Microsoft’s July 2026 Patch Tuesday was the largest in the program’s history: 569 CVEs addressed in a single release, including 56 rated critical and three zero-days already under active exploitation. For Windows Server administrators, this month is less about routine maintenance and more about triage. Here is what to prioritize.

Zero-Days Under Active Exploitation
Two vulnerabilities stand out because Microsoft confirmed active exploitation before the patch shipped.
CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services (AD FS), rated important with a CVSS score of 7.8. Microsoft credits its own Detection and Response Team with catching exploitation in the wild; a successful attack grants administrator privileges. Any server running AD FS should be patched immediately.
CVE-2026-56164 affects Microsoft SharePoint Server (2016, 2019, and Subscription Edition) and was also exploited as a zero-day, though rated moderate at CVSS 5.3. Microsoft notes that AMSI integration can help detect malicious POST requests as a mitigation while patches are rolled out.
BitLocker Bypass With Public Exploit Code
CVE-2026-50661 is a security feature bypass in Windows BitLocker, CVSS 6.1, rated important. Exploit code was publicly disclosed before a patch was available, and it may be linked to the previously disclosed “GreatXML” BitLocker bypass. Microsoft assesses exploitation as less likely since it requires physical access to the device, but organizations with high-value laptops or servers in less controlled locations should not delay this patch.
Critical Remote Code Execution Flaws
CVE-2026-55944 affects Microsoft Dynamics NAV and Dynamics 365 Business Central (on-premises), CVSS 9.8, rated critical and assessed as “exploitation more likely.” No authentication or user interaction is required; a crafted login request alone can trigger the vulnerability through unsafe deserialization.
Windows DHCP Server and DHCP Client also received a batch of nine CVEs this month, five of them critical, covering remote code execution, elevation of privilege, and denial of service. CVE-2026-50518 (DHCP Server RCE, CVSS 9.8) and CVE-2026-50370 (DHCP Server Service RCE, CVSS 8.8) are the two most severe in that group. Any domain-joined server running the DHCP role should be patched as a priority.
Kerberos RC4 Hardening Reaches Final Enforcement
This release completes the multi-year rollout of Kerberos RC4 hardening. Audit mode has been removed, leaving Enforcement mode as the only supported behavior for RC4 usage on Windows domain controllers. Environments that still have legacy applications or devices depending on RC4 encryption types should confirm they have migrated to AES before this update lands, since there is no longer a monitoring-only fallback.
Other Notable Changes
Hotpatching for Windows Server on Azure is now generally available, letting eligible servers apply certain security updates without a reboot. This release also includes TDI transport hardening and a bundled upgrade of curl to version 8.21.0.
Recommended Actions
Given the scale of this release, prioritize in this order: patch AD FS and SharePoint servers first given confirmed zero-day exploitation, then Dynamics NAV/Business Central and DHCP servers given critical RCE ratings, then BitLocker-enabled devices, and finally confirm Kerberos RC4 dependencies are resolved before the enforcement change takes effect. Standard patch management practices still apply: test in a staging environment where possible, but do not let testing delay deployment of the zero-day fixes.



