Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days

https://www.securityweek.com/wp-content/uploads/2023/12/Microsoft-Security-leaders.jpg

Microsoft on Tuesday announced patches for a record-breaking 622 vulnerabilities, including two bugs in Active Directory and SharePoint Server that have been exploited in the wild as zero-days.

Tracked as CVE-2026-56155, the exploited AD flaw affects Federation Services (AD FS) and could allow attackers to elevate their privileges locally to administrator.

Also leading to privilege escalation, the SharePoint Server flaw is tracked as CVE-2026-56164 and can be exploited over the network without authentication.

Another security defect that Microsoft drew attention to is CVE-2026-50661, a BitLocker security feature bypass issue that can be exploited by physical attackers and which was publicly disclosed before the July 2026 Patch Tuesday.

“We surmise that this could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made,” Tenable senior staff research engineer Satnam Narang commented.

According to Microsoft’s release notes,...

Copyright of this story solely belongs to securityweek.com. To see the full text click HERE

Read more