Security analysts are struggling to reckon with the sheer volume of common vulnerabilities and exposures (CVEs) addressed in Microsoft’s July Patch Tuesday update, which contains fixes for at least 600 flaws, rising to well over 1,000 when Chromium and Chromium Edge issues are counted.
With the latest drop obliterating last month’s record, which in turn blew the previous record to pieces, attention is focusing less on the most immediately addressable flaws, and more on the artificial intelligence (AI) induced crisis in vulnerability and patch management.
Action1 director of vulnerability research, Jack Bicer, said: “Microsoft has warned that organisations should expect security updates to become more frequent as the company expands its use of AI to uncover vulnerabilities and accelerate patch development, while continuing to rely on human engineers for final validation and release decisions.
“For defenders, this means the challenge is no longer just keeping up with attackers, but also keeping pace with an accelerating stream of security fixes. With three zero-days already being exploited in the wild, this month’s updates should be treated as a high priority.”
Ivanti vice president of security product management, Chris Goettl, said it was not just Microsoft facing the pain: “In general, the Patch Apocalypse continues to drive a faster pace for detection of high-risk exposures and fast and continuous remediation capabilities.”
Goettl noted that besides Microsoft’s rapidly-growing updates, Adobe is now shifting from monthly to twice-monthly update bulletins, as has Cisco, while Mozilla is now on a weekly update cadence, as is Google. Additionally, last month the US Cybersecurity and Infrastructure Security Agency (Cisa) lowered the remediation target for the highest-risk flaws in its Known Exploited Vulnerabilities (Kev) catalogue to just 72 hours.
However, Nick Carroll and Rain Baker of Nightwing’s ShadowScout Team said the term Patch Apocalypse was unhelpful.
“We think it should be seen as a healthy evolution in software security. As AI tools help vendors like Microsoft, Adobe, SAP, and Oracle discover more issues, customers will naturally see a higher volume of security updates,” they wrote.
“We urge organisations to move away from rigid, time-based patching schedules and adopt continuous, risk-based workflows. Leverage tools like Microsoft Intune and Azure Update Manager, automate your updates where possible, and always prioritise actively exploited vulnerabilities first.
“By mapping your specific risk landscape and relying on timely vendor releases, your organisation can stay ahead of the curve, secure your vital data, and thrive in this new era of threat intelligence,” they said.
Goettl also shared some words of advice for security teams. “Consider shifting to a more continuous remediation approach if you have not already done so. The continued increase in both CVE discovery and update frequency due to AI accelerated vulnerability discovery is going to continue to increase and regulatory pressure to resolve highest-risk exposures in a matter of days to hours will become the new normal,” he said.
“[Also], update your browsers! All of them. They are on a weekly basis at this point, but consider checking for and updating twice a week, if not daily, to reduce the exploit window for known exploited vulnerabilities.”
Not just an AI problem
But nor is AI is the only disruptor in play, as Rapid7 principal software engineer Adam Barnett pointed out: “After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026. As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond.
“Pseudonymous researcher Nightmare Eclipse dropped another Defender elevation of privilege vulnerability in the hours following Patch Tuesday June 2026, which Microsoft subsequently published and patched as CVE-2026-50656, along with a terse acknowledgement of the vulnerability’s celebrity nickname of RoguePlanet,” said Barnett.
“Recently, Nightmare Eclipse has given conflicting estimates of what sort of surprises Microsoft can expect today, as well as claiming that the CVE-2026-50656 patches introduce a new avenue for a disk exhaustion attack. Today, a new proof of concept for a further vulnerability nicknamed LegacyHive has emerged from the same source, which appears to allow a non-privileged user to mount another user’s user hive.”
Zero-days
Amid the chaos, three zero-days – two of them exploited in the wild – stand out. These are CVE-2026-50661, a security feature bypass (SFB) flaw in Windows BitLocker, CVE-2026-56155, an elevation of privilege (EoP) flaw in Active Directory Federation Services, and CVE-2026-56164, another EoP flaw in Microsoft SharePoint Server.
As usual, the Action1 team ran the rule over the impact of the latest zero-day flaws. Company president and co-founder, Mike Walters, explained how the BitLocker flaw could enable an unauthorised attacker with physical access to a device to defeat the device encryption features, gaining access to data stored on encrypted system drives.
“The vulnerability does not impact system availability but has a high impact on both confidentiality and integrity of protected data. Organisations relying on BitLocker to protect sensitive information on laptops, desktops, and servers face an increased risk if devices are lost, stolen, or accessed by unauthorised individuals,” said Walters.
“A successful attack could expose confidential business data, regulated information, intellectual property, or credentials that organisations expect to remain protected by disk encryption. Systems deployed in remote locations or shared environments may be particularly vulnerable.”
Turning to CVE-2026-56155 in Active Directory Federation Services, Action1’s Bicer described how insufficient granularity of action control would allow an attacker who has authorised to the affected system to elevate to admin rights and take complete control of it.
“Once elevated, an attacker could execute privileged commands, modify system settings, install malicious software, create additional administrative accounts, or disable security controls,” said Bicer. “In environments using AD FS for authentication and identity services, administrator-level compromise can lead to unauthorised access to sensitive business resources, disruption of critical services, deployment of ransomware, theft of credentials, and broader compromise of enterprise infrastructure.”
And finally, Action1 CEO and co-founder Alex Vovk addressed the SharePoint Server flaw, which stems from a missing authentication issue allowing an unauthenticated attacker to elevate their privileges over the network. Since it is remotely exploitable and needs to user interaction, attackers can also target vulnerable servers directly.
“An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation,” said Vovk. “Organisations using SharePoint for document management, collaboration, and business workflows face increased risk if vulnerable servers are exposed.
“With elevated privileges, attackers can modify SharePoint content, compromise collaboration environments, and establish a foothold for further attacks against enterprise infrastructure. Since SharePoint often stores sensitive corporate information, compromise of these systems can have significant operational and security consequences.”

