Microsoft’s July Patch Tuesday addressed 570 vulnerabilities, including 57 critical issues, while Adobe released fixes for 89 vulnerabilities across its products. Microsoft also patched three zero-days, including two vulnerabilities already exploited in attacks affecting Active Directory Federation Services and Microsoft SharePoint Server.
The scale of this month’s release — and the targeting of exposed, high-privilege infrastructure such as AD FS and SharePoint — is prompting renewed calls for organisations to prioritise remediation based on exploit activity, exposure and business risk, rather than relying on CVSS scores alone.
Mayuresh Dani, Security Research Manager at the Qualys Threat Research Unit, provided the following commentary on how vulnerability discovery is changing and how organisations should decide what to address first:
“This trend was predicted and we’re seeing the evidence of it happening now. As more advanced and frontier AI models become available, we can expect an upward trend to continue and then slow down. Companies like Adobe have moved to bi-monthly security releases to stay ahead of adversaries. Chrome and Apple have shipped patches at a much faster rate than they typically do too. What we’re observing is that AI automated fuzzing, LLM-assisted variant hunting, and static analysis at scale are discovering bugs faster than enterprises can remediate.
Organisations should:
- Move from CVSS-only prioritization to something along the lines of EPSS + CISA KEV, or the Likely Exploited Vulnerabilities model.
- Graduate to a tiered patching SLA mechanism. For example, a KEV-listed CVE or EPSS >0.5 should be patched within 24-36 hours. Your next tier is the internet-facing high-privilege infrastructure such as VPN gateways and remote admin console. Such classifications should be done per organization. Gone are the days where everyone just depended on the CVSS score.
- In the meantime, introduce attack surface reduction and mitigation mechanisms. Services such as AD FS exposed to the internet, SharePoint on-premises with public access, and remote management tools reachable from anywhere should be tackled first before the patching begins.
- Improve patching practices, where it is easier to validate a patch, monitor installs and system stability on a select group with automated rollback support. Such approved patches should then be pushed to all required systems.”
The full Qualys July 2026 Patch Tuesday analysis, including details of the most critical vulnerabilities and available mitigations, is available here: https://blog.qualys.com/vulnerabilities-threat-research/2026/07/14/microsoft-and-adobe-patch-tuesday-july-2026-security-update-review

