Top/Articles/Microsoft Patch Tuesday: What IT Teams Must Apply First (July 2026)
microsoft-patch-tuesday-cover-en

Microsoft Patch Tuesday: What IT Teams Must Apply First (July 2026)

A monthly page that distills Microsoft's Patch Tuesday down to what corporate IT teams must apply first. For July 2026, two unauthenticated takeovers in on-prem SharePoint Server (9.8 each) lead the list, with remote code execution in Exchange, Active Directory, DHCP, and SQL Server also needing attention. Includes a per-product quick-reference table.

RoundupPublished July 15, 2026 Updated today
Table of contents
Key takeaways

A monthly page that distills Microsoft's Patch Tuesday down to what corporate IT teams must apply first. For July 2026, two unauthenticated takeovers in on-prem SharePoint Server (9.8 each) lead the list, with remote code execution in Exchange, Active Directory, DHCP, and SQL Server also needing attention. Includes a per-product quick-reference table.

This page is a monthly summary that pulls, from Microsoft's regular security updates (known as Patch Tuesday), just the answer to one question for corporate IT teams: "what should we apply first this month?" Rather than covering everything, it narrows to the flaws with high exploitation risk, wide reach, and no room to defer, and assigns a priority. Bookmark it and check back each month.

This edition covers July 2026. By various counts, Microsoft fixed over 100 vulnerabilities this month, but they are not all equally urgent. What corporate environments should apply first this month is the two "SharePoint Server" flaws that let attackers take over an internal server with no login. Below, in order of priority.

What to apply first this month (July 2026)

Priority is based on "does exploitation need a login," "how widely used is the product internally," and "are attacks already happening." Even at the same severity number, items that need no login are placed a tier higher.

PriorityProductCVESeverityLoginImpact
TopSharePoint Server
(on-prem)
CVE-2026-50522
CVE-2026-58644
9.8 eachNoTakeover
(RCE)
HighExchange Server
(on-prem)
CVE-2026-550058.8Yes (low)Takeover
(RCE)
HighActive Directory
Domain Services
CVE-2026-491788.8Yes (low)Takeover
(RCE)
HighWindows DHCP
Server
CVE-2026-485648.8Yes (low)Takeover
(RCE)
MediumSQL ServerCVE-2026-54117
CVE-2026-54118
8.8 eachYes (low)Takeover
(RCE)

Top: SharePoint Server unauthenticated takeover (CVE-2026-50522 / 58644)

This is the month's headline. On-premises SharePoint Server, used for intranets and document sharing, has two flaws that let an attacker take over the server over the network with no login at all. They are CVE-2026-50522 and CVE-2026-58644, both rated 9.8. The mechanism is "deserialization of untrusted data" (CWE-502), continuing the lineage of the same hole (CVE-2026-45659) already under attack from May. Cloud SharePoint Online is not affected. If you run the on-prem edition, apply this month's update first. Details and per-edition fixed builds are in our SharePoint vulnerability explainer.

High: remote code execution in Exchange, Active Directory, and DHCP

Next in priority are takeovers (remote code execution) in three products at the core of the internal platform. All are rated 8.8 and need a low-privilege login, but their reach is wide and the impact if breached is large. On-prem Exchange Server (CVE-2026-55005) is the mail platform, Active Directory Domain Services (CVE-2026-49178) is the foundation of internal authentication, and Windows DHCP Server (CVE-2026-48564) hands out IP addresses to devices — all backbone of the internal network. AD DS, running on domain controllers, is especially serious: a takeover ripples across the whole company. If you run these servers, include them in this month's update.

Medium: SQL Server and others, via the normal monthly update

SQL Server (CVE-2026-54117 / 54118) also includes takeovers abusing data deserialization. These need a login and assume permission to connect to the database. CVE-2026-54118 is listed as affecting a wide range from SQL Server 2016 to 2025. Beyond these, many fixes landed in the Windows kernel, Print Spooler, and Remote Desktop components, but most are "privilege escalation by someone already on the device" or "client-side" holes that require luring a user to a malicious server, so they are less prone to indiscriminate attack than the items above. Apply them together via the normal monthly update (Windows Update / WSUS, etc.).

Does it apply to you? A per-product quick reference

Here is "which ones concern us" organized by product. Check only the rows for products you use. The more self-hosted (on-premises) servers you run, the higher your priority.

If you runThis month's actionPriority
On-prem SharePointApply this month first
(unauthenticated takeover)
Top
On-prem ExchangeApply this monthHigh
Active Directory
(domain)
Apply to domain controllersHigh
Windows DHCP ServerApply to those serversHigh
SQL ServerApply via normal monthlyMedium
Windows clients onlyApply Windows UpdateNormal
Microsoft 365
cloud only
Update devices only
(no server action)
Normal

Organizations that only use the cloud (Microsoft 365 / SharePoint Online / Exchange Online) need not act on the server-side flaws, because Microsoft handles those updates. What needs attention is the on-premises products you host on your own servers.

What Microsoft's monthly update (Patch Tuesday) is

On the second Tuesday of every month, Microsoft releases security fixes for Windows, Office, and its various server products together. This is Patch Tuesday, the "monthly update." Bundling them helps companies test and apply in a planned way.

Each fix carries the severity indicator "CVSS" (out of 10) and Microsoft's own exploitability assessment. Beyond the severity number, looking together at "does it need a login (is it unauthenticated)," "are attacks already happening," and "how central is the product internally" makes it easier to decide the order of application. This page presents priorities with that judgment already done for you.

Vulnerabilities confirmed to be under real-world attack are published by the U.S. agency CISA as the "Known Exploited Vulnerabilities (KEV)" list. Our Japanese-language tracking of the latest exploitation is in the CISA KEV dashboard (Japanese); checking it alongside the monthly update sharpens the priorities further.

How to apply each month: operational tips

Here are the basics for running the monthly update safely and reliably. Building a routine you can run the same way every month is, in the end, the best defense.

First, use two tiers by priority: apply the login-free takeovers and the already-exploited holes ahead of testing, and put the rest through your normal validation flow. Trying to run everything at the same speed delays the most dangerous ones. Second, keep an inventory of your on-prem server products. Knowing where each version of core servers like SharePoint, Exchange, AD, and SQL lives lets you immediately narrow down the targets in a month like this one.

For delivery, devices are typically covered via Windows Update or Microsoft Intune, and server fleets via WSUS or related Windows Server update mechanisms. After applying, confirm through reboots and service restarts — don't stop at "delivered," see it through to "in effect." And even after patching, don't forget to check whether you have already been breached. For a hole already under attack, an update prevents further intrusion; it does not guarantee you weren't already breached.

Update history

This page is updated in step with each month's Microsoft monthly update. The key points of past editions are kept here in brief.

  • â–¸July 2026: On-prem SharePoint Server has two unauthenticated takeovers (CVE-2026-50522 / 58644, 9.8 each) as the top priority. Remote code execution in Exchange, Active Directory, DHCP, and SQL Server (8.8 each, low-privilege) also needs attention. Over 100 fixes total.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django