Microsoft’s July 2026 Patch Tuesday delivered fixes for a record 622 vulnerabilities — including two actively exploited zero-days in Active Directory Federation Services and SharePoint Server — while CISA added five flaws to its Known Exploited Vulnerabilities catalog and security researchers disclosed an unpatched code execution bug in the AI coding tool Cursor affecting more than 7 million users.
Microsoft’s Record 622-Vulnerability Patch Round
Microsoft’s July 2026 Patch Tuesday is the largest single-month release on record, covering 622 vulnerabilities across Windows, Office, Azure, Exchange Server, Edge, Defender, and SQL Server. SecurityWeek reported that Windows alone received fixes for 416 vulnerabilities, while the Office suite accounted for 164 patches.
Two bugs were confirmed exploited in the wild before patches shipped. The first, CVE-2026-56155, affects Active Directory Federation Services (AD FS) and allows local privilege escalation to administrator. The second, CVE-2026-56164, is a SharePoint Server flaw exploitable over the network without authentication — also leading to privilege escalation.
A third vulnerability drawing attention is CVE-2026-50661, a BitLocker security feature bypass requiring physical access that was publicly disclosed before Patch Tuesday. Tenable senior staff research engineer Satnam Narang commented that the disclosure “could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made.”
Zero Day Initiative (ZDI) flagged additional critical flaws deserving priority attention:
- CVE-2026-57092 — Windows VMSwitch (CVSS 9.9)
- CVE-2026-50522 — SharePoint Server (CVSS 9.8)
- CVE-2026-55008 — Exchange Server XSS
- CVE-2026-56190 — Remote Desktop Protocol RCE
- CVE-2026-50518 — Windows DHCP Server RCE
- CVE-2026-55010 — Minecraft Bedrock Dedicated Server RCE
SharePoint Under Active Exploitation Across Multiple CVEs
SharePoint Server is facing a sustained wave of active exploitation in July 2026, with CISA tracking at least five distinct SharePoint CVEs as either exploited or high-risk. According to CISA’s advisory, these flaws collectively enable remote code execution, post-exploitation persistence, IIS machine key theft, and malware deployment across all supported on-premises SharePoint versions — Subscription Edition, 2019, and 2016.
CVE-2026-56164 (the unauthenticated privilege escalation zero-day) was added to CISA’s Known Exploited Vulnerabilities catalog on the same day as Patch Tuesday, with a three-day patching deadline for federal agencies under BOD 26-04.
CVE-2026-58644 (CVSS 9.8), a deserialization of untrusted data flaw, was patched in the same update but was not initially flagged as exploited. Microsoft subsequently updated its advisory after exploitation was detected. SecurityWeek reported that CISA added it to the KEV catalog two days later, again with a three-day remediation window. Microsoft described the attack vector: “In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server.”
Two earlier SharePoint flaws also remain active concerns:
- CVE-2026-32201 — a spoofing issue patched in April, exploited as a zero-day
- CVE-2026-45659 — a code execution bug patched out-of-band in May, added to CISA’s KEV list in early July
CISA recommends organizations monitor SharePoint servers for unusual activity and verify that security products cover all SharePoint web applications.
CISA KEV Catalog Adds Fortinet FortiSandbox Flaws
Alongside the SharePoint entries, CISA added two OS command injection vulnerabilities in Fortinet FortiSandbox — CVE-2026-25089 and CVE-2026-39808 — to its KEV catalog. Both flaws allow attackers to execute arbitrary code or commands on vulnerable appliances and were patched in June and April respectively.
Exploit intelligence firm Defused flagged both as exploited in the wild in mid-June, according to SecurityWeek. Federal agencies face the same three-day patching mandate under BOD 26-04.
Progress ShareFile Zero-Day Confirmed After Service Disruption
Progress Software confirmed on July 14, 2026 that a zero-day vulnerability caused the recent ShareFile Storage Zones Controller outage, which had forced the company to disable access for all customers using the on-premises component. SecurityWeek reported that Progress told them: “As of Tuesday, July 14th, access has been restored for Progress ShareFile Storage Zones Controller customers following the service disruption we communicated previously.”
The flaw affects versions 5.x and 6.x of the Storage Zones Controller. In private communication to customers — a copy of which was shared on Reddit — Progress described the bug as a path traversal issue: “An authenticated administrative user can read arbitrary files accessible to the application’s service account, write threat actor-controlled content to arbitrary directories, or enumerate the server filesystem layout.”
Progress stated it has “no evidence of unauthorized access to any ShareFile customer account or data.” However, WatchTowr founder and CEO Benjamin Harris questioned the framing, noting that vulnerabilities requiring administrative access “do not typically trigger such an aggressive” response — suggesting the full scope may not yet be public.
Unpatched Cursor Flaw Enables Auto-Execution of Malicious Binaries
Security firm Mindgard disclosed an unpatched vulnerability in the Cursor AI coding environment on Windows that executes a malicious `git.exe` binary automatically when a developer opens a repository. Cursor has more than 7 million active users, according to Mindgard’s report.
The mechanism is simple: Cursor’s path resolution logic searches for Git binaries in multiple locations, including the workspace root. A malicious `git.exe` placed in a repository’s root directory runs without user warning or approval. Mindgard stated: “The vulnerability is not theoretical and does not depend on a complex chain of exploitation, prompt injection, model manipulation, jailbreaks, memory corruption, or sophisticated attacker tradecraft.”
Mindgard first reported the flaw to Cursor on December 15, 2025. Cursor’s CISO directed the firm to its HackerOne bug bounty program in January 2026, where the issue was confirmed as reproducible — but seven months after initial disclosure, no patch has shipped and no remediation timeline has been communicated.
What This Means
July 2026 marks a notable stress point for enterprise patch management. The 622-CVE Microsoft release is not just a statistical record — it reflects a sustained, broad attack surface across Windows, Office, and server infrastructure that defenders must triage rapidly. The three-day CISA KEV deadline for federal agencies signals genuine urgency, not routine hygiene.
The SharePoint cluster is particularly concerning: five distinct CVEs across a six-month window, multiple exploited as zero-days, and at least one (CVE-2026-58644) moving from “patched but not exploited” to “actively exploited” within days of disclosure. Organizations running on-premises SharePoint should treat patching as an emergency response, not a scheduled maintenance item.
The Cursor disclosure highlights a different risk vector: supply chain and developer tooling. An AI-assisted IDE executing arbitrary binaries silently — with no patch after seven months — represents a credible threat to software development pipelines. Organizations using Cursor should audit repositories for unexpected `git.exe` files and consider restricting Cursor’s execution environment until a fix ships.
Progress’s ShareFile incident, meanwhile, underscores the opacity problem in vulnerability disclosure. Withholding technical details may limit copycat exploitation in the short term, but it also prevents defenders from assessing their actual exposure — a tradeoff WatchTowr’s Harris publicly questioned.
FAQ
What is CVE-2026-56164 and why is it critical?
CVE-2026-56164 is a privilege escalation flaw in Microsoft SharePoint Server that can be exploited remotely without any authentication. It was confirmed exploited in the wild before Microsoft patched it in the July 2026 Patch Tuesday update, and CISA added it to its Known Exploited Vulnerabilities catalog with a three-day remediation deadline for federal agencies.
Is the Cursor git.exe vulnerability patched?
No. As of Mindgard’s public disclosure, no patch has been released. Mindgard first reported the flaw in December 2025, and despite Cursor confirming the issue as reproducible through its HackerOne program in January 2026, no fix or remediation timeline has been communicated to users after seven months.
What should organizations do about the ShareFile zero-day?
Progress Software has released patched versions of the ShareFile Storage Zones Controller for affected versions 5.x and 6.x. Organizations running those versions should apply the patches immediately. Progress stated it has found no evidence of customer data compromise, but WatchTowr’s CEO has publicly questioned whether the full scope of the vulnerability has been disclosed.
Related news
- CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV – The Hacker News
Sources
- Fresh SharePoint Vulnerability Exploited Soon After Disclosure – SecurityWeek
- Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption – SecurityWeek
- Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days – SecurityWeek
- Unpatched Cursor Vulnerability Exposes Users to Code Execution – SecurityWeek
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities – SecurityWeek






