Microsoft Releases Patch for 622 Vulnerabilities, Including Two In-the-Wild Zero-Days
The update signals faster AI-driven bug discovery, forcing urgent patching choices for enterprise defenders.
Overview
- Microsoft published fixes for 622 vulnerabilities across Windows, Office and other products and is urging organizations to prioritize remediation for two actively exploited zero-days and a publicly disclosed BitLocker bypass.
- The two exploited zero-days are CVE-2026-56155, an Active Directory Federation Services flaw that can allow local privilege elevation to administrator, and CVE-2026-56164, a SharePoint Server flaw exploitable over the network without authentication to gain elevated rights.
- Microsoft highlighted CVE-2026-50661, a BitLocker security-feature bypass that can expose encrypted data to attackers with physical access and was publicly disclosed before this patch release.
- Security vendors flagged additional high-severity flaws that need immediate attention, including a VMSwitch bug rated 9.9 (CVE-2026-57092) and critical SharePoint issues, and researchers warned that some public disclosures may be linked to outside researchers though attribution is unconfirmed.
- Microsoft says AI tools framed as MDASH are surfacing more bugs faster across the Windows codebase, a shift that could speed exploit development and is already prompting faster, broader patching by other vendors such as Adobe.