When AI starts finding bugs: Microsoft's 622-CVE Patch Tuesday is a triage problem, not just a patching one
Microsoft shipped 622 CVEs in a single Patch Tuesday on July 14, 2026. That is more than triple June's previous record of around 200, and nearly five times May's volume. Two of them are actively exploited zero-days. If you run a security operations team, you woke up to a triage queue that would have taken a month to work through just two years ago.
The exploited pair are CVE-2026-56155 and CVE-2026-56164. CVE-2026-56155 is an elevation-of-privilege vulnerability in Active Directory Federation Services with a CVSS base score of 7.8. An authenticated local attacker with standard user privileges can escalate to administrator. CVE-2026-56164 is an EoP flaw in on-premises SharePoint Server (CVSS 8.1) that threat actors are chaining with a deserialization vulnerability to steal IIS machine keys and achieve persistent code execution. CISA issued a dedicated advisory the same day naming this chain explicitly. Both belong in your emergency patching queue before anything else this week.
The record is not a bug, it is the new baseline
Microsoft has been running AI-assisted vulnerability discovery across the Windows codebase for the better part of the last 18 months. The output is catching up with the backlog. June's record of 200 CVEs was itself twice the prior year's average monthly pace. July's 622 is not an anomaly; it is what happens when automated discovery at scale reaches cruising speed.
This matters for how you approach triage, not just patching. Your current prioritization framework, probably a mix of CVSS scores, exploitability assessments, and asset criticality, was calibrated for a world where monthly patch volumes were in the dozens to low hundreds. At 622, the math breaks differently. You cannot read every advisory; you cannot manually check every affected system. Vendor-analyzed priority tiers become more valuable, not less. CrowdStrike's July analysis identifies EoP at 41% of the release and flags the two zero-days explicitly; Rapid7's Emergency Threat Response is similarly targeted.
What to actually prioritize this cycle
Beyond the two actively exploited zero-days, a few items stand out. CVE-2026-50661 is a BitLocker Device Encryption bypass (CVSS 6.1) requiring physical access. Lower operational priority for most organizations, but worth attention for environments where unattended devices are a realistic attack vector: branch offices, kiosks, and field hardware.
The broader category to watch is the 166 remote code execution vulnerabilities in this release. Not all will be practically exploitable, but RCE at that volume means some will be. Cisco Talos published Snort rules for prioritized July CVEs within hours of the Patch Tuesday release. If you run Snort or Suricata, pulling those signatures is a cheap defense-in-depth measure while patches are being staged.
The AD FS issue deserves a closer look
CVE-2026-56155 in AD FS deserves attention beyond its CVSS score. AD FS is authentication infrastructure. A privilege escalation there means an attacker who has already compromised a low-privilege account inside your network can potentially reach the credentials and session tokens that AD FS manages. The requirement for an authenticated local attacker is the limiting factor, not a comfort. Threat actors who are already inside a network via phishing, VPN credential theft, or an unpatched perimeter vulnerability routinely operate as low-privilege authenticated users before escalating. CVE-2026-56155 is exactly the kind of flaw they look for at that stage.
The practical read
Patch CVE-2026-56155 and CVE-2026-56164 this week, not this month. Check your SharePoint Server deployments against the CISA July 14 advisory and consider machine key rotation as a post-patch action. For the other 620 CVEs, use a vendor-analyzed priority tier rather than raw CVSS sorting. The volume is not going to decrease; the triage processes that worked at 100 CVEs per month need rethinking for a world where 600 is the new normal.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your team needs help thinking through patch prioritization frameworks for large-volume release cycles.