Full Report
Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are
Analysis Summary
# Vulnerability: Active Exploitation of SharePoint and AD FS Elevation of Privilege
## CVE Details
- **CVE ID:** CVE-2026-56164 (SharePoint), CVE-2026-56155 (AD FS), CVE-2026-50661 (BitLocker), CVE-2026-55040 (SharePoint JWT)
- **CVSS Score:**
- CVE-2026-56164: Rated "Low/Medium" by Microsoft (No specific score provided in text)
- CVE-2026-55040: 5.3 (Rapid7) / 9.1 (ZDI)
- **CWE:** Not specified (Focus on Elevation of Privilege and Auth Bypass)
## Affected Systems
- **Products:** Microsoft SharePoint Server, Active Directory Federation Services (AD FS), Windows (BitLocker)
- **Versions:**
- SharePoint Server 2016 and 2019 (Note: These reached End of Extended Support on July 14, 2026).
- All versions using AD FS for identity federation.
- **Configurations:**
- Local access for the AD FS flaw.
- Network access for the SharePoint flaw.
- Kerberos RC4-dependent environments (Impacted by hardening).
## Vulnerability Description
This summary covers the record-breaking July 2026 Patch Tuesday (622 CVEs). Two primary zero-days are under active attack:
1. **CVE-2026-56164:** A SharePoint elevation of privilege flaw allowing unauthenticated attackers to escalate privileges over the network.
2. **CVE-2026-56155:** An AD FS flaw involving weak access controls that allows authenticated attackers to escalate privileges on the identity provider server.
3. **CVE-2026-55040:** A JWT authentication bypass in SharePoint. While patched, it is half of an unauthenticated RCE chain (the RCE half is expected in August 2026).
## Exploitation
- **Status:** **Exploited in the wild** (CVE-2026-56164 and CVE-2026-56155); Publicly disclosed (CVE-2026-50661).
- **Complexity:** Low (SharePoint); Not specified for others.
- **Attack Vector:**
- Network (SharePoint)
- Local (AD FS)
- Physical (BitLocker)
## Impact
- **Confidentiality:** High (Access to document stores and identity signing tokens).
- **Integrity:** High (Privilege escalation).
- **Availability:** Not the primary impact focus.
## Remediation
### Patches
- Apply the July 14, 2026, Microsoft Security Updates immediately.
- **Critical Note:** SharePoint 2016 and 2019 have reached end-of-life and lack a paid Extended Security Update (ESU) program. Migration is required.
### Workarounds
- **SharePoint:** Enable Antimalware Scan Interface (AMSI) in **Full Mode** on the server to blunt attacks against CVE-2026-56164.
- **Kerberos:** Ensure environments are no longer reliant on RC4, as the "rollback switch" (RC4DefaultDisablementPhase) has been removed.
## Detection
- **Indicators of Compromise:** Monitor for unusual elevation of privilege events on SharePoint servers and AD FS infrastructure.
- **Detection methods and tools:** Audit logs for identity token signing on AD FS and document access anomalies in SharePoint.
## References
- hxxps://msrc.microsoft.com/update-guide/releaseNote/2026-Jul
- hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164
- hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155
- hxxps://www.rapid7.com/blog/post/ve-cve-2026-55040-microsoft-sharepoint-jwt-token-authentication-bypass-fixed/