the Active Directory Federation Services flaw, and Mandiant plus Google Cloud researchers for the SharePoint one. When an IR team is the finder, the flaw usually turned up while they were cleaning up a real intrusion. The exploitation came first; the CVE is the aftermath.

Both flaws sit on the identity and access plane, and CISA added both to its Known Exploited Vulnerabilities catalog on the same day Microsoft disclosed them. That is a tight loop. Federal agencies have until July 17 to fix the SharePoint bug and July 28 for the federation one. If you run either product on your own servers, treat those dates as your floor, not a suggestion.

The two bugs already in use

CVE-2026-56164 is a missing-authentication flaw in on-premises SharePoint Server. According to Microsoft's advisory, it lets an attacker with no credentials reach a privileged function over the network and raise their access on the server. CVE-2026-56155 is a weakness in how AD FS enforces access control that lets an already-authenticated user climb to higher privileges on the host. The remaining zero-day, a Windows BitLocker weakness tracked as CVE-2026-50661, was made public but carries no reports of exploitation, so it can wait behind the other two.

AttributeCVE-2026-56164 (SharePoint)CVE-2026-56155 (AD FS)
ProductOn-premises SharePoint ServerActive Directory Federation Services
Access neededNone (unauthenticated)Authenticated local user
VectorOver the networkLocal elevation of privilege
Microsoft severityModerateImportant
CISA deadlineJuly 17, 2026July 28, 2026
Credited finderMandiant / Google CloudMicrosoft DART
Source: Microsoft Security Update Guide and CISA KEV, July 14, 2026.

The full release is enormous. BleepingComputer counted more than 570 CVEs, which it called the largest Patch Tuesday Microsoft has ever shipped. Volume like that makes triage the real problem: nobody patches 570 things at once, so the question is which handful to move on today. The KEV listing answers it for you.

The severity labels are pointing the wrong way

Microsoft rated the SharePoint zero-day Moderate and the AD FS zero-day Important. Neither is labeled Critical. Yet both are confirmed exploited and both drew a CISA deadline. If you sort your patch queue by the vendor's severity string, these two drop below dozens of Critical-rated bugs that nobody is using.

We saw the same gap two weeks ago. Microsoft shipped CVE-2026-45659 with an "Exploitation Less Likely" tag in May, and CISA added it to the KEV catalog on July 1 after attacks in the wild. The lesson repeats: a pre-release exploitability guess is not a field observation. When the people who found a bug are an incident-response team, the label has already been overtaken by events. Sort by exploitation status, not by the CVSS band.

On-premises SharePoint is now a standing target

CVE-2026-56164 is the second SharePoint Server flaw CISA has KEV-listed inside two weeks. On-premises SharePoint has become a reliable way into corporate networks, the way internet-facing VPN appliances were a few years ago. If you still run it yourself, the honest posture is assume-breach: patch, then go looking for signs someone was already inside before you did.

Microsoft's interim mitigation for the SharePoint bug is worth doing even after you patch. Turning on the Antimalware Scan Interface and setting request body scanning to Full gives your security tools visibility into the request content hitting the server, which is the same hardening Microsoft has pushed for on-premises SharePoint during earlier exploitation waves. Operators who already enabled it have both partial coverage and a logging vantage point for the hunt.

Why the AD FS bug is bigger than one server

An elevation-of-privilege flaw in AD FS is easy to underrate because it needs an authenticated foothold first. The reason it matters is where AD FS sits. It is the trust anchor that issues the tokens your federated applications accept, so an attacker who gains control there is not compromising one box, they are in a position to influence authentication decisions across every application that trusts it. That is a familiar failure class: we covered a forged-identity flaw in CoreWCF's SAML handling that trusted an attacker as an administrator, and the Azure CLI password spray that walked past MFA through a retired login flow. The identity layer is where a small foothold turns into a large one.

Patch SharePoint today, AD FS by month end

Sequence the work by exposure and deadline, not by the severity label:

  • On-premises SharePoint Server: apply the July update now. If you cannot patch immediately, enable AMSI and set request body scanning to Full, then assume the server may already be touched and start hunting.
  • AD FS: patch by the July 28 deadline, sooner if the server is reachable by anyone who could get an authenticated foothold. Review who can log in locally to the AD FS host and treat that list as privileged.
  • Everything else in the 570: the BitLocker zero-day is disclosed but not exploited, so it sits behind the two KEV items. Work the KEV list first, then the Critical RCEs.

Patching closes the hole. It does not tell you whether someone walked through it in the window before you moved, and for both of these the exploitation predates the fix. That is the part a patch ticket misses: after you update, look at authentication logs on the AD FS host and request patterns on the SharePoint server for the days before you patched. This is exactly the assume-breach hunt a managed detection and response practice runs, and where our threat-hunting and vulnerability-detection work focuses: closing the gap between a patch that stops the next attempt and evidence about the last one.

Topics

Frequently asked questions

What is CVE-2026-56164?

CVE-2026-56164 is a missing-authentication vulnerability in on-premises Microsoft SharePoint Server. Microsoft says it lets an unauthenticated attacker reach a privileged function over the network and raise their access on the server. Microsoft patched it on July 14, 2026, and CISA confirmed active exploitation the same day.

Is CVE-2026-56164 being exploited?

Yes. CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog on July 14, 2026, meaning it confirmed attacks in the wild. Microsoft credited the discovery to Mandiant and Google Cloud researchers, and set a federal patch deadline of July 17, 2026.

What is the AD FS flaw CVE-2026-56155?

CVE-2026-56155 is an elevation-of-privilege flaw in Active Directory Federation Services. An authenticated user can exploit weak access-control enforcement to gain higher privileges on the AD FS host. Microsoft's Detection and Response Team found it, and CISA listed it as exploited with a July 28, 2026 deadline.

Does the AD FS bug affect Entra ID in the cloud?

No. CVE-2026-56155 affects the on-premises Active Directory Federation Services server role, not Entra ID, which is Microsoft's separate cloud identity service. Organizations that still run AD FS to federate applications are the ones exposed. The fix ships in the July 2026 security update for the AD FS role.

Which July 2026 Patch Tuesday flaws should I patch first?

Patch the two exploited zero-days first: SharePoint CVE-2026-56164 by July 17 and AD FS CVE-2026-56155 by July 28. Both are on CISA's KEV list. The BitLocker zero-day CVE-2026-50661 was disclosed but is not reported exploited, so it can wait behind the KEV items.

How do I mitigate the SharePoint flaw if I cannot patch now?

Microsoft's interim step is to enable the Antimalware Scan Interface on the SharePoint server and set request body scanning to Full. That gives your security tooling visibility into request content. It is a stopgap, not a substitute: apply the July update as soon as your change window allows, then hunt for prior activity.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.