TheVortiq
Automatización

Microsoft sets record with 622 security patches in a single Tuesday

The figure triples the previous record, driven by automation in vulnerability detection

July 16, 2026 · 4 min read

A security and privacy dashboard with its status.

TL;DR: Microsoft released 622 CVEs in a single Patch Tuesday, more than triple the previous record, with 58 critical and two active exploits. AI in bug detection is likely the cause, marking a new normal in cybersecurity.

What happened?

Last Tuesday's July 2026 Patch Tuesday, Microsoft released security updates for 622 vulnerabilities (CVEs) specific to its products, far surpassing the previous record of 206 from the month before, according to The Register. Additionally, 428 Chromium CVEs affecting Edge were included but do not count toward Microsoft's total. Of the 622, 58 are critical, two are under active exploitation, and one has been publicly disclosed. This milestone triples the previous record, surprising the security community and sparking intense debate about the underlying causes.

Notable vulnerabilities

Among the actively exploited ones are CVE-2026-56155, an elevation of privilege in Active Directory Federation Services (ADFS) with a CVSS of 7.8, allowing a local attacker to gain administrator privileges due to insufficient granularity in access control. The second, CVE-2026-56164, is another elevation of privilege in SharePoint with a CVSS of 5.3, enabling an unauthenticated attacker on the network to elevate their permissions in SharePoint. The public vulnerability is CVE-2026-50661, which allows physical bypass of BitLocker with local access, potentially compromising data on lost or stolen devices. In the critical category, CVE-2026-48561 stands out, a remote code execution in Copilot with a CVSS of 9.6 that can be exploited without user interaction, making it a particularly serious threat. Also patched were 16 remote code execution flaws in Office, with CVSS 7.8, and other vulnerabilities in Exchange, Windows, .NET, and Visual Studio. In total, the 58 critical ones cover multiple attack vectors, from RCE to spoofing and denial of service.

Why is this important?

The magnitude of the patch triples the previous record, suggesting that artificial intelligence applied to bug hunting is accelerating vulnerability detection. Microsoft did not confirm the use of AI, but the security community takes it for granted given the unprecedented volume. This means companies must update their patch management processes to handle massive volumes regularly, increasing operational load and risk if not prioritized correctly. Historically, Patch Tuesdays have been growing in size, but this jump is exponential: in January 2020, Microsoft patched 49 CVEs; in 2023, it hovered around 100; and now 622. This could mark a turning point where automation in vulnerability detection generates a patch overload that saturates IT teams.

Consequences for businesses and users

Organizations must urgently implement patches, especially the two active exploits and the public vulnerability. The high number of critical flaws in widely used products like Office, Exchange, and Copilot requires a risk-based approach. IT administrators will need to automate patch deployment and improve visibility of their software inventory. For users, the risk of attacks increases if they don't update; the exploitation of Copilot without user interaction is particularly concerning, as it could allow malicious code execution on machines without clicks. Additionally, small and medium-sized businesses, with fewer resources, may be especially affected if they cannot keep up with patching. The economic impact is also relevant: downtime for applying patches and potential security breaches can lead to millions in losses.

Context and trends

This event confirms the trend toward massive patches, similar to what happened with the acceleration of AI in development. The industry must adapt: traditional patching windows, like monthly patching, may be insufficient. It is recommended to adopt automated patching tools and intelligent prioritization. Microsoft has not indicated whether this will be the new norm, but all signs point to yes, given the steady increase in the number of reported CVEs. Comparatively, in 2024, the monthly average was 90 CVEs; now it exceeds 600. This could lead to a change in Microsoft's strategy, such as introducing out-of-cycle patches or grouping by criticality. The security community is also debating whether AI is generating false positives or if there really are that many new vulnerabilities. In any case, the pressure on security teams is enormous.

Recommendations

  • Install the July 2026 patches as soon as possible, prioritizing active exploits (CVE-2026-56155 and CVE-2026-56164) and the public vulnerability (CVE-2026-50661).
  • Review the configuration of ADFS, SharePoint, BitLocker, Exchange, and Copilot, applying any additional mitigations Microsoft may have provided.
  • Assess the IT team's capacity to handle recurrent massive patches and consider automation through tools like WSUS, SCCM, or third-party solutions.
  • Implement a risk-based prioritization process using CVSS and known exploitability.
  • Stay informed about future Patch Tuesdays, which may follow this trend, and prepare rapid response plans.
  • For home users, ensure Windows Update is set to install updates automatically.

Keep reading