
Microsoft just shipped its biggest ever batch of security fixes, and two are already being used in attacks.
This month's Windows update fixed a record number of flaws, and two of them are already being used in real attacks. Applying it promptly is the whole job.
On 14 July Microsoft released its monthly security update, and it was the largest it has ever put out: fixes for around 570 flaws across Windows, Office, SharePoint, Azure and more. The size makes a headline, but it is not the risk. What matters for your business is smaller and sharper. Two of these flaws were already being used in real attacks before the fix arrived, and a third was made public before Microsoft had a patch ready. The job this month is not to read the list. It is to make sure the update actually goes on.
The two already being used in attacks
Both of the exploited flaws let an attacker who already has a foothold give themselves more power on the network, which is how a small break-in turns into a full one. The first, CVE-2026-56155, is in Active Directory Federation Services, the Microsoft component that handles single sign-on when staff log into other systems with their work account. The second, CVE-2026-56164, is in SharePoint Server, the version you run on your own server rather than the SharePoint that comes inside Microsoft 365. If your business runs either on its own kit, these are the ones to prioritise, and Microsoft has confirmed both were being exploited as the update shipped.
The one to know about if staff carry laptops
The third flaw made public this month, CVE-2026-50661, is a way to get around BitLocker, the disk encryption built into Windows that protects the data on a lost or stolen laptop. It needs physical access to the device, so it is not a remote threat, but it changes the maths on a missing machine. Encryption is the reason a lost laptop is usually an inconvenience rather than a reportable data breach, so any business that lets staff take devices off site has a reason to get this one patched.
Why 'apply it soon' is the whole point
None of this calls for alarm. Microsoft's monthly updates are routine, and the fix for all of it is the same ordinary maintenance. The risk sits in the gap between a fix being published and it being installed, because attackers watch these releases closely and go after the machines that have not caught up. A server or a laptop left unpatched for a few weeks after a known, exploited flaw is the softest target there is.
What to do
Get the July update onto your Windows machines, and treat any on-premises servers, especially SharePoint and Active Directory Federation Services, as first in the queue rather than last. If someone manages your IT, a one-line question settles it: has the July update been applied, and were the servers done first? If the answer is not a clear yes, that is this week's job.
What this means for your business
The record number of fixes is the headline, but the number is not the danger. Two of these flaws were already being used against real businesses, and the only thing standing between a published fix and a protected machine is someone applying it. We roll tested updates out across the machines we look after on a set schedule, servers and internet-facing systems first, so there is no long window where a known flaw sits open. If you are not sure when your systems were last brought up to date, that is worth pinning down now rather than after something goes wrong.
#WEARECOBALT
Ready when you are.
Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.