Blackpoint Cyber Threat Notice: July 2026 Patch Tuesday Updates
Overview
This month’s Patch Tuesday brought a record 570 vulnerabilities from Microsoft, plus critical updates from SAP and Progress Software. Here’s a look at what we’re watching, what’s already been actioned, and what your team should prioritize next.
Microsoft
Microsoft’s July 2026 Patch Tuesday addressed 570 vulnerabilities, the largest release on record, including three zero-day vulnerabilities: two exploited in the wild and one publicly disclosed prior to a patch being available. Last month, Microsoft announced the use of AI to help identify vulnerabilities, which likely contributed to the increase in disclosed vulnerabilities in July 2026.
CVE-2026-56155 | 7.8 High | Elevation of Privilege vulnerability impacting Active Directory Federation Services (AD FS)
- Insufficient access control granularity in AD FS allows an authenticated attacker to elevate privileges locally to administrative access.
- Confirmed actively exploited in the wild. No technical details on the exploitation method have been released.
CVE-2026-56164 | 5.3 Medium | Elevation of Privilege vulnerability impacting Microsoft SharePoint Server
- Missing authentication for a critical SharePoint function allows an unauthorized attacker to elevate privileges over a network without credentials.
- Confirmed actively exploited in the wild. No technical details on the exploitation method have been released.
- CISA released SharePoint Hardening guidelines due to new SharePoint exploitations.
CVE-2026-50661 | 6.1 Medium | Security Feature Bypass vulnerability impacting Windows BitLocker
- Publicly disclosed prior to patch availability. An attacker with physical access to a target device can bypass BitLocker Device Encryption and access encrypted data.
- No evidence of active exploitation at the time of writing.
Microsoft also patched hundreds of additional vulnerabilities across Office, Windows, Azure, and other products this cycle.
SAP
SAP’s July 2026 updates addressed 16 vulnerabilities, including three critical flaws impacting NetWeaver, Approuter, and Commerce Cloud.
CVE-2026-44747 | 9.9 Critical | Memory corruption vulnerability impacting SAP NetWeaver
- Allows an authenticated attacker to exploit logic errors in memory management, potentially leading to unauthorized data access, modification, or system unavailability.
CVE-2026-27690 | 9.1 Critical | HTTP Request Smuggling vulnerability impacting SAP Approuter
- Allows unauthenticated attackers to exploit specially crafted HTTP requests to access other users’ responses and trigger denial-of-service conditions against cloud applications deployed on SAP BTP.
CVE-2026-44761 | 9.1 Critical | Default credentials vulnerability impacting SAP Commerce Cloud
- Default credentials allow attackers to obtain valid access tokens and read or modify data through exposed Commerce Cloud APIs.
SAP has not identified evidence of active exploitation for these vulnerabilities at the time of writing; however, SAP platforms remain a recurring ransomware and nation-state target.
Progress Software
Progress confirmed that a high-severity, unauthenticated path traversal zero-day vulnerability in ShareFile Storage Zone Controller (versions 5.x and 6.x) was behind last week’s emergency shutdown of customer Storage Zone Controllers following a credible external threat warning.
- A CVE identifier has been reserved and is expected to be published within two weeks.
- An authenticated administrative user can read arbitrary files, write attacker-controlled content to arbitrary directories, or enumerate the server’s filesystem layout.
- Progress has released fixed versions 5.12.5 and 6.0.2 and reports no indication of unauthorized access to customer accounts or data at the time of writing.
What is Blackpoint doing?
As the threat landscape shifts, Blackpoint stays ahead by building and deploying real-time detections tuned to the latest adversary tradecraft. When threats are identified, Blackpoint takes decisive action by hunting down and actioning every associated IOC across customer environments before attackers can establish a foothold or move laterally.
Recommendations
- Immediate Action: Apply the July 2026 Patch Tuesday updates and update ShareFile Storage Zone Controller to version 5.12.5 or 6.0.2.
- Enable AMSI with Request Body Scan set to Full on SharePoint Server to mitigate CVE-2026-56164.
- Restrict administrative and remote access to trusted users and networks.
- Enforce MFA to reduce risk from stolen or reused credentials.
- Review SAP Approuter and Commerce Cloud deployments for default or unrotated credentials.
- Limit exposure of management interfaces and administrative portals to the internet.
- Review EDR, IDS, and vulnerability scanning coverage across affected assets.
References
DATE PUBLISHEDJuly 14, 2026
AUTHORBlackpoint Cyber
SHARE ON
Blackpoint AI: A Decade in the Making
Webinar - July 22
Automated attacks need automated defense. Learn how Blackpoint AI protects your clients from identity threats by containing threats in as little as 21 seconds.*
*Under two minutes on average