Microsoft Patch Tuesday: What IT Teams Must Apply First (July 2026)
A monthly page that distills Microsoft's Patch Tuesday down to what corporate IT teams must apply first. For July 2026, two unauthenticated takeovers in on-prem SharePoint Server (9.8 each) lead the list, with remote code execution in Exchange, Active Directory, DHCP, and SQL Server also needing attention. Includes a per-product quick-reference table.
Table of contents
A monthly page that distills Microsoft's Patch Tuesday down to what corporate IT teams must apply first. For July 2026, two unauthenticated takeovers in on-prem SharePoint Server (9.8 each) lead the list, with remote code execution in Exchange, Active Directory, DHCP, and SQL Server also needing attention. Includes a per-product quick-reference table.
This page is a monthly summary that pulls, from Microsoft's regular security updates (known as Patch Tuesday), just the answer to one question for corporate IT teams: "what should we apply first this month?" Rather than covering everything, it narrows to the flaws with high exploitation risk, wide reach, and no room to defer, and assigns a priority. Bookmark it and check back each month.
This edition covers July 2026. By various counts, Microsoft fixed over 100 vulnerabilities this month, but they are not all equally urgent. What corporate environments should apply first this month is the two "SharePoint Server" flaws that let attackers take over an internal server with no login. Below, in order of priority.
What to apply first this month (July 2026)
Priority is based on "does exploitation need a login," "how widely used is the product internally," and "are attacks already happening." Even at the same severity number, items that need no login are placed a tier higher.
| Priority | Product | CVE | Severity | Login | Impact |
|---|---|---|---|---|---|
| Top | SharePoint Server (on-prem) | CVE-2026-50522 CVE-2026-58644 | 9.8 each | No | Takeover (RCE) |
| High | Exchange Server (on-prem) | CVE-2026-55005 | 8.8 | Yes (low) | Takeover (RCE) |
| High | Active Directory Domain Services | CVE-2026-49178 | 8.8 | Yes (low) | Takeover (RCE) |
| High | Windows DHCP Server | CVE-2026-48564 | 8.8 | Yes (low) | Takeover (RCE) |
| Medium | SQL Server | CVE-2026-54117 CVE-2026-54118 | 8.8 each | Yes (low) | Takeover (RCE) |
Top: SharePoint Server unauthenticated takeover (CVE-2026-50522 / 58644)
This is the month's headline. On-premises SharePoint Server, used for intranets and document sharing, has two flaws that let an attacker take over the server over the network with no login at all. They are CVE-2026-50522 and CVE-2026-58644, both rated 9.8. The mechanism is "deserialization of untrusted data" (CWE-502), continuing the lineage of the same hole (CVE-2026-45659) already under attack from May. Cloud SharePoint Online is not affected. If you run the on-prem edition, apply this month's update first. Details and per-edition fixed builds are in our SharePoint vulnerability explainer.
High: remote code execution in Exchange, Active Directory, and DHCP
Next in priority are takeovers (remote code execution) in three products at the core of the internal platform. All are rated 8.8 and need a low-privilege login, but their reach is wide and the impact if breached is large. On-prem Exchange Server (CVE-2026-55005) is the mail platform, Active Directory Domain Services (CVE-2026-49178) is the foundation of internal authentication, and Windows DHCP Server (CVE-2026-48564) hands out IP addresses to devices — all backbone of the internal network. AD DS, running on domain controllers, is especially serious: a takeover ripples across the whole company. If you run these servers, include them in this month's update.
Medium: SQL Server and others, via the normal monthly update
SQL Server (CVE-2026-54117 / 54118) also includes takeovers abusing data deserialization. These need a login and assume permission to connect to the database. CVE-2026-54118 is listed as affecting a wide range from SQL Server 2016 to 2025. Beyond these, many fixes landed in the Windows kernel, Print Spooler, and Remote Desktop components, but most are "privilege escalation by someone already on the device" or "client-side" holes that require luring a user to a malicious server, so they are less prone to indiscriminate attack than the items above. Apply them together via the normal monthly update (Windows Update / WSUS, etc.).
Does it apply to you? A per-product quick reference
Here is "which ones concern us" organized by product. Check only the rows for products you use. The more self-hosted (on-premises) servers you run, the higher your priority.
| If you run | This month's action | Priority |
|---|---|---|
| On-prem SharePoint | Apply this month first (unauthenticated takeover) | Top |
| On-prem Exchange | Apply this month | High |
| Active Directory (domain) | Apply to domain controllers | High |
| Windows DHCP Server | Apply to those servers | High |
| SQL Server | Apply via normal monthly | Medium |
| Windows clients only | Apply Windows Update | Normal |
| Microsoft 365 cloud only | Update devices only (no server action) | Normal |
Organizations that only use the cloud (Microsoft 365 / SharePoint Online / Exchange Online) need not act on the server-side flaws, because Microsoft handles those updates. What needs attention is the on-premises products you host on your own servers.
What Microsoft's monthly update (Patch Tuesday) is
On the second Tuesday of every month, Microsoft releases security fixes for Windows, Office, and its various server products together. This is Patch Tuesday, the "monthly update." Bundling them helps companies test and apply in a planned way.
Each fix carries the severity indicator "CVSS" (out of 10) and Microsoft's own exploitability assessment. Beyond the severity number, looking together at "does it need a login (is it unauthenticated)," "are attacks already happening," and "how central is the product internally" makes it easier to decide the order of application. This page presents priorities with that judgment already done for you.
Vulnerabilities confirmed to be under real-world attack are published by the U.S. agency CISA as the "Known Exploited Vulnerabilities (KEV)" list. Our Japanese-language tracking of the latest exploitation is in the CISA KEV dashboard (Japanese); checking it alongside the monthly update sharpens the priorities further.
How to apply each month: operational tips
Here are the basics for running the monthly update safely and reliably. Building a routine you can run the same way every month is, in the end, the best defense.
First, use two tiers by priority: apply the login-free takeovers and the already-exploited holes ahead of testing, and put the rest through your normal validation flow. Trying to run everything at the same speed delays the most dangerous ones. Second, keep an inventory of your on-prem server products. Knowing where each version of core servers like SharePoint, Exchange, AD, and SQL lives lets you immediately narrow down the targets in a month like this one.
For delivery, devices are typically covered via Windows Update or Microsoft Intune, and server fleets via WSUS or related Windows Server update mechanisms. After applying, confirm through reboots and service restarts — don't stop at "delivered," see it through to "in effect." And even after patching, don't forget to check whether you have already been breached. For a hole already under attack, an update prevents further intrusion; it does not guarantee you weren't already breached.
Update history
This page is updated in step with each month's Microsoft monthly update. The key points of past editions are kept here in brief.
- â–¸July 2026: On-prem SharePoint Server has two unauthenticated takeovers (CVE-2026-50522 / 58644, 9.8 each) as the top priority. Remote code execution in Exchange, Active Directory, DHCP, and SQL Server (8.8 each, low-privilege) also needs attention. Over 100 fixes total.
Sources
- â–¸Microsoft Security Update Guide (official monthly list)
- â–¸NVD - CVE-2026-50522 (SharePoint, unauthenticated RCE, 9.8)
- â–¸NVD - CVE-2026-55005 (Exchange, RCE, 8.8)
- â–¸NVD - CVE-2026-49178 (Active Directory, RCE, 8.8)
- â–¸NVD - CVE-2026-48564 (Windows DHCP, RCE, 8.8)
- â–¸CISA - Known Exploited Vulnerabilities Catalog (KEV)
- â–¸Related: SharePoint Server takeover roundup (this site)
- â–¸Related: CISA KEV dashboard (this site)

Makoto Horikawa
Backend Engineer / AWS / Django