Microsoft has released updates for an unprecedented 570 CVEs during this month’s Patch Tuesday on July 14.
The patch deluge came after warnings from the tech giant that its use of agentic AI to find new flaws would lead to an increase in security updates for customers.
Trey Ford, chief strategy and trust officer at Bugcrowd, said this was the new normal for the foreseeable future.
“The real story is economic. AI has collapsed the cost of finding vulnerabilities, and this increase in volume is a new floor, not the ceiling … at least for a while,” he added.
“Leadership teams need to stop treating patch volume as a monthly surprise, we must fund it as a fixed operating cost, because the intake will not be going back down for a while. The organizations that win won’t be the ones that patch fastest this month. They’ll be the ones who built a process that scales when the next couple months continue to increase.”
Read more on vulnerability management: Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities
Among the vulnerabilities in July’s Patch Tuesday are three zero-day vulnerabilities; two of which have been exploited in the wild.
CVE-2026-56155 is an elevation of privilege (EoP) vulnerability in Active Directory Federation Services which allows an authorized attacker to elevate privileges locally.
“Eight other vulnerabilities are also published today in Active Directory Federation Services, all ranked as Important on Microsoft’s proprietary severity ranking scale,” explained Rapid7 principal software engineer, Adam Barnett.
“The advisory doesn’t explicitly describe the location of the attacker, but it’s likely that an attacker would need an existing toehold on the target system to chain together with the elevation of privilege opportunity on offer here.”
The second exploited zero-day is CVE-2026-56164, another EoP bug but this time in Microsoft SharePoint Server. No existing privileges are required to launch an attack, and exploitation has been branded “low complexity” by Microsoft.
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to harden their SharePoint systems in response to exploitation of this and two other vulnerabilities published earlier this year.
The publicly disclosed zero day is CVE-2026-50661: a Windows BitLocker security feature bypass flaw which could allow attackers to access encrypted data. Exploitation would require an unauthorized attacker to have physical access to a target machine.
A New Era of Mass Updates
In total, July’s Patch Tuesday saw the release of updates for 254 EoP vulnerabilities, 145 remote code execution (RCE) bugs, and 102 information disclosure flaws. Fifty-nine were rated critical, of which the vast majority (48) were RCE flaws.
However, Microsoft isn’t the only vendor to increase its volume of updates for users. Google fixed over 460 Edge/Chromium flaws this month, and Adobe recently switched its patching cadence to twice a month.
Qualys security research manager, Mayuresh Dani, commented, “This trend was predicted and we’re seeing the evidence of it happening now. As more advanced and frontier AI models become available, we can expect an upward trend to continue and then slow down.”
“What we’re observing is that AI automated fuzzing, LLM-assisted variant hunting, and static analysis at scale are discovering bugs faster than enterprises can remediate.”
Qualys urged organizations to:
- Move from CVSS-only prioritization to Exploit Prediction Scoring System (EPSS) and CISA KEV
- Graduate to a tiered-patching SLA mechanism. For example, a KEV-listed CVE or EPSS >0.5 should be patched within 24-36 hours. Classification should be risk-based and will be different each organization
- Introduce attack surface reduction and mitigation mechanisms, such as ensuring systems like Active Directory Federation Service aren’t internet-connected, on-premises SharePoint doesn’t have public access, and remote management tools aren’t reachable from anywhere
- Improve patching practices so it is easier to validate updates, and monitor installs and system stability on a select group with automated rollback support. Approved patches should then be pushed to all required systems