Microsoft's Record 622-Flaw Patch Tuesday and Two Active Zero-Days: What UK Small Businesses Must Do Today

Threats & Attacks

Microsoft's Record 622-Flaw Patch Tuesday and Two Active Zero-Days: What UK Small Businesses Must Do Today

Microsoft patched 622 vulnerabilities on 14 July 2026. That is the largest single Patch Tuesday release in the company’s history. Two of those vulnerabilities are not theoretical risks sitting in a research lab. They are being actively exploited right now, confirmed by CISA’s Known Exploited Vulnerabilities catalogue.

For UK small businesses running Microsoft infrastructure, the window between ‘patch available’ and ‘attackers using it’ is measurably narrowing. The data from this release makes that case without any embellishment required.

The Two Zero-Days That Matter Right Now

CVE-2026-56164: Microsoft SharePoint Server. This is the one that should be causing immediate action. CISA added it to the KEV catalogue on 14 July 2026. The vulnerability allows an unauthenticated attacker to elevate privileges over a network. No login required. No credentials to steal first. If an attacker has any access to your network, this vulnerability gives them a route to escalate that access through SharePoint.

SharePoint is not an enterprise-only product. Many small and medium businesses use on-premises SharePoint for document management, intranets, and collaboration. Many MSPs manage SharePoint deployments for clients. If that describes your environment, this vulnerability is your problem today.

CVE-2026-56155: Microsoft Active Directory Federation Services. Also CISA KEV-listed, also added 14 July 2026. This one requires an attacker to already have an authorised account, but the bar is not high. Any legitimate user can trigger a local privilege escalation. In practice, that means an attacker who has compromised a single low-privilege account, or any malicious insider, can use this to escalate their access within your identity infrastructure.

AD FS (Active Directory Federation Services) is the technology that underpins single sign-on for many businesses: one login that works across multiple applications. If your business uses AD FS, this vulnerability is in the authentication layer. That is not a peripheral system.

What 622 CVEs in One Release Actually Tells You

The headline number deserves scrutiny rather than panic. A single vendor releasing 622 vulnerability patches in one month is anomalous. The previous record was considerably lower.

What it does not mean: that Microsoft products are uniquely insecure compared to other vendors. What it does mean: accumulated technical debt in a product portfolio this large produces a significant remediation burden. For small businesses and their MSPs, the operational consequence is real. Patch fatigue is a documented phenomenon. When the volume of updates is this high, the risk of incomplete patching increases.

The two KEV-listed vulnerabilities are the items that require immediate attention. The remaining 620 require normal patch management discipline: applied promptly, tested where feasible, confirmed complete.

Also worth noting from the NVD data published on 14 July: CVE-2026-54990, a heap-based buffer overflow in the Remote Desktop Client (CVSS 9.8), allows unauthenticated remote code execution. CVE-2026-56190, a vulnerability in Windows RDP, also allows unauthenticated remote code execution (CVSS 9.8). If your business uses Remote Desktop Protocol for remote access, these two warrant immediate attention alongside the KEV items.

This is directly relevant to the remote access security choices UK SMBs make. RDP exposure to the internet combined with unpatched vulnerabilities of this severity is a ransomware deployment waiting to happen.

The SonicWall Problem Running Concurrently

Two additional CISA KEV entries from 14 July 2026 concern SonicWall SMA1000 appliances: CVE-2026-15409 (server-side request forgery, unauthenticated remote exploitation) and CVE-2026-15410 (code injection, authenticated remote OS command execution).

SonicWall appliances are common in SMB and MSP environments as network security appliances and remote access gateways. The combination of an unauthenticated entry point (CVE-2026-15409) with a subsequent code execution capability (CVE-2026-15410) is a two-step attack chain. Step one gets in without credentials. Step two runs arbitrary commands as an administrator.

If your business uses a SonicWall SMA1000, or your MSP deploys one on your behalf, this is a patching conversation for today, not this month’s maintenance window.

Why This Is Directly Relevant to Supply Chain Risk

The vulnerability combination here, authentication bypass in SharePoint, privilege escalation in AD FS, remote code execution in RDP, and the SonicWall attack chain, maps directly onto how small businesses become entry points for attacks on their larger clients.

Attackers do not always want the data held by a ten-person accountancy firm. Sometimes they want the access that accountancy firm has to its clients’ financial systems. A compromised SharePoint deployment at a small professional services firm can be the first step in a campaign targeting that firm’s upstream relationships.

This is not a theoretical supply chain risk scenario. It is the operational pattern documented repeatedly in post-incident analyses. Small businesses that hold access to larger organisations are disproportionately targeted precisely because their patch management and security monitoring is less rigorous.

If your business provides services to larger clients, your security posture is their supply chain risk. That context reframes patching from ‘internal housekeeping’ to ‘contractual obligation’.

Why Staying Current on Patches Is a Competitive Signal

Cyber Essentials certification, which the NCSC operates and which is increasingly required for UK government supply chain contracts, requires that high and critical severity vulnerabilities are patched within 14 days. The July 2026 KEV entries are not borderline cases. They are CISA-confirmed active exploitation events.

Being able to demonstrate to a client or procurement team that your patch management process identifies and remediates CISA KEV entries within 24 to 48 hours is a material differentiator. It is the difference between a documented, auditable process and an informal ‘we try to keep things updated’ conversation.

If your MSP cannot provide you with confirmation that July 2026 Microsoft patches have been applied across your estate, that is information you need in writing. Today.

How to Make the Business Case to Your Board or Budget Holder

Three arguments that hold up under scrutiny:

The regulator has confirmed active exploitation. CISA’s KEV catalogue is not speculative. It is a list of vulnerabilities confirmed to be exploited in real attacks. Two Microsoft vulnerabilities and two SonicWall vulnerabilities from this week’s releases are on it. The NCSC monitors and cross-references this data. Unpatched systems facing KEV-listed vulnerabilities are a demonstrable failure of reasonable security measures under GDPR’s technical controls obligation.

The remediation cost is near-zero; the breach cost is not. Applying this month’s Microsoft patches costs operational time. A ransomware deployment via an unpatched SharePoint or RDP vulnerability costs operational time plus ransom demand plus ICO notification obligations plus client notification plus reputational damage. The asymmetry is not subtle.

Your MSP’s patch SLA is a commercial term. If your managed services agreement includes patch management, your MSP has a contractual obligation to apply critical patches within a defined timeframe. If that timeframe is not defined in your contract, it needs to be. If it is defined and not being met, that is a commercial issue, not just a technical one.

What to Do Before Close of Business Today

  1. Ask your MSP or IT provider for written confirmation that Microsoft’s July 2026 patches have been applied to all Windows systems, SharePoint servers, and AD FS infrastructure in your environment. ‘We’re working on it’ is not confirmation. A date-stamped completion report is.

  2. If you use SonicWall SMA1000 appliances, ask specifically whether CVE-2026-15409 and CVE-2026-15410 have been remediated. These are not minor updates. Unapplied, they represent an unauthenticated entry point into your network.

  3. Audit your RDP exposure. If Remote Desktop Protocol is accessible directly from the internet on any system in your environment, that needs to change regardless of patching status. Patch CVE-2026-54990 and CVE-2026-56190, then restrict RDP access to VPN-authenticated sessions only. Both steps are required.

  4. Check your patch management SLA. If your MSP agreement does not specify a timeframe for applying CISA KEV-listed vulnerabilities, add one. 14 days is the Cyber Essentials standard. 48 hours for KEV-confirmed active exploitation is a reasonable expectation.

  5. Document the conversation. If you ask your MSP about patch status today and they cannot confirm, write that down with a date and time. If a breach occurs related to an unpatched system, that documented conversation is evidence of reasonable diligence on your part and potential negligence on theirs.

The research that informed this episode is publicly available from CISA, NIST NVD, and The Hacker News. None of it requires vendor access or specialist tools to find. The gap between published vulnerability data and action taken is not an information problem. It is a process problem. Fix the process.

Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share it with someone who would find it useful. If this episode gave you something to act on, that is exactly who needs to hear it.

SourceArticle
CISA KEVKnown Exploited Vulnerabilities Catalogue: CVE-2026-56164, CVE-2026-56155, CVE-2026-15409, CVE-2026-15410
NIST NVDCVE-2026-54990: Heap-based buffer overflow in Remote Desktop Client (CVSS 9.8)
NIST NVDCVE-2026-56190: Use of uninitialized resource in Windows RDP (CVSS 9.8)
The Hacker NewsMicrosoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack
Ars TechnicaMicrosoft’s Secure Boot has been broken for a decade and no one noticed until now
NCSCCyber Essentials: Requirements for IT Infrastructure
NCSCVulnerability management: patching guidance for organisations

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • remote-access
  • business-risk
  • compliance-failure
  • incident-response