Microsoft Ships a Record 622-CVE Patch Tuesday With Two Zero-Days Under Active Attack
Microsoft's July Patch Tuesday breaks its own record — 622 CVEs, two zero-days under active attack, and defender triage stakes rise this week.
Microsoft's July Patch Tuesday breaks its own record — 622 CVEs by Microsoft's official count, two zero-days reportedly under active attack, and a defender triage problem that arrives all at once.
REDMOND, WASHINGTON — Microsoft on July 14, 2026 released its July Patch Tuesday covering a record 622 vulnerabilities by its own Security Update Guide count, including two zero-days that multiple security outlets report are under active attack. The total roughly triples the company's previous monthly record set in June, landing as the largest single Patch Tuesday on record. For defenders, the immediate work is not the headline number but the triage question underneath it: which of the 622 fixes must move first, and how to verify the two exploited flaws against authoritative catalog data.
The scale made even the count contested. Independent reporting from SecurityWeek and others put the Microsoft total at 622, matching the Security Update Guide, while Krebs on Security and several trackers cite roughly 570 under a narrower same-day methodology. The CyberSignal anchors to Microsoft's official figure of 622 and treats the 570 count as a methodology discrepancy. Either way, the message for security teams is the same: this is a triage-first cycle, and the two reportedly exploited zero-days are where verification and patching should begin. It arrives days after Microsoft's own July 10 warning about an AI-accelerated vulnerability cadence.
What Microsoft Published
Microsoft's July 2026 Patch Tuesday addresses 622 vulnerabilities by the company's own Security Update Guide count, making it the single largest monthly release the company has shipped. Reporting from The Hacker News and SecurityWeek places the figure at 622 and notes that roughly 59 of the CVEs are rated Critical, most of them remote code execution issues across Microsoft's server and client products. The volume alone reframes the month: a 622-CVE release forces teams to sequence deployment against exploitation likelihood rather than test and ship everything at once.
The record is best understood in context of how quickly it was set. Microsoft's previous high was the June 2026 cycle, which The CyberSignal covered as a 206-CVE release built around the Nightmare Eclipse zero-days and was itself described as unusually large at the time. July's 622 roughly triples that figure within a single month — an escalation steep enough that The Register framed the month as a "Patchpocalypse" and the SANS Internet Storm Center headlined its diary an "AI Acopolypse." Those framings are quoted as published; the reported facts underneath them are the count, the two exploited zero-days, and the triage pressure that follows.
The Two Zero-Days Under Active Attack
Two of the July CVEs are reported to be under active attack at the time of release. According to The Hacker News and SecurityWeek, the two exploited zero-days affect Active Directory Federation Services (AD FS) and SharePoint Server. The CyberSignal reports the specific CVE identifiers only as attributed by those outlets — the AD FS elevation-of-privilege flaw carried as CVE-2026-56155 and the SharePoint Server flaw as CVE-2026-56164 — and keeps the treatment defender-focused: the relevant question is not how the flaws are being used but which assets they touch and how to confirm coverage.
For defenders, that means two identity- and collaboration-tier priorities. AD FS sits at the center of federated authentication, so any privilege-escalation flaw in that role belongs at the front of the patch queue for organizations that still run it. SharePoint Server is a recurring target this year; The CyberSignal covered a separate SharePoint authentication-bypass flaw, CVE-2026-55040, in the same reporting batch, and the recurrence underscores why internet-reachable SharePoint deployments warrant standing attention. The defender workflow is the same for both: apply Microsoft's update, confirm the build number against the Security Update Guide, and verify KEV status before standing down.
A note on the count: some trackers, including Krebs on Security and BleepingComputer, describe three zero-days this month — the two reportedly exploited flaws plus a third that is publicly known but not reported under attack. The CyberSignal's framing follows the actively-exploited pair, consistent with the SecurityWeek and Hacker News accounts. Whether either exploited flaw is unauthenticated and network-reachable, and its exact CISA KEV timing, are treated below as open questions.
A Continuation of Microsoft's AI-Cadence Warning
The July release does not read as an isolated spike. It lands days after Microsoft's July 10 guidance warning that AI-assisted discovery is compressing the vulnerability cadence, in which the company signaled that machine-assisted code analysis is surfacing bugs faster than the traditional monthly rhythm was built to absorb. Coverage of the July cycle attributes part of the record volume to exactly that dynamic, turning the abstract July 10 warning into an operational reality four days later. The takeaway is a trend line, not a single record month: if discovery keeps accelerating, 600-plus-CVE cycles stop being anomalies and start being planning assumptions.
That reframing changes what patch-triage maturity looks like. An organization that treats Patch Tuesday as a monthly fire drill will not scale to a cadence where any month can triple the prior record. The defensible posture is a standing, risk-based triage pipeline: rank by exploitability and asset exposure, deploy exploited and Critical remote code execution fixes on an expedited track, and let the long tail follow on the normal schedule. Uniform all-at-once deployment of 622 fixes is neither testable nor sustainable, and it delays the handful that carry active-exploitation risk.
The pattern is not unique to Microsoft. The CyberSignal covered Apple's release of more than thirty iOS, macOS, and Safari patches tied to AI-assisted WebKit review in the same period, another sign that AI-accelerated discovery is lifting patch volumes across the major platform vendors at once. For a mixed estate, the consequence is that multiple vendors may ship oversized cycles in the same window, compounding the triage load rather than staggering it.
Reconciling the Record: 622 Versus 570
The most visible discrepancy in this month's reporting is the count itself. Krebs on Security published the cycle as a record 570 flaws, while SecurityWeek, The Hacker News, and the Zero Day Initiative put the Microsoft total at 622. The gap is a methodology difference, not a factual dispute: the narrower same-day count excludes vulnerabilities Microsoft shipped earlier in the month across cloud services such as Azure and Exchange Online, and the large batch of Edge/Chromium flaws Google patched separately upstream. Microsoft's Security Update Guide, which The CyberSignal treats as the official anchor, totals 622.
For defenders, the discrepancy is a reminder about source hygiene. Different trackers legitimately produce different totals depending on whether they count product variants, previously-released cloud fixes, and Chromium issues — so a patch program keyed to a single third-party number risks mis-scoping the month. The durable practice is to drive remediation from Microsoft's per-CVE catalog and severity index, use CISA's KEV catalog to confirm known-exploited items, and treat outlet headlines as awareness signals rather than work orders.
The reconciliation also has a governance dimension for regulated and federal environments. Frameworks such as CISA's BOD 26-04 risk-based patching directive, with its three-day window for the most critical fixes, assume an organization can identify its highest-risk items quickly and act on them faster than the rest. A 622-CVE cycle stress-tests that assumption: agencies bound by short-clock mandates cannot meet them by treating every CVE equally, which is why authoritative severity and exploitation data — not aggregate counts — has to drive the clock.
Scope and Impact
The practical impact of the July cycle is concentrated, not uniform. The overwhelming majority of the 622 CVEs are important-but-not-emergency fixes that belong on the normal deployment track. The urgency is carried by a small subset: the two reportedly exploited zero-days in AD FS and SharePoint Server, and the roughly 59 Critical-rated flaws, most of them remote code execution. That distribution is the whole reason triage matters — the risk is not spread evenly across 622 items, so treating the cycle as one monolithic workload obscures the handful of fixes that need to move today.
The month also fits a broader pattern of Microsoft security activity that The CyberSignal has tracked through the year, including the RoguePlanet Defender system patch and a run of high-severity SharePoint and identity-tier issues. Viewed together, those disclosures describe an environment where Microsoft's most security-sensitive roles — federated identity, collaboration servers, and endpoint defense — are under sustained scrutiny. Exposure is a function of what an organization actually runs: an estate without on-premises AD FS or SharePoint Server has a very different July than one that depends on both.
The reporting for this cycle is unusually well-corroborated for a same-day event. Microsoft's Security Update Guide provides the primary data, and independent analyses from SecurityWeek, The Hacker News, Krebs on Security, Rapid7, the SANS Internet Storm Center, and Cisco Talos align on the core facts: a record release, two flaws reported under active attack, and a triage burden defined by density. Where the accounts differ — most notably on the 622-versus-570 count — the difference is traceable to methodology, which is why the official figure is the right anchor.
Open Questions
Several specifics remain unconfirmed and should be verified against authoritative sources before being treated as settled. The exact CISA KEV catalog status and timing for the two reportedly exploited zero-days had not been independently confirmed by The CyberSignal as of writing; defenders should check the KEV catalog directly. It is likewise not confirmed whether either exploited flaw is unauthenticated and network-reachable, a distinction that materially changes how urgently an internet-facing deployment must act. No threat actor has been named in the reporting reviewed here, and The CyberSignal does not attribute the activity to any group.
The CVE identifiers attributed to the two zero-days are reported strictly as they appear in outside outlets and Microsoft's guide; readers verifying their own exposure should confirm each identifier and affected-build range against the Security Update Guide, not a secondary summary. The count — whether an organization tracks 622 or 570 internally — should be reconciled to Microsoft's official total, with the understanding that the lower figure reflects a narrower same-day methodology rather than a smaller body of work.
The larger open question is trajectory. If Microsoft's July 10 AI-cadence warning is correct that machine-assisted discovery is compressing the vulnerability timeline, the operative uncertainty is not whether July was a record but whether it becomes a baseline. That will only be answered over the next several cycles — and it is the question security leaders should be planning around now, building risk-based triage capacity that scales with volume rather than assuming July was an outlier.
The CyberSignal Analysis
The reported facts above are drawn from Microsoft's disclosure and independent coverage; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.
Signal 01 — The Record Is Not the Story; the Two Exploited Flaws Are
The 622 count is the headline, but it is the least actionable fact in the release. A record number of CVEs tells a security team almost nothing about what to do first; the two reportedly exploited zero-days tell them exactly that. Our reading is that the correct response to a cycle this large is to compress attention onto the handful of items that carry active-exploitation risk. The month is dangerous in proportion to how long the AD FS and SharePoint fixes sit unapplied, not to how many other CVEs share the release notes.
That discipline separates programs that will scale from those that will not. Treating 622 fixes as one undifferentiated workload guarantees the exploited flaws deploy at the same pace as the least urgent ones — the opposite of what the risk profile demands. The defenders who come out of July well are the ones whose pipeline can pull the two exploited zero-days to the front of the queue on release day and let the remainder follow on the normal cadence.
Signal 02 — A 622-vs-570 Gap Is a Triage Problem, Not Just a Counting One
The discrepancy between Microsoft's 622 and Krebs's 570 looks like a scorekeeping footnote, but it exposes a real operational risk: any patch program keyed to a single third-party number is scoping its month against an artifact of someone else's methodology. Our assessment is that the reconciliation itself — knowing why the figures differ and which is authoritative — is a marker of triage maturity. A program that cannot explain its own CVE count for the month is unlikely to be prioritizing within it well.
The practical correction is to drive remediation from Microsoft's per-CVE catalog and CISA's KEV listings rather than aggregate totals. Anchor internal reporting to the official 622, understand that 570 reflects a narrower same-day scope, and treat neither number as a work order. The count is context; the exploitability data is the instruction set.
Signal 03 — AI-Accelerated Discovery Means the Cadence Will Not Slow
The most consequential read of July is that it may not be an outlier. Microsoft's own July 10 guidance framed AI-assisted discovery as a structural change to the cadence, and a 622-CVE release four days later is the first hard data point for that thesis. Our judgment is that security leaders should plan for oversized cycles as a recurring condition rather than a once-a-year event, building triage capacity that scales with volume instead of assuming a return to two-hundred-CVE months.
That assumption cuts across vendors, not just Microsoft. With Apple and others also lifting patch volumes on the back of AI-assisted review, the forward risk is that multiple large cycles land in the same window and compound the load. The organizations positioned to absorb that treat risk-based, exploitation-driven prioritization as standing infrastructure — the same posture short-clock mandates like CISA's BOD 26-04 already assume defenders can sustain.