Five hundred and seventy fixes arrived on a single Tuesday

The Microsoft Security Response Center published its July update on Tuesday 14 July, and the list did not end where anyone expected. Microsoft fixed 570 vulnerabilities in one release. Its previous record, set six weeks earlier in June, was 206. Fifty-nine of the July flaws are rated critical, and 48 of those allow remote code execution. The full breakdown runs to 254 elevation-of-privilege bugs, 145 remote code execution bugs, 102 information disclosure bugs, 35 denial-of-service bugs, 17 security feature bypasses and 16 spoofing flaws. The total excludes the Chromium flaws that Edge inherits.

Why it matters. A monthly patch window is a fixed quantity of engineering hours. The number of items being pushed through it has almost tripled, and the vendor has said in writing that this is not a spike. Every process that assumes an administrator can read the list, weigh each entry and decide, broke on Tuesday.

Two are already being used against ADFS and SharePoint

Three of the 570 are zero-days, and two of those are under active attack. CVE-2026-56155 is an elevation-of-privilege flaw in Active Directory Federation Services, where access control that is not granular enough lets an authorised attacker raise their privileges locally. CVE-2026-56164 is an elevation-of-privilege flaw in SharePoint Server, where a missing authentication check on a critical function lets an unauthenticated attacker raise privileges across the network. The third, CVE-2026-50661, is a publicly disclosed BitLocker security feature bypass.

Neither exploited bug is exotic, and that is the point. Active Directory Federation Services is the machine that issues your federation tokens. SharePoint is where your contracts, board packs and customer lists sit. An attacker who elevates privileges on either one does not need a second exploit to reach the rest. If you run either on your own premises, they are the only two entries on the July list that need a decision today.

The BitLocker bypass attacks a legal defence, not a laptop

CVE-2026-50661 lets an attacker with physical access reach data on an encrypted volume. Read as an engineering problem, it is a device bug that requires the machine in hand. Read as a European compliance problem, it is something else. Article 34 of the GDPR says a controller need not notify affected individuals when the exposed data was rendered unintelligible to unauthorised parties, and full-disk encryption is the reason most lost or stolen laptops never become a notifiable event.

The consequence. That reasoning rests on the encryption holding. A published bypass makes it arguable, and the argument now carries a CVE number that any supervisory authority can look up. The 72-hour clock in Article 33 does not pause while you work out your position. Firms that lean on BitLocker as their answer to a lost device should get this patch onto the estate before the next laptop goes missing, and should be able to show the date it landed.

Microsoft says the flood is the new baseline

The jump is not a bad month of code. On 9 July, five days before the release, Microsoft published a post on the Windows Experience Blog explaining that it has run an AI system called MDASH, its multi-model agentic scanning harness, across the Windows codebase. MDASH scans critical binaries and uses several models to validate what it finds. Its first public haul, in May, was 16 previously unknown CVEs, four of them critical remote code execution flaws in core components including the TCP/IP kernel stack, the IKEv2 service, Netlogon and the DNS API library. Microsoft told customers plainly to expect a higher volume of security updates in every release.

This is not confined to one vendor. Chrome 150 shipped with 433 security fixes. Adobe has moved to twice-monthly releases and Mozilla to a two-week cadence. The industry has mechanised the discovery of its own bugs, and it has kept pace on shipping them to you. Your capacity to absorb them has not moved at all.

Change the metric before you change the schedule

The instinct is to ask for more patching hours. That is the wrong lever, because the input is now uncapped. The workable response is to stop treating the CVE list as a queue to be cleared and start treating it as a signal to be filtered. Two filters do almost all of the work: is it being exploited, and is the affected system reachable from outside. Three of the 570 flaws met the first test this month. That is a list a human can actually read.

The bottom line. The board metric has to move with it. A patch-coverage percentage is now a measurement of Microsoft's scanner rather than of your defences, and it will look worse every month while meaning less. Report instead the time it took to patch the exploited and internet-facing flaws. That number is yours, it is small enough to defend, and it is the one an attacker cares about.