Microsoft’s July 2026 Patch Tuesday is the largest in the company’s history, addressing 622 CVEs across Windows, Office, Azure, SharePoint, Exchange, and more. Buried inside that record volume is the fix that should jump to the top of every cloud security team’s list: CVE-2026-56164, an unauthenticated, actively exploited zero-day in SharePoint Server. If you run SharePoint anywhere in your cloud estate, this is the one to act on today.

The sheer scale of this release is notable in its own right. The record volume is partly attributed to Microsoft’s AI-powered vulnerability discovery system (MDASH), which surfaced a significant number of bugs across the Windows codebase. Of the 622 fixes, roughly 56 to 62 are rated Critical, about 510 are Important, and 3 are Moderate, spanning 254 Elevation of Privilege, up to 166 Remote Code Execution, up to 109 Information Disclosure, 35 Denial of Service, 17 Security Feature Bypass, and 16 Spoofing vulnerabilities. Two of these are confirmed exploited in the wild, and one more was publicly disclosed before a patch existed. But volume is not the story. Prioritization is, and in the cloud that means knowing which of these hundreds of CVEs actually sits on an exposed, reachable asset in your environment.

About CVE-2026-56164

CVE-2026-56164 (SharePoint Server, CVSS 5.3, Actively Exploited)

Do not let the modest 5.3 CVSS score fool you. This is an unauthenticated, network-based privilege escalation vulnerability in SharePoint Server that requires no user interaction and is being exploited right now. It was discovered by Mandiant/Google FLARE incident responders during real-world attacks, which is why it warrants far more urgency than its base score suggests. This is a textbook example of why CVSS alone is a poor prioritization signal: a “medium” score on a pre-auth, zero-click, actively-weaponized flaw is a critical exposure in practice.

SharePoint Server 2016, 2019, and Subscription Edition are all affected. The timing makes it worse: SharePoint Server 2016 and 2019 reached end-of-extended-support on July 14, 2026, the very day this patch shipped, so organizations still on those versions are patching a product that is otherwise out of support. Microsoft recommends enabling AMSI integration with Full Request Body Scan mode as an interim mitigation.

Why this matters for cloud teams specifically: SharePoint Server increasingly runs in IaaS (Azure VMs, EC2, GCE) as part of lift-and-shift migrations and hybrid deployments, often with internet-facing front ends and broad identity permissions attached to the underlying compute. A pre-auth privilege escalation on an internet-exposed SharePoint instance is exactly the kind of foothold that turns into lateral movement across a cloud tenant. The combination of “internet-exposed + unpatched + actively exploited + over-permissioned instance role” is what elevates this from a patch line item to an incident waiting to happen.

Affected Systems

All Windows environments are impacted, with 416 of the 622 fixes touching Windows components (kernel, GDI+, Media, DirectX Graphics, networking). For cloud teams, the priority set is narrower but sharper: internet-exposed SharePoint Server (2016, 2019, Subscription Edition) running in IaaS, AD FS hosts federating identity into your cloud, Hyper-V hosts backing virtualized workloads, DHCP infrastructure, Exchange with OWA, and Dynamics NAV/365 Business Central.

Risk Impact

CVE-2026-56155 (AD FS, CVSS 7.8, Actively Exploited): A local privilege escalation flaw in Active Directory Federation Services that lets an attacker with local access escalate to administrator. Microsoft’s Detection and Response Team (DART) found it during active incident response, confirming exploitation in the wild. Because AD FS underpins federated identity into cloud services, compromise here has outsized blast radius across SaaS and cloud tenants. Any organization running AD FS should patch immediately.

CVE-2026-50661 (BitLocker, CVSS 6.1, Publicly Disclosed Before Patch): A security feature bypass in Windows BitLocker requiring physical access, disclosed publicly before a fix was available. Microsoft assesses exploitation as less likely, but it belongs on the radar for endpoint and physical-security owners.

Beyond the zero-days, several critical CVEs map directly onto cloud infrastructure: CVE-2026-57092 (Hyper-V VMSwitch, CVSS 9.9) is the highest-severity flaw in this release, a use-after-free enabling guest-to-host escape, a serious multi-tenancy and isolation concern anywhere Hyper-V backs virtualized or hosted workloads. CVE-2026-50518 and CVE-2026-56159 (DHCP Server, CVSS 9.8) are buffer overflows exploitable via malicious DHCP packets, alongside three more DHCP CVEs (CVE-2026-50370, CVE-2026-54128, CVE-2026-48564) affecting Windows DHCP Server and Client. CVE-2026-56188 (Windows Server Network Driver, CVSS 9.8) enables unauthenticated RCE via network traffic. CVE-2026-55944 (Dynamics NAV/365 Business Central, CVSS 9.8) is a deserialization flaw enabling unauthenticated RCE. CVE-2026-55008 (Exchange Server/OWA, CVSS 9.6) is a cross-site scripting spoofing bug in Outlook Web Access. CVE-2026-56190 (Remote Desktop Protocol) enables RCE in the RDP stack, a common internet-exposed service on cloud VMs.

Microsoft Office also receives 164 fixes, including nine critical RCEs in Word, PowerPoint, and the broader suite, several exploitable via the Preview Pane, meaning no document open is required to trigger them.

Remediation and Prioritization

Patch the two exploited zero-days first: CVE-2026-56164 (SharePoint) and CVE-2026-56155 (AD FS). Do not wait for CISA KEV listing; Microsoft’s exploited flag is sufficient justification to move now.

For SharePoint, enable AMSI integration with Full Request Body Scan mode as interim mitigation for CVE-2026-56164, and prioritize any internet-facing instance. Organizations still on SharePoint Server 2016 or 2019 should accelerate migration given end-of-support.

Patch all Hyper-V hosts running VMSwitch (CVE-2026-57092) to close the guest-to-host escape path.

Patch DHCP Servers and Clients given five critical RCEs.

Focus first on internet-exposed SharePoint, RDP, and DHCP surfaces rather than treating all 622 as equal.

Deploy Office updates given nine critical, Preview-Pane-exploitable RCEs.

Watch the Kerberos change: the July update removes the RC4 fallback escape hatch introduced in January. Audit service accounts lacking AES keys before deploying, or they may fail authentication post-patch.

Do not rely on “wait a week” testing windows. Attackers can diff patches into working exploits quickly, and with two CVEs already exploited in the wild, that clock has already started.

How Orca Can Help

The hard part of a 622-CVE release is not patching. It is knowing which handful of those CVEs actually matters in your cloud, and Orca’s agentless platform answers that without deploying anything to your workloads.

Orca instantly inventories every asset running an affected version of SharePoint Server, AD FS, Hyper-V, Exchange, DHCP, or Dynamics across your AWS, Azure, and GCP environments, no agents, no scanning windows, no blind spots. More importantly, Orca prioritizes based on real risk rather than CVSS alone, correlating each vulnerability with internet exposure, network reachability, attached identity and permissions, and asset criticality.

For the SharePoint zero-day (CVE-2026-56164), that means Orca doesn’t just tell you an instance is unpatched. It surfaces the internet-exposed, unauthenticated-reachable SharePoint servers whose underlying compute holds sensitive permissions, the exact attack-path conditions that make this pre-auth flaw dangerous, and shows them to you as a prioritized, remediable list. For CVE-2026-57092 (Hyper-V VMSwitch), Orca identifies affected hosts and highlights the guest-to-host escape risk in your virtualized workloads.

The result: your team spends July closing the two actively exploited zero-days and the genuinely reachable 9.8+ criticals first, instead of drowning in a queue of 622 undifferentiated CVEs.