Microsoft has unveiled its monthly security update for July 2026, addressing a staggering 622 vulnerabilities across various products. Among these, 57 vulnerabilities have been classified as “critical,” underscoring the urgency for businesses to prioritize their cybersecurity measures.
Critical Vulnerabilities and Their Implications
Of particular concern are two vulnerabilities that have already been exploited in the wild. The first, CVE-2026-56155, is an elevation of privilege vulnerability within Active Directory Federation Services (AD FS), stemming from insufficient granularity in access control. This flaw could allow an authorized attacker to escalate their privileges locally. The second, CVE-2026-56164, affects Microsoft SharePoint Server and is characterized by missing authentication for a critical function, enabling unauthorized attackers to spoof network communications.
The breakdown of the 57 critical vulnerabilities reveals a predominant risk associated with remote code execution (RCE), which accounts for 48 of the entries. Other categories include seven elevation of privilege (EoP) vulnerabilities, one spoofing vulnerability, and one security feature bypass vulnerability.
Scope of Remote Code Execution Vulnerabilities
The critical RCE vulnerabilities impact a wide array of Microsoft services and applications, including:
- Windows Media and Media Foundation
- Windows DHCP client and server services
- Microsoft Office suite (Word, Excel, PowerPoint)
- Windows GDI and GDI+
- DirectX Graphics Kernel
- Microsoft SQL Server
- Windows Print Spooler
- Microsoft Dynamics NAV and Dynamics 365 Business Central
- Minecraft Bedrock Dedicated Server
Among these, eleven RCE vulnerabilities have been rated as “more likely” to be exploited. For instance, CVE-2026-50370 and CVE-2026-50518 are heap-based buffer overflows in the Windows DHCP Server service, while CVE-2026-54128 represents a use-after-free vulnerability in the Windows DHCP client.
Additional Vulnerabilities of Note
Microsoft Office applications are notably affected, with several vulnerabilities identified, such as CVE-2026-50314 and CVE-2026-55022, which can be triggered by opening specially crafted documents. Furthermore, critical vulnerabilities extend to cloud services, including Microsoft Copilot and Azure offerings, although exploitation likelihood ratings have not been assigned for these.
In addition to the critical vulnerabilities, Talos has highlighted several “important” vulnerabilities that are deemed more likely to be exploited, such as:
- CVE-2026-49170: Elevation of privilege in Windows StateRepository API Server
- CVE-2026-49795: Windows Kernel elevation of privilege
- CVE-2026-50325: Elevation of privilege in Microsoft DWM Core Library
Response and Mitigation Strategies
In light of these vulnerabilities, Talos is rolling out a new Snort ruleset designed to detect attempts to exploit these weaknesses. Cisco Security Firewall customers are encouraged to update their ruleset to the latest version, while open-source Snort Subscriber Ruleset customers can access the most recent rule pack available for purchase on Snort.org.
Snort 2 rules included in this release cover a range of vulnerabilities, while additional Snort 3 rules are also available, ensuring comprehensive protection against potential exploits.