Cybersecurity · Wednesday, 15 July 2026
01 · Briefing · what happened
Microsoft shipped a record patch load — nearly triple last month's — and AI is why
July's Patch Tuesday fixed 570 to 622 flaws depending on how you count, almost three times June's record, with three zero-days already under attack. Microsoft blames AI-driven flaw discovery. The finding got faster; the fixing didn't.
Key takeaways
- Microsoft's July Patch Tuesday fixed a record load of flaws — 570 to 622 depending on the count, nearly triple last month — and it blames AI tools that now find bugs far faster than before.
- Three of the flaws are zero-days and two are already being exploited; one is in SharePoint, which the US cyber agency CISA warned about the same day. Let your devices auto-update.
- The lasting shift: finding flaws got fast, but fixing them across millions of machines stayed slow — so the backlog of known, unpatched holes is now the real exposure.
The biggest patch day on record
On Tuesday, Microsoft released fixes for a record-smashing pile of security flaws — 570 by BleepingComputer’s and Krebs on Security’s count, which includes only what Microsoft shipped that day, or 622 across its full product suite by SecurityWeek’s and CyberScoop’s tally
Nearly 60 of the flaws are rated “critical” — meaning an attacker could seize remote control of a Windows machine with little or no help from the user
Dustin Childs, who tracks flaws at Trend Micro’s Zero Day Initiative, called it “the mother of all releases” and noted the year’s flaw count already exceeds every previous year’s total
Why the flood: AI finds bugs faster than people fix them
Microsoft attributes the surge to vulnerability discovery aided by artificial intelligence
But the discovery side and the repair side move on different clocks. Finding flaws got cheap and fast; applying fixes across millions of machines did not. Every organisation now faces a longer list of known holes than it can close in a month — so it must choose which to patch first and let the rest wait. Dark Reading framed Tuesday as a preview of the “prioritization challenges” defenders now face
Three zero-days already being used
Three of the flaws are zero-days, and two are already being exploited in live attacks
The SharePoint flaw isn’t hypothetical. The same day, CISA — the US cyber-defence agency — urged organisations to harden their on-premises SharePoint servers, saying it is aware of active exploitation letting attackers gain unauthorized access
Not just Microsoft — the whole industry patched at once
Tuesday is an industry-wide ritual, and this week the pile stacked up. Adobe issued fixes for 88 flaws across 12 products, including eight critical bugs in ColdFusion rated top priority
The angle for you. If you run Windows, let automatic updates install and restart when prompted — the two flaws under active attack are the kind that turn a small foothold into full control, and the patch is the fix. Same for your Mac, phone, and browser: the flood makes “I’ll update later” the most expensive habit in security, because the flaws are public and the attackers are already moving. You don’t need to know which CVE is which. You need the update to land.
What this changes
The one-off record isn’t really the story. The structural shift is: AI has permanently raised the rate at which flaws are found, on both sides of the fence — defenders and attackers use the same tools. Discovery will keep climbing. Repair capacity won’t climb to match, because patching a fleet of machines is slow, careful, human work that AI doesn’t speed up the same way. The growing pile of known-but-unpatched flaws — not any single secret bug — is where the risk now pools.
02 · Lesson · why it matters
Why finding flaws faster can leave you more exposed, not less
When you spot problems faster than you can fix them, the danger stops being the hidden flaw and becomes the pile of known ones you haven't gotten to.
Two numbers that don’t add up
Microsoft fixed a record load of security flaws this week — somewhere between 570 and 622, depending on how you count, and nearly triple the month before. The reason isn’t that its software suddenly got worse. It’s that finding flaws got faster. Artificial intelligence can now read through code and surface weak points at a speed no human review team could match.
That sounds like good news. More flaws found means more flaws fixed, means safer software. But sit with the two numbers underneath the headline. The rate of finding just tripled. The rate of fixing — the slow, careful work of testing a patch and installing it across millions of machines — did not. And when one of those numbers races ahead of the other, something quietly piles up in between.
A flow and a stock
Think of it as water. Discovery is a tap: flaws found per month. Repair is a drain: flaws actually patched, everywhere, per month. As long as the drain keeps up with the tap, the sink stays empty and nobody drowns. The whole system of security rested, for years, on that rough balance — finding was hard enough that fixing could keep pace.
AI opened the tap wide. The drain didn’t get any bigger, because installing patches is human work — someone has to test that the fix doesn’t break the accounting system, schedule the downtime, restart the servers. AI reads code fast; it doesn’t make a company willing to reboot its payroll server on a Tuesday afternoon.
So the sink fills. Not with unknown dangers — with known ones. Flaws that have been found, announced, and patched by the maker, but not yet installed by the people who need them. That growing pool of known-but-unfixed holes is a new thing, and it is the thing to watch.
You get breached by the flaw everyone knew about
Here is the part that flips the intuition. We picture a breach as the work of a secret weapon — some flaw no one saw coming. Most of the time it isn’t. Most of the time, the attacker walks in through a hole that was found months ago, announced publicly, and patched by the vendor — on a machine where nobody applied the patch.
The public announcement is the map. It tells defenders where to fix, and it tells attackers exactly where to look. Two of this week’s flaws were already being used in real attacks before most organisations had patched them — one in SharePoint, the document server many companies run. The US cyber agency put out an alert the same day. Those flaws live in the gap between “announced” and “installed everywhere,” and that gap is where the attacks happen. The wider the pile of unpatched-but-known flaws, the more doors are standing open with a sign pointing at each one.
Triage means something is always left open
Faced with 570 flaws from Microsoft in one week — plus 88 from Adobe, plus critical ones from SAP, plus everyone else’s — no team can fix them all at once. So they do the only rational thing: they triage. Patch the worst first, the ones being actively exploited, the ones on the most exposed machines. The rest wait.
But “the rest wait” is not a neutral phrase. Every flaw you deprioritise stays open. Triage doesn’t clear the pile; it just chooses which parts of the pile to leave for later. And “later” is exactly the window an attacker needs. The faster the tap runs, the longer the queue, the more that gets left for a later that may not come before someone tries the door.
The arrangement nobody redesigned
None of this is anyone’s villainy. The model we’ve used for decades — find a flaw, tell the vendor, ship a patch, users install it — was built for a world where the first step was slow and costly. That slowness was doing quiet work: it kept the tap small enough for the drain to matter. It set the terms everything downstream lived under, and it looked like just how security works.
AI removed the slowness from finding. It did not remove it from fixing, and it can’t — the bottleneck there isn’t discovery, it’s the human decision to interrupt a working system to repair it. So the balance the old model depended on is gone, and nobody deliberately replaced it with a new one. The flood isn’t a bad month. It’s the shape of things now, and the fixing side was never built for it.
Where you sit in the pile
This isn’t a story about distant server rooms. Your phone, your laptop, your browser, the bank that holds your money — each is a machine sitting in someone’s patch queue, including your own. The “I’ll update later” you clicked past is you, personally, holding one of those known doors open a while longer. The habit felt harmless when finding flaws was slow. It isn’t anymore.
And no one seat sees the whole pile. Microsoft can ship the fix but can’t install it on your laptop. Your bank can patch its servers but not the vendor software it runs. CISA can warn but not reach every machine. Each defender closes the doors they can reach, and none of them can see, let alone shut, all of them at once. The gap between what’s known and what’s fixed is now bigger than any single hand can close — which is worth remembering the next time a headline makes it sound like one company’s patch made everyone safe. It shipped. Whether it landed is a hundred million separate decisions, and one of them is yours.
03 · Lab · your turn
The Patch Queue
Rehearse a fixed repair rate against a rising flood of flaws, and feel the backlog itself become the exposure.
04 · Hope · carry this
A flood of flaws sounds like bad news, but every one in it was found and named — dragged into the light before an attacker had it alone. The doors were always there; the difference now is that they're marked, and marked doors get closed, sooner or later, by people whose quiet work is closing them.
More from Cybersecurity