Microsoft Releases Record 622 CVEs in Patch Tuesday; CISA Accelerates Alert for SharePoint

The July cycle marks the largest in the history of the program. CISA added three actively exploited SharePoint vulnerabilities on the same day. Triage has become the real bottleneck of the operation.
Microsoft has released fixes for 622 CVEs in this Tuesday's Patch Tuesday on July 14, marking the largest volume in a single cycle since the program's inception. Two of these bugs—one in Active Directory and another in SharePoint Server—are actively being exploited as zero-days. A third is publicly known, although it has not yet been exploited.
On the same date, CISA issued a specific alert regarding the active exploitation of three distinct CVEs in on-premises SharePoint. These three, CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, allow for remote code execution and privilege escalation without authentication, entering the Known Exploited Vulnerabilities (KEV) catalog with a mandatory remediation deadline for federal agencies. The affected versions include SharePoint Server Subscription Edition, 2019, and 2016.
The operational detail of concern is the post-exploitation persistence described by the agency. Attackers extract machine keys from IIS and use deserialization techniques to maintain access even after the patch. Applying the update does not close the incident. Response teams operating on-premises SharePoint will need to rotate machine keys, review IIS logs, and hunt for residual artifacts before considering the environment clean.
Where the Issue Stops Being Microsoft
The privilege escalation in Windows VMSwitch (CVE-2026-57092, CVSS 9.9) is the single most severe vulnerability of the cycle. VMSwitch is the component of Hyper-V that separates loads within the same physical host. An escalation at this point breaks the isolation between virtual machines on the same server, making this flaw critical in multi-tenant environments and for providers consolidating clients on shared hardware. Azure Stack HCI and private clusters running Hyper-V are on the front line of exposure.
Analysts from the Zero Day Initiative noted in their analysis of the previous cycle that Patch Tuesday has ceased being a monthly exercise and now requires near-daily triage. The 622 fixes in a single month far exceed the historical record of the program. Vulnerability management teams that operated on a monthly cadence must now process disclosures from third parties and vendors on a biweekly basis to avoid accumulating patching debt.
What Changes for the CIO in Frankfurt, London, and Tokyo
CISA's legal obligation is limited to U.S. federal agencies, but inclusion in the KEV serves as a global technical signal. European banks running on-premises SharePoint, including Deutsche Bank and BNP Paribas, as well as financial groups in Japan like MUFG and Mizuho, treat the list as an internal compliance benchmark even without direct jurisdiction from the U.S. agency. External auditors use the KEV as a baseline in SOC 2 and ISO 27001 routines.
In India, service providers catering to global clients face a tighter window. TCS, Wipro, and Infosys operate patching and SIEM contracts for dozens of U.S. banks and insurers, and inclusion in the KEV triggers internal correction SLAs, typically between 24 and 72 hours for active vulnerabilities. Multi-year contracts impose penalties for non-compliance, pushing operations into a state of alert until the cycle is closed. For Brazil, the calculation is similar: banks running on-premises SharePoint in environments regulated by the Central Bank rely on a circular regarding cybersecurity risk management that treats the KEV as a technical reference, even though there is no formal obligation.
What Is Not in the Announcement
Neither Microsoft nor CISA named the groups behind the exploitation. There is no public attribution to state or financially motivated actors this Tuesday. This absence is noteworthy: in previous cycles where SharePoint was targeted by coordinated campaigns, initial attribution came from private threat intel vendors rather than the government and pointed to groups linked to China and Russia. The lack of naming in this round does not signify an absence of known attackers, only that the agency chose not to confirm publicly.
The real bottleneck of the cycle is human. According to Tuesday's CVEbrief, the volume of critical disclosures has increased by about 700% compared to the day before. Vulnerability management teams with ten people or fewer, which comprise the majority of Global 2000 operations, cannot prioritize six hundred items in three business days. The operational question has shifted from "when to apply" to "what to accept as residual risk until the next cycle," with explicit business decisions on which servers remain exposed for an additional week. The answer to this question is where CISOs will spend the next fifteen days, not on the technical application of the patch.