Cybersecurity Radar — 2026-07-18
Microsoft's record-breaking July 2026 Patch Tuesday unleashed 622 security flaws—including two actively exploited zero-days in SharePoint Server and Active Directory Federation Services—demanding immediate federal action. Identity-based attacks have overtaken exploits as the leading cause of ransomware breaches, while phishing campaigns now drive half of all ransomware incidents. Zero-day vulnerabilities and AI governance gaps continue to define the threat landscape as organizations race to patch critical infrastructure.
Cybersecurity Radar — 2026-07-18
🔴 Critical Alerts
Microsoft July 2026 Patch Tuesday: 622 CVEs Including 2 Exploited Zero-Days
Microsoft released its largest monthly security update on July 14, fixing 622 vulnerabilities—a record-breaking figure three times larger than June. Most critically, two zero-days are already being exploited in active attacks:
- SharePoint Server RCE (CVE actively exploited): Remote code execution flaw allowing unauthorized access
- Active Directory Federation Services (AD FS) vulnerability: Attackers leveraging this to escalate privileges and move laterally across networks
A third zero-day was publicly disclosed but not yet widely exploited. Of the total CVEs, 57 are marked "critical," making this release an urgent priority for enterprise patching.
Recommended Action: Federal agencies must patch by July 18 (CISA mandate). Organizations should prioritize SharePoint and AD FS systems first, then roll out remaining patches across all Microsoft products within 30 days. Disable RC4 Kerberos rollback if applicable to avoid service disruptions.

LegacyHive: New Windows Privilege Escalation PoC Released Post-Patch
Hours after Patch Tuesday, security researchers released a proof-of-concept (PoC) exploit for LegacyHive, a Windows ProfSvc privilege escalation flaw that bypasses the July 2026 security update. While the public PoC requires additional credentials to execute, this demonstrates attackers continue developing exploits that circumvent Microsoft patches.
Recommended Action: Monitor Windows process logs for suspicious ProfSvc activity. Implement Windows Defender Application Control (WDAC) to restrict execution of untrusted binaries. Validate privilege escalation protections are enabled on all endpoints.
Threat Landscape
Identity Attacks Overtake Exploits as Top Ransomware Cause
A significant shift in attack vectors has emerged: phishing and malicious email now account for 50% of all ransomware incidents, overtaking vulnerability exploitation. Multi-factor authentication (MFA) was deployed in 97% of credential-based attacks, yet attackers persisted through social engineering and credential harvesting.
This reflects a strategic pivot by ransomware operators toward human-centric attacks—cheaper, faster, and harder to defend than zero-day hunting. The data suggests that while technical patching remains critical, identity and access controls are now equally essential for ransomware defense.

Zero-Days, AI Governance Gaps, and Global Cybercrime Define This Week's Security Landscape
This week's threat environment reflects three converging trends: (1) accelerating zero-day discovery and exploitation windows; (2) emerging gaps in AI governance creating new attack surfaces; and (3) global cybercriminal networks leveraging nation-state tools and tactics. Threat actors are weaponizing AI-generated phishing content, deepfakes for credential theft, and automated vulnerability scanning against critical infrastructure.

Vulnerabilities & Patches
July 2026 Patch Tuesday: 622 CVEs in Microsoft Ecosystem
Breaking down the 622-CVE release:
- 57 Critical vulnerabilities (immediate exploitation risk)
- 2 actively exploited zero-days (SharePoint Server, AD FS)
- 1 publicly disclosed zero-day (details withheld to allow patching time)
- Kerberos RC4 rollback removal: Silent change that may break legacy service account authentication—test before deploying to production
The Zero Day Initiative describes this as the "bug apocalypse," with severity and complexity of fixes suggesting systemic issues in Microsoft's codebase.

Microsoft's Record 622-CVE Patch Includes Actively Exploited SharePoint Zero-Day
Orca Security's rapid response analysis confirms the SharePoint Server zero-day is being actively exploited in the wild. Cloud infrastructure teams must prioritize patching on-premises and cloud-hosted SharePoint farms. The same analysis provides CVE prioritization guidance for teams with limited patching capacity.

Breaches & Incidents
FBI Surveillance System Hack, DOGE Data Breach, Energy & Water Infrastructure Attacks Define 2026's Worst Incidents
2026 has delivered some of the most destructive breaches of the decade. High-impact incidents include:
- FBI surveillance database compromise: Unauthorized access to law enforcement tracking systems
- DOGE (Department of Government Efficiency) data breach: Massive exposure of federal employee records and intelligence
- Critical energy and water system hacking: Ransomware operators gaining access to SCADA systems controlling power distribution and water treatment
These incidents underscore the maturation of ransomware groups' targeting strategy—shifting from opportunistic breaches to coordinated attacks on critical national infrastructure.

Industry & Policy
CISA Issues Emergency Directive: Federal Agencies Must Patch Oracle E-Business Suite Flaw by Saturday
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to remediate a critical vulnerability in Oracle E-Business Suite by July 18, 2026. This represents the first emergency patch mandate of 2026, signaling the severity of the exploited flaw. Organizations not able to patch should consider disabling exposed instances or implementing strict network access controls.
July 2026 Patch Tuesday Fixes Record 570 Flaws Including Three Zero-Days
The scale of this month's Microsoft release has prompted industry-wide security reviews. The National Institute of Standards and Technology (NIST) has begun publishing guidance on prioritizing patches in environments with limited resources, emphasizing the need for automated patching infrastructure and continuity planning.
What to Watch
- Post-Patch Exploitation Window: History shows exploit code for Microsoft zero-days emerges 3–7 days after patches drop. Monitor intrusion detection systems (IDS/IPS) for shellcode signatures targeting patched flaws through August 24.
- Identity Attack Acceleration: With phishing now driving 50% of ransomware, expect credential-harvesting campaigns to intensify. Watch for macro-laden Office documents and lookalike phishing domains impersonating trusted vendors.
- AI-Powered Threat Evolution: Threat actors are embedding AI into reconnaissance tools. Expect increased detection evasion, automated vulnerability scanning, and AI-generated spear-phishing tailored to organizational hierarchies discovered via LinkedIn and company websites.
Reader Action Items
-
Patch Microsoft Systems Immediately: Prioritize SharePoint Server and AD FS systems by July 18; deploy remaining 622 patches across all Windows/Office environments by August 18. Test for Kerberos RC4 rollback impacts before production rollout.
-
Review and Strengthen Identity Controls: Conduct a multi-factor authentication audit across all critical systems. Implement passwordless authentication (Windows Hello, FIDO2 keys) where feasible. Increase monitoring of failed login attempts and lateral movement within your network.
-
Establish Incident Response Escalation for Zero-Days: Create a 24/7 escalation procedure for detecting exploitation of unpatched zero-days. Ensure your SOC has access to threat intelligence feeds tracking SharePoint and AD FS exploitation. Conduct tabletop exercises simulating a compromised SharePoint farm to validate response times.
Sources Referenced:
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.