Microsoft’s July 2026 Patch Tuesday dropped today with a number that should reframe how you think about software security: 570 vulnerabilities patched in a single release. That’s not a rough estimate — it’s a record, up 316% from July 2025’s 137, and Microsoft has already told you to expect more. Three of these were zero-days. Two were already being exploited in the wild before the patch dropped. And the engine driving this surge isn’t a bigger security team. It’s AI.
The Two You Need to Patch Today
Before the context, the action: two actively exploited zero-days demand immediate attention.
CVE-2026-56164 is a SharePoint Server privilege escalation that CISA added to its Known Exploited Vulnerabilities catalog on July 14 — the day before this patch dropped. An unauthenticated attacker can hit it over the network, no user interaction required. CVSS rates it 5.3 (Moderate) — ignore that number. Active campaigns are using it to steal IIS machine keys and deploy malware on SharePoint servers. It affects all supported versions: 2016, 2019, and Subscription Edition.
CVE-2026-56155 hits Active Directory Federation Services and was discovered by Microsoft’s own Detection and Response Team — meaning they found it while responding to actual attacks. Successful exploitation hands an attacker administrative privileges. If your identity infrastructure runs ADFS, this is not optional.
A third zero-day, CVE-2026-50661 (BitLocker security bypass), was publicly disclosed before patches were ready. It requires physical access, so the urgency is lower — but it belongs on your list. Additionally, two Windows DHCP vulnerabilities (CVE-2026-50518 and CVE-2026-56159) both rate CVSS 9.8 and are flagged “Exploitation More Likely.” A Dynamics NAV/Business Central flaw (CVE-2026-55944) is also CVSS 9.8, exploitable with no authentication via a crafted login request.
Why 570? Meet MDASH
The reason this Patch Tuesday looks nothing like any before it is a system Microsoft first detailed in May 2026: MDASH — the Multi-model Agentic Scanning Harness. It runs multiple AI models against Windows binaries, validates findings automatically to filter false positives, then routes confirmed vulnerabilities to human engineers who review and approve fixes before anything ships.
MDASH explains the surge. According to BleepingComputer’s reporting on Microsoft’s AI security plans, the company has been explicit: “As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release.” Through July 2026, Microsoft has already patched 1,308 vulnerabilities — compared to 680 in the same period last year. That’s a 92% year-to-date increase with no signs of slowing.
There’s an uncomfortable implication buried here. 570 bugs in Windows doesn’t mean Windows suddenly got much worse. It means AI is finding vulnerabilities that were always present — bugs that human researchers simply weren’t locating fast enough. The software you shipped last year likely has dozens of undiscovered vulnerabilities. We’re only now getting the tooling to see them. This isn’t a new wave of insecurity — it’s finally seeing clearly what was always there. For a related example of AI-assisted vulnerability discovery used against developers, see Cursor IDE’s unpatched git.exe RCE, which stayed hidden for months before full disclosure.
Your Patching Window Just Shrunk to Three Days
Microsoft has updated its patching guidance, and the new target is jarring: deploy updates within three days, not the thirty that most enterprise environments have been operating on. The reasoning is blunt — AI can take an unpatched vulnerability and produce a working exploit in hours, not weeks. The window between public disclosure and active exploitation has collapsed from days to hours across the industry.
If your organization runs a monthly patch cycle, that’s now a liability. Microsoft now recommends deferral periods of less than three days with a maximum grace period of two days. This isn’t aspirational guidance — it’s a response to measured exploitation timelines that AI has fundamentally changed.
Microsoft Is Not Alone
The day before Patch Tuesday, Adobe announced it’s moving to twice-monthly security bulletins — published on the second and fourth Tuesday of each month. Adobe’s CSO Aanchal Gupta cited the same dynamic: AI is compressing the window between vulnerability disclosure and active exploitation “from days to hours.” Adobe’s first batch under the new schedule included 88 CVEs, with seven rated CVSS 10.0 in ColdFusion and Campaign Classic. Moreover, CISA’s active exploitation warnings on SharePoint — parallel to a spate of AI-coded malware hitting developers — signal that this is an industry-wide inflection, not a Microsoft-specific spike. Earlier this month, Langflow became CISA’s first AI agent added to KEV, underscoring the accelerating pace.
What to Do Now
Prioritize in this order: the two CISA-confirmed exploited zero-days (SharePoint CVE-2026-56164 and ADFS CVE-2026-56155) first. Don’t let the Moderate CVSS score on SharePoint cause you to deprioritize it — real-world severity and CVSS scores are increasingly misaligned when unauthenticated network access is in play. Next, address the CVSS 9.8 RCEs in DHCP and Dynamics. Then, work through the 59 Critical-rated vulnerabilities systematically, prioritizing remote code execution over elevation of privilege.
Longer term, your patch deployment cadence needs to move from quarterly or monthly toward continuous. The full breakdown of all 570 CVEs is available on BleepingComputer. The industry is telling you this directly. Microsoft says three days. AI agrees — just from the other side of the table.













