Skip to content
AI Security Wire

Published

- 6 min read

By

AI Is Breaking the Exploitability Index: July 2026 Patch Tuesday

img of AI Is Breaking the Exploitability Index: July 2026 Patch Tuesday

570 vulnerabilities patched in a single month. Two actively exploited at release. A third disclosed ahead of time by a researcher who publishes stripped-down proof-of-concepts alongside Microsoft advisories. July 2026 Patch Tuesday is the largest release in Microsoft’s history, and the number alone is newsworthy. But the more significant development is what Microsoft and independent researchers are now saying about why the number is going up, and what it means for every organization that has been treating the Exploitability Index as a reliable triage signal.

The short version: it isn’t reliable anymore. AI tooling is producing working exploits for vulnerabilities rated “unlikely to be exploited” faster than defenders can act. Microsoft is now recommending patching cadences that would have seemed extreme two years ago.

The Two Actively Exploited CVEs

CVE-2026-56155 is a privilege escalation in Active Directory Federation Services. The vulnerability stems from insufficient granularity in access controls on ADFS service components, allowing a locally authenticated attacker with standard privileges to escalate to SYSTEM. ADFS is exactly the target class where that access matters most: the service holds token signing certificate private keys, and full control of those keys enables offline SAML token forgery across every federated application in the deployment.

Microsoft’s own incident responders identified exploitation in the wild. CISA has added the CVE to the Known Exploited Vulnerabilities catalog with a July 28 remediation deadline. Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative, put it plainly: “AD FS is exactly the kind of identity infrastructure attackers love to pivot through once they’re in. It can also be paired with an RCE as we often see in ransomware. Test and deploy this patch quickly.”

CVE-2026-56164 is a privilege escalation in SharePoint Server. Google’s incident responders reported it alongside an anonymous researcher. Unlike the ADFS vulnerability, it is remotely exploitable in low-complexity attacks with no authentication required. CISA’s deadline here is July 17, three days from the Patch Tuesday disclosure, which is itself a signal about the pace of observed exploitation.

Both CVEs were covered under the same CISA notice issued July 14.

The SharePoint RCE Chain That Isn’t Fully Patched Yet

Alongside the actively exploited vulnerabilities, this Patch Tuesday introduced a new wrinkle: a partial fix for an unauthenticated RCE chain that isn’t fully patched.

CVE-2026-55040 is a SharePoint security feature bypass discovered by Rapid7 Senior Principal Security Researcher Stephen Fewer and disclosed in coordination with Microsoft. According to Adam Barnett, Principal Software Engineer at Rapid7, it is “the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server.” The second vulnerability in the chain remains embargoed. Microsoft plans to publish patches for it in August 2026.

This creates a specific exposure window. Organizations that patch CVE-2026-55040 in July are partially protected. Full protection against the RCE chain requires patching a CVE that doesn’t have a public advisory yet. The coordinated disclosure timeline reduces the window for opportunistic exploitation, but it also means defenders cannot fully remediate a known RCE chain until next month’s release cycle.

CISA has also separately urged organizations running SharePoint to apply hardening measures against two older vulnerabilities, CVE-2026-32201 and CVE-2026-45659, which remain under active exploitation.

Where 570 Vulnerabilities Come From

The record patch count was not a surprise. Microsoft pre-announced it. The company acknowledged it has been using AI tooling internally to accelerate vulnerability discovery across its own codebase, and that security researchers and threat actors have been doing the same for their targets.

That last part is the uncomfortable admission. The same AI capabilities Microsoft is deploying for internal red teaming are available to attackers reviewing Microsoft’s own products.

The specific data point that matters most for defenders comes from Anthropic’s Red Team, which used its Mythos Preview model against Microsoft’s own Exploitability Index ratings. The model produced proof-of-concept exploits for 13 of 14 vulnerabilities that Microsoft had classified as “Exploitation Less Likely” or “Exploitation Unlikely.” Satnam Narang, senior staff research engineer at Tenable, cited this in his Patch Tuesday analysis: “Our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”

The concrete example from this cycle: CVE-2026-45659, a SharePoint vulnerability Microsoft initially classified as exploitation less likely, was added to the CISA KEV on July 1, two weeks before this Patch Tuesday. The Exploitability Index rating did not reflect the actual attacker interest in the vulnerability.

Microsoft Is Compressing the Patching Window

In response, Microsoft has updated its formal patching recommendations. The new guidance:

  • Deploy critical quality updates within three days of release
  • Set update deadlines to zero or one day
  • Keep the grace period to a maximum of two days

Three days from release to complete deployment is aggressive for enterprise environments with change management processes, testing requirements, and heterogeneous fleets. The previous implicit standard, driven by the monthly Patch Tuesday cadence, was a window measured in weeks. Microsoft is now saying that window is operationally dangerous.

Five Eyes cybersecurity agencies have separately recommended that organizations integrate AI tooling into security operations to “detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents.” The implication is that defender automation is now a prerequisite for staying within the acceptable patching window.

What This Means for Defenders

The Exploitability Index will retain some utility as a relative signal, but treating any vulnerability as low-priority because it is rated “Exploitation Less Likely” carries more risk than it did 18 months ago. Working exploits are being produced at AI speed, and the classification system reflects human attacker economics that no longer apply.

Practically, this means patch prioritization needs a second pass: pull CVEs that affect internet-facing systems, identity infrastructure, and anything in the CISA KEV catalog and treat them as critical regardless of the Exploitability Index rating.

For ADFS specifically, this Patch Tuesday warrants more than just patching. CVE-2026-56155 is being actively exploited, and once ADFS signing keys are extracted from a compromised host, the attacker has persistent authentication capability that survives password resets, account lockouts, and user deletions. The advisory response for confirmed exploitation is to patch, rotate token signing and decryption certificates, and audit all relying party trust relationships — not just apply the update.

References

Frequently Asked Questions

How many vulnerabilities did Microsoft patch in July 2026 Patch Tuesday?
Microsoft released patches for 570+ vulnerabilities, with two confirmed actively exploited at time of release: CVE-2026-56155 (Active Directory Federation Services privilege escalation) and CVE-2026-56164 (SharePoint privilege escalation). A third, CVE-2026-50661 (BitLocker bypass), had been previously disclosed.
What is the AI exploitability problem Microsoft is describing?
Anthropic's Red Team used its Mythos Preview model to produce proof-of-concept exploits for 13 of 14 vulnerabilities rated 'Exploitation Less Likely' or 'Exploitation Unlikely' by Microsoft. This means the Exploitability Index, which guides how urgently organizations prioritize patching, is calibrated for human attacker pace — not AI tooling that can produce working exploits within hours of disclosure.
What are Microsoft's new patching timeline recommendations?
Microsoft has updated guidance to recommend deploying critical quality updates within three days of release, setting update deadlines to zero or one day, and keeping the grace period to a maximum of two days. This is a significant compression from the implicit standard of one month between Patch Tuesdays.