Post -Patch Tuesday Roundup: July 2026 | Softcat
Skip to main content
Blog

Post -Patch Tuesday Roundup: July 2026

Softcat’s July 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco SAP, Ivanti, IBM, Fortinet, checkpoint, and Palo Alto as they release patches addressing a wide range of vulnerabilities across their respective platforms.

Post patch tuesday   new

Philip Odjidja

Vulnerability Engineer

Microsoft

Microsoft patched 570 CVEs in its July 2026 Patch Tuesday release, with 56 rated critical, 511 rated as important, and 3 rated as moderate. This marks the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June. This month’s release includes three zero-days, two of which were exploited in the wild.

Zero-day vulnerabilities

CVE-2026-56155 - An Elevation of Privilege Vulnerability affecting Active Directory Federation Services. It received a CVSSv3 score of 7.8 and is rated important. Microsoft notes that this flaw was exploited in the wild as a zero-day.  A local attacker can elevate privileges to administrator on an AD FS server.

CVE-2026-56164 – An elevation of privilege (EoP) vulnerability affecting Microsoft SharePoint Server. It has a CVSS v3 score of 5.3and is rated Moderate. Microsoft confirmed that the vulnerability was actively exploited in the wild as a zero-day before a patch was released. The flaw impacts Microsoft SharePoint Server 2016, SharePoint Enterprise Server 2016, *Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Successful exploitation allows an unauthenticated remote attacker to gain elevated privileges on vulnerable on-premises SharePoint servers. As a mitigation, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) integration, which can help detect and block malicious HTTP POST requests associated with exploitation attempts.

CVE-2026-50661 – A security feature bypass vulnerability affecting Windows BitLocker. It has a CVSS v3 score of 6.1 and is rated Important. The vulnerability was publicly disclosed before a patch became available and is classified by Microsoft's Exploitability Index as "Exploitation Less Likely." Although a public exploit exists, successful exploitation requires physical access to the target device, limiting the practicality of attacks in most environments.

Critical

This month’s updates included patches to address multiple CVEs affecting DHCP Server and Windows DHCP Client. Of the nine CVEs, these five CVE-2026-50518, CVE-2026-50370, CVE-2026-54128, CVE-2026-48564CVE-2026-56159 were rated as critical with a CVSS v3 score ranging from 9.8 to 8.4 and three were assessed as “Exploitation More Likely.”  The remaining four were rated as important and Exploitation Unlikely.

CVE-2026-48561 – A remote code execution flaw in Microsoft Copilot with a 9.6 CVSS threat score that allows an unauthorized attacker to execute code over the network. Microsoft says an attacker could exploit this bug by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site.

CVE-2026-55011 and CVE-2026-55012 are Microsoft Defender Remote Code Execution vulnerabilities that could allow an attacker to execute arbitrary code on affected systems by exploiting weaknesses in Microsoft Defender components. Successful exploitation may result in unauthorised code execution, potential compromise of system confidentiality and integrity, and disruption of endpoint security operations.

CVE-2026-55129, CVE-2026-55049, and CVE-2026-55045 are Microsoft Office vulnerabilities that could allow attackers to compromise affected Office applications through specially crafted files or malicious content. Successful exploitation may lead to unauthorised code execution, information disclosure, or impact to the confidentiality and integrity of user data.

Important

This month’s updates address 20 Windows Kernel Elevation of Privilege (EoP) vulnerabilities. The identified CVEs have CVSS v3 severity scores ranging from 4.7 to 9.3, with these six vulnerabilities CVE-2026-49798, CVE-2026-49795, CVE-2026-50332, CVE-2026-50423, CVE-2026-50436, CVE-2026-50390 assessed by Microsoft as “Exploitation More Likely.” These vulnerabilities could allow attackers to gain elevated privileges on affected systems, potentially enabling further compromise of system security.

CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 are vulnerabilities affecting supported on-premises Microsoft SharePoint Server versions, including Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Successful exploitation could allow cyber threat actors to gain unauthorized access, achieve remote code execution (RCE), and conduct post-exploitation activities such as stealing Internet Information Services (IIS) machine keys, leveraging deserialization techniques, maintaining persistence, and deploying malware within compromised environments.

Recent updates from other Vendors

Adobe's July security release  addressed 88 unique CVEs across 12 security bulletins covering products including ColdFusion, Commerce, Experience Manager, Premiere Pro, Illustrator, After Effects, Animate, Audition, Bridge, Media Encoder, Creative Cloud Desktop Application, and Content Credentials SDK. It also patched seven max-severity ColdFusion and Campaign flaws, including the ColdFusion flaw CVE-2026-48282, which was later exploited in attacks.

Cisco released security updates for multiple products, including Cisco Identity Services Engine (ISE), Catalyst Center, and ClamAV. The company also confirmed that CVE-2026-20230, a vulnerability patched in June, has been actively exploited in the wild.

Fortinet security release included six PSIRT advisories covering vulnerabilities across multiple products, including FortiOS, FortiPAM, FortiSandbox, FortiSASE, FortiProxy, and FortiAuthenticator.

Ivanti released security updates for two vulnerabilities in Ivanti Xtraction. CVE-2026-14903 and CVE-2026-14902. Affected versions 2026.2 and prior.

BeyondTrust released security updates for two critical authentication bypass flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software.

SAP released its July security updates, addressing multiple vulnerabilities, including four critical flaws affecting SAP NetWeaver, Commerce Cloud, and AppRouter.

VMware released security updates for VMware Avi Load Balancer, addressing multiple vulnerabilities, including authentication bypass and remote code execution flaws.

Palo Alto Networks released PAN-OS patch updates across multiple versions, including fixes and hotfixes for PAN-OS 10.2, 11.1, 11.2, and 12.1 branches, addressing security vulnerabilities and stability issues; review the applicable release notes before upgrading.

Check Point released security updates addressing multiple vulnerabilities, including critical and high-severity issues identified in its Security Advisories. Customers are advised to apply the latest hotfixes and patches, particularly for affected VPN and gateway deployments, to reduce security risks and maintain protection.

SonicWall released a security update  addressing two vulnerabilities affecting SMA 1000 Series appliances. The update covers CVE-2026-15409 – Server-Side Request Forgery (SSRF) Vulnerability (CVSS 10.0 Critical) and CVE-2026-15410 – Code Injection Vulnerability (CVSS 7.2 High) Both vulnerabilities affect SonicWall SMA 1000 Series appliances (including SMA 6210, SMA 7210, SMA 8200v, and CMS deployments) and were reported as being actively exploited in the wild.

As always, users are strongly advised to install the latest security updates as soon as they become available to ensure your systems remain protected against known vulnerabilities and potential cyber threats. Applying updates promptly helps reduce the risk of exploitation, improves overall system stability, and ensures continued protection against emerging security risks.