anagnorisis.cloudSign in

← Hourlies

Hourly ·

Microsoft Shatters Patch Record With 570 Security Fixes, AI Driving the Surge

Microsoft's July 2026 Patch Tuesday delivers a record-smashing 570 vulnerability fixes — nearly triple last month's record — as AI-powered discovery reshapes the security landscape on both offense and defense.

Microsoft Shatters Patch Record With 570 Security Fixes, AI Driving the Surge
Image: Jelson25, Public domain (license)

Microsoft dropped its largest-ever Patch Tuesday update on July 14, shipping fixes for a staggering 570 security vulnerabilities across Windows and its broader software ecosystem. The total nearly triples the previous record set just last month, a pace Microsoft executives say is directly attributable to AI-powered vulnerability discovery.

Of the 570 flaws addressed, 59 earned a "critical" severity rating — meaning attackers could seize remote control of unpatched Windows devices with little to no user interaction. Three of the patched vulnerabilities are zero-days already being exploited in the wild.

The actively exploited zero-days include CVE-2026-56155, an elevation-of-privilege flaw in Active Directory Federation Services, and CVE-2026-56164, a SharePoint vulnerability that grants attackers administrative access. A third, CVE-2026-50661, is a BitLocker security feature bypass that could expose encrypted data to anyone with physical access to the device, though Microsoft says it has not yet seen active exploitation.

Microsoft Executive Vice President Pavan Davuluri acknowledged the shift in a July 9 blog post, writing that Windows users should expect "a higher volume of security updates included in each security release" as AI accelerates vulnerability discovery. "The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code," Davuluri said.

But the AI arms race cuts both ways. Jack Bicer of Action1 flagged CVE-2026-48561, a remote code execution bug in Microsoft Copilot carrying a near-maximum 9.6 CVSS score. An attacker could exploit it simply by hosting a malicious website that triggers crafted prompts when a user visits in Edge for Android.

The offensive side of AI is equally concerning. Satnam Narang of Tenable pointed to recent research from Anthropic, whose Mythos Preview model produced working proof-of-concept exploits for 13 of 14 vulnerabilities that Microsoft's own exploitability index had rated "Exploitation Less Likely" or "Exploitation Unlikely." As Narang put it, "Our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools."

The surge is not limited to Microsoft. Adobe announced it is moving to twice-monthly security bulletins, also citing AI for accelerating patch cycles. Google shipped over 900 security fixes in June alone, while Cisco, Mozilla, and Oracle have all increased update cadence.

Security experts recommend backing up systems before applying the updates and, given the volume, suggest waiting a few days for any stability issues to surface before deploying across production environments.

Sources: Krebs on Security, BleepingComputer

More Hourlies Stories

Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.

More from Anagnorisis