On 14 July 2026, Microsoft released the largest Patch Tuesday update in its history, addressing
569 CVEs with 56 rated critical and 510 rated important
. For UK SMEs running Windows, Office, Exchange Server, SharePoint, or Azure services, this represents an urgent security event requiring immediate attention—particularly because
two of the vulnerabilities are already being exploited in the wild
.
This isn’t a routine monthly update. As the
Zero Day Initiative pointed out, this is “The Mother of All Releases” and “to call this record-breaking is an understatement”
. The sheer volume reflects Microsoft’s new AI-powered vulnerability scanning system, and
the tsunami could last for many months—possibly years, as Microsoft’s MDASH system actively analyses critical Windows components
.
If your business runs Microsoft systems—and nearly every UK SME does—here’s what you need to know and what to do this week.
Two Zero-Day Vulnerabilities Under Active Attack
The most urgent concern is the two vulnerabilities attackers are already exploiting:
CVE-2026-56155: Active Directory Federation Services Privilege Escalation
CVE-2026-56155 is an elevation of privilege vulnerability affecting Active Directory Federation Services with a CVSSv3 score of 7.8, exploited in the wild as a zero-day and credited to Microsoft’s own Detection and Response Team (DART)
.
Due to access control flaws, a user with low local privileges can elevate them to administrator level
.
If your business uses AD FS for single sign-on or federated identity—common in organisations using Microsoft 365 alongside on-premises Active Directory—this vulnerability allows an attacker who has already gained limited access to escalate to full administrative control.
The vulnerability has already been added to the CISA Known Exploited Vulnerabilities catalog
, confirming active exploitation.
CVE-2026-50661: Windows BitLocker Security Bypass
CVE-2026-50661 is a publicly-known security feature bypass vulnerability in Microsoft BitLocker, allowing an unauthorized attacker with physical access to bypass Windows BitLocker
.
This flaw allows an attacker with physical access to an affected system to bypass BitLocker’s Device Encryption feature and gain access to encrypted data
.
Whilst this requires physical access to a device, it’s a critical concern for businesses with laptops used by remote workers, devices taken off-site, or equipment awaiting secure disposal.
It’s very probable that this is a patch for the GreatXML vulnerability which Nightmare Eclipse announced the day after Patch Tuesday June 2026
, and
researchers already have public proof-of-concepts for the BitLocker flaw
.
Why This Release Breaks All Records
Microsoft is publishing 622 vulnerabilities on July 2026 Patch Tuesday, including a record-breaking 416 Windows vulnerabilities
. To put this in context,
this marks the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June
.
The breakdown is sobering.
Elevation of privilege (EoP) vulnerabilities accounted for 43.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.1%
. Products affected span the entire Microsoft ecosystem: Windows Server, Windows 10 and 11, Microsoft 365, Office 2016-2021, Exchange Server, SharePoint, SQL Server, Azure services, and even
Age of Empires II: Definitive Edition, where opening a malicious game scenario file without the patch for CVE-2026-50663 could enable an attacker to place malicious files in unexpected locations, potentially enabling code execution
.
Microsoft has fundamentally changed how it presents Patch Tuesday information.
Rapid7 experts note that the release notes no longer list CVEs individually; instead, there is a summary table organised by product families and a new section titled “Notable CVEs”
.
Critical Vulnerabilities UK SMEs Must Prioritise
Beyond the two actively exploited zero-days, several critical-severity vulnerabilities demand immediate attention:
- CVE-2026-48561 (Microsoft Copilot RCE):
A remote code execution vulnerability in Microsoft Copilot with a CVSS score of 9.6, exploitable by an unauthorized attacker to execute arbitrary code on affected systems - CVE-2026-55008 (Exchange Server Spoofing):
A spoofing vulnerability in Exchange Server with a CVSS score of 9.6; an attacker sends a specially crafted email and the victim simply opens it in OWA—and arbitrary JavaScript is executed in their session - CVE-2026-57092 (Windows VMSwitch VM Escape):
A critical security flaw in Windows VMSwitch that could be exploited by cybercriminals to escape a VM boundary and compromise the host machine - SharePoint Deserialization Flaws:
CVE-2026-50522 and CVE-2026-58644 (both CVSS 9.8)—a pair of RCE vulnerabilities in SharePoint servers involving deserialization of untrusted data, unauthenticated, and without user interaction - DHCP Server Vulnerabilities:
CVE-2026-50370 and CVE-2026-50518 are heap-based buffer overflows in the Windows DHCP Server service, exploitable by an unauthorized attacker over an adjacent network and over a network, respectively
If your business runs Exchange Server on-premises, hosts SharePoint, uses Hyper-V virtualisation, or operates Windows DHCP servers, these vulnerabilities represent remote code execution paths that attackers can exploit without user interaction.
How to Deploy July 2026 Updates Safely
The volume of fixes makes this month’s update both critical and potentially disruptive. Here’s a structured approach for UK SMEs:
1. Prioritise the Actively Exploited Vulnerabilities First
Deploy patches for CVE-2026-56155 (AD FS) and CVE-2026-50661 (BitLocker) immediately on production systems. These are confirmed as under attack and should take precedence over all other updates.
2. Test Before Wide Deployment
Organisations should conduct thorough testing before deploying patches widely on production systems; that said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponise newly reported vulnerabilities
.
If you have a test environment, deploy the updates there first and verify critical business applications still function. If you don’t have a test environment, consider deploying to a small subset of similar systems first before rolling out company-wide.
3. Back Up Systems Before Patching
A best practice is to make sure you have backed up systems before applying updates; every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases
.
This is particularly important given the record volume of changes. Ensure you have working backups and a tested restore process before beginning updates. Our article on Microsoft 365 backup strategies for small businesses covers best practices for cloud workloads.
4. Schedule Updates for Servers and Critical Infrastructure
Windows 10 versions 21H2 and 22H2 receive KB5099539, while Windows 11 splits between KB5101650 for 24H2 and 25H2, and KB5099414 for 23H2
. Server updates should be scheduled during maintenance windows with rollback plans in place.
For businesses running servers and workstations in production environments, coordinate with your IT support provider to schedule updates during low-usage periods.
5. Don’t Forget Office, Exchange, and SharePoint
Office got a split treatment this month: modern versions of the Microsoft 365 stack and Office 2021 each received 10 cumulative updates covering 82 flaws, whilst Office 2016 requires 18 individual patches for the exact same vulnerability count
.
If you’re still running Office 2016, you face a significantly more complex patching process. This is an opportune moment to review whether it’s time to move to a modern, supported version.
The Broader Context: Why Patch Volumes Are Exploding
This isn’t an anomaly.
At Microsoft, the reason is called MDASH—multi-model agentic scanning harness; a few days before the release, Microsoft officially acknowledged that its AI-powered vulnerability scanning system is actively analysing critical Windows components, and warned customers that the volume of updates in each release will only increase
.
For UK SMEs, this creates a permanent shift in patch management requirements.
If such patch releases become the norm, without a radical overhaul and automation of vulnerability management processes, security and IT teams will have nothing to do but apply updates; there are indications that this is the new normal
.
The organisations that will cope best are those with:
- Automated patch deployment processes with testing and rollback capabilities
- Clear prioritisation frameworks based on CISA KEV, CVSS scores, and asset criticality
- Tested backup and recovery procedures
- Managed IT support that monitors and applies security updates proactively
Our recent article on how UK SMEs should handle Microsoft’s record-breaking patch volumes in 2026 provides a detailed framework for managing this new reality.
Don’t Forget Related Security Measures
Whilst patching is critical, it’s not the only defensive measure UK businesses need:
- Multi-factor authentication: Essential for protecting against credential compromise, particularly for administrative accounts and cloud services
- Network segmentation: Limits lateral movement if an attacker does exploit a vulnerability
- Email security:
Phishing remains the dominant vector, identified by 38% of businesses, and among those breached, 51% experienced phishing only
. See our guide on spotting and stopping phishing emails in 2026 - Offline backups: Critical for ransomware protection, ensuring encrypted or deleted data can be restored
- Regular security reviews: Particularly of firewalls and security configurations
What This Means for Kent Businesses
The UK government reports that 43% of UK businesses identified a cyber security breach or attack in the last 12 months, equating to roughly 612,000 organisations
. With vulnerability volumes increasing and
over half of UK businesses having experienced a cyber-security breach in the past 12 months
, the gap between threat volume and SME defensive capability is widening.
For businesses in Kent and the South East, the practical challenge is clear: you cannot ignore a release containing 569 vulnerabilities, two of which are actively exploited. But deploying them safely requires planning, testing, and expertise.
This is where proactive IT support makes the difference between a managed security posture and a reactive scramble every Patch Tuesday. Automated deployment, staged rollouts, backup verification, and 24/7 monitoring ensure updates are applied safely whilst maintaining business continuity.
Get Expert Help with Patch Management
If you’re unsure whether your systems have been updated, concerned about potential disruption from such a large patch release, or simply want to ensure your business is protected against actively exploited vulnerabilities, Meridian Micro can help.
We provide comprehensive security and patch management services for businesses across Kent and the South East, ensuring updates are tested, deployed safely, and monitored continuously. Our proactive approach means critical security fixes are applied before attackers can exploit them—not after a breach occurs.
Call us on 01303 883111 to discuss your patch management requirements, or to arrange a security review of your current Windows, Office, and server infrastructure. With patch volumes at record levels and two zero-day vulnerabilities under active attack, now is the time to ensure your defences are current.
