Technology

Microsoft issues record patch Tuesday release with multiple zero-days

The software giant addressed between 569 and 622 vulnerabilities on 14 July, including three zero-days two of which were already under active attack. UK organisations and households face a clear choice between prompt patching and sustained exposure.
Listen
AI-generated image: Microsoft issues record patch Tuesday release with multiple zero-days
AI-generated image for illustrative purposes.
Intelligent summary
  • Microsoft released its largest Patch Tuesday update on record, addressing between 569 and 622 vulnerabilities.
  • Three zero-day flaws were fixed, two of which were already being exploited in the wild in Active Directory Federation Services and SharePoint Server.
  • The updates underscore the importance of prompt patching by UK organisations and individuals rather than dependence on external mandates.

Microsoft deployed its July security updates on 14 July, fixing between 569 and 622 vulnerabilities according to varying tallies used by researchers.

Three of those flaws were zero-days. Two had already been exploited in the wild. The scale marks the largest Patch Tuesday release on record.

The exploited vulnerabilities were both elevation-of-privilege flaws. One resided in Active Directory Federation Services, tracked as CVE-2026-56155. The second affected SharePoint Server under CVE-2026-56164. A third zero-day, CVE-2026-50661, represented a publicly disclosed bypass of Windows BitLocker that could expose encrypted data when an attacker gained physical access to a device.

The updates span Windows, SharePoint and multiple supporting components. Such breadth reflects the persistent discovery rate of security issues inside the software that underpins both enterprise networks and home computers across the UK.

Timely patching as first line of defence

Organisations that delay deployment leave themselves open to attacks that are already circulating. Households running Windows machines encounter the same calculus. The record volume of fixes does not signal catastrophe so much as the ordinary mechanics of widely used code: vulnerabilities surface, vendors respond, users must act.

This reality rewards individual and institutional vigilance. Administrators who maintain disciplined update schedules reduce their attack surface without waiting for regulatory edict. That pattern of private-sector correction, followed by user responsibility, has repeatedly proven more agile than top-down mandates.