Full Report
Microsoft security advisory – July 2026 monthly rollup (AV26-698)
Analysis Summary
# Vulnerability: Microsoft July 2026 Monthly Rollup - Critical Exploitation
## CVE Details
- **CVE ID:** CVE-2026-56164 and CVE-2026-56155
- **CVSS Score:** Not explicitly listed in advisory (Typically 7.8 - 9.8 for KEV-listed items)
- **CWE:** Unknown (Likely Memory Corruption or Privilege Escalation based on typical Monthly Rollup profiles)
## Affected Systems
- **Products:**
- Microsoft Windows and associated components (via July 2026 Security Updates)
- Extensive list of Adobe products (After Effects, Animate, Audition, Bridge, Commerce/Magento, ColdFusion, Illustrator, Premiere Pro, etc.)
- **Versions:**
- Adobe After Effects (v25.6.5/v26.2.1 and prior)
- ColdFusion (2021, 2023, 2025 various updates)
- Adobe Commerce/Magento (Multiple versions)
- *Note: Specific Microsoft OS versions are covered under the "July 2026 Security Updates" umbrella.*
- **Configurations:** standard installations of the aforementioned software suites.
## Vulnerability Description
While the provided document highlights the release of the July 2026 monthly rollup, it specifically flags **CVE-2026-56164** and **CVE-2026-56155** as high-priority flaws. These vulnerabilities represent critical security gaps in Microsoft ecosystem components that allow for unauthorized actions. Given their immediate inclusion in the CISA KEV catalog, these flaws likely allow for Remote Code Execution (RCE) or significant Privilege Escalation.
## Exploitation
- **Status:** **Exploited in the wild.** Both CVE-2026-56164 and CVE-2026-56155 have been added to the CISA Known Exploited Vulnerabilities (KEV) Database.
- **Complexity:** Low (Typical for KEV-listed vulnerabilities)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Microsoft:** Apply the July 2026 cumulative updates via Windows Update or WSUS.
- **Adobe:** Update specific Creative Cloud and Enterprise applications to the following versions or higher:
- After Effects: 25.6.6 / 26.2.2
- ColdFusion 2025: Update 11+
- Illustrator 2026: v30.6+
- Bridge: 15.1.6 / 16.0.4
### Workarounds
- No specific workarounds are provided in the advisory; immediate patching is required due to active exploitation.
- Restrict network access to vulnerable services (e.g., ColdFusion admin interfaces and Magento backends) until patches are applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual child processes stemming from web servers (IIS) or Adobe-related background services.
- **Detection methods and tools:**
- Utilize vulnerability scanners updated with the July 14, 2026 definitions.
- Check CISA KEV catalog integration for security orchestration (SOAR) tools.
## References
- MSRC July 2026 Release Notes: hxxps[://]msrc[.]microsoft[.]com/update-guide/releaseNote/2026-Jul
- MSRC Security Update Guide: hxxps[://]msrc[.]microsoft[.]com/update-guide/en-us
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Government of Canada Advisory (AV26-698): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-security-advisory-july-2026-monthly-rollup-av26-698