At a glance: Microsoft's July 2026 security updates addressed 622 vulnerabilities, including multiple SharePoint flaws, an exploited Active Directory Federation Services (AD FS) privilege escalation vulnerability, and a critical Hyper-V vulnerability that could allow a threat actor to break out of a virtual machine and gain access to the host system.
Microsoft confirmed exploitation of CVE-2026-56164 and later updated CVE-2026-58644 to indicate active exploitation, while CISA urged organizations to immediately patch and harden SharePoint environments due to ongoing attacks targeting supported on-premises deployments.
Threat summary
On July 14, 2026, Microsoft released security updates addressing 622 vulnerabilities across Windows, Microsoft Office, SharePoint Server, Active Directory Federation Services (AD FS), Exchange Server, Azure components, SQL Server, and other products.
One of the exploited vulnerabilities, CVE-2026-56155, affects AD FS, Microsoft's identity federation platform that provides single sign-on (SSO) and trust relationships between on-premises and cloud applications. Microsoft describes the issue as an elevation of privilege vulnerability caused by insufficient access control restrictions. An authorized threat actor could exploit the flaw to gain administrator privileges on a vulnerable system.
Microsoft also reported prior exploitation of CVE-2026-56164, an elevation of privilege vulnerability affecting SharePoint Server. SharePoint is widely used to store documents, host internal portals, and support business workflows. Security researchers reported that the vulnerability is remotely exploitable and does not require authentication, increasing the risk to internet-facing deployments. On July 14, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to immediately patch and harden SharePoint environments after observing active exploitation of multiple SharePoint vulnerabilities affecting supported on-premises SharePoint Server versions.
On July 15, Microsoft updated the advisory for another SharePoint vulnerability, CVE-2026-58644 (CVSS 9.8), to indicate that exploitation had been detected in the wild. The vulnerability is a remote code execution flaw caused by the deserialization of untrusted data and allows an unauthenticated threat actor to execute code remotely on a vulnerable SharePoint server.
CISA's alert also highlighted the risk posed by CVE-2026-55040 (CVSS 9.1), an authentication bypass vulnerability that allows a remote threat actor to impersonate SharePoint users, including administrators. Researchers demonstrated that it could be used to gain access as an authenticated SharePoint user and then chained with a separate vulnerability to achieve unauthenticated remote code execution. Microsoft patched CVE-2026-55040 in July 2026, while a fix for the remote code execution vulnerability used in the research chain is scheduled for August 2026. Microsoft assessed CVE-2026-55040 as more likely to be exploited, and CISA urged organizations to prioritize patching and hardening SharePoint deployments in response to the growing exploitation activity targeting the platform.
Researchers also highlighted several other critical vulnerabilities that warrant attention. Among them is CVE-2026-57092 (CVSS 9.9), which affects the Windows Virtual Machine Switch (VMSwitch), the Hyper-V component responsible for connecting virtual machines to networks. A threat actor who gains the ability to run code within a guest virtual machine could send a specially crafted network request through VMSwitch to trigger a use-after-free condition on the host. Successful exploitation could result in denial of service or allow the threat actor to escape the virtual machine boundary and gain elevated privileges on the host system, creating a potential path from a compromised guest workload to the underlying Hyper-V infrastructure.
Analysis
Organizations running SharePoint Server Subscription Edition, SharePoint Server 2016, or SharePoint Server 2019 are advised to prioritize deployment of Microsoft's July 2026 SharePoint security updates, including fixes for CVE-2026-56164, CVE-2026-58644, and CVE-2026-55040. Given Microsoft's confirmation of exploitation and CISA's warning, patch validation and verification of successful installation are high-priority activities.
Review SharePoint servers for signs of compromise, particularly unauthorized administrator activity, unexpected web shells, suspicious processes, and modifications to SharePoint application files. CISA also recommends rotating Internet Information Services (IIS) machine keys after completing threat hunting activities because threat actors have been observed targeting those keys during SharePoint intrusions.
Enable Antimalware Scan Interface (AMSI) integration for SharePoint and operate SharePoint web applications with full request-body scanning where possible. Expand logging and monitoring coverage to improve visibility into exploitation attempts and post-compromise activity.
Reduce exposure of SharePoint environments by placing servers behind application-layer security controls, restricting access to SharePoint Central Administration, limiting administrative access paths, and ensuring only required systems can communicate with SharePoint databases and management interfaces. Internet-facing SharePoint deployments warrant immediate review.
For organizations using Hyper-V, apply Microsoft's updates for CVE-2026-57092 and review virtual machine isolation controls. Environments hosting untrusted, third-party, customer, or developer workloads on shared Hyper-V infrastructure face the highest risk because exploitation requires code execution within a guest virtual machine. Separating high-value workloads from lower-trust virtual machines reduces the impact of a successful compromise.