Microsoft Rated Its Own Exploited Flaw ‘Medium’. Stop Trusting Vendor Severity Scores

by Rebecca Sutton

Microsoft rated its own SharePoint flaw, CVE-2026-56164, as 5.3 out of 10. Medium severity. The National Vulnerability Database rated the same bug 9.8. Critical. It’s now on CISA’s Known Exploited Vulnerabilities catalogue, because attackers were already using it before anyone patched it. That gap between a vendor’s own vulnerability severity ratings and the reality of active exploitation is the real story buried in this month’s record-breaking Patch Tuesday. It should worry any business that still prioritises patches by CVSS number alone.

A record month, and not for a good reason

Microsoft shipped fixes for somewhere between 570 and 622 vulnerabilities this July. Counts vary by outlet, but it’s the company’s largest release in years. Two flaws were already being exploited when the patches landed. The SharePoint bug above lets an unauthenticated attacker elevate privileges over the network, with no credentials or user interaction needed. CISA has given it a remediation deadline of 17 July. The second is an Active Directory Federation Services elevation flaw, CVE-2026-56155. It needs prior access, but Microsoft’s own DART incident-response unit found it, usually a sign a bug turned up during a live investigation rather than routine research. Its CISA deadline is 28 July.

Around 60 more of this month’s fixes were rated critical. Roughly 250 more are elevation-of-privilege bugs, the kind attackers chain together once they already have a foothold. Microsoft’s explanation for the sheer volume comes from executive vice president Pavan Davuluri. AI tools, he says, are finding more issues, faster, across more code. Fair enough. But the same AI acceleration that finds bugs also weaponises them, and Microsoft’s own severity ratings don’t seem to have caught up yet.

Why vulnerability severity ratings are the weak point now

Tenable’s Satnam Narang put his finger on the actual problem. Flaws that vendors rate “unlikely to be exploited” are no longer safe to deprioritise. AI tools can turn a proof-of-concept into a working exploit far faster than that rating assumed. Anthropic’s own red team proved the point. It built working exploits for 13 of 14 vulnerabilities that Microsoft had rated unlikely to be exploited. Thirteen out of fourteen isn’t a rounding error. It’s evidence that a comfortable old assumption has quietly stopped holding: that a low-likelihood rating buys you time before you have to patch.

Businesses that build patch schedules around vendor severity labels are trusting a rating system the rating-makers themselves now call unreliable. That’s not a dig at Microsoft specifically. Every major vendor scores its own bugs. But each one has an incentive, even an unconscious one, to avoid rating its own product a 9.8 when a 5.3 reads better in a release note. Adobe patched 88 separate CVEs across twelve bulletins this month and moved to a bimonthly release schedule just to keep up with its own volume. The problem isn’t one company having a bad month. It’s an industry whose vulnerability severity ratings were built for a slower kind of attacker.

To be fair, ratings aren’t worthless. CVE-2026-57092, a 9.9-rated remote code execution flaw in Windows VMSwitch, is the highest-scored bug this month. As far as anyone has reported, nobody is exploiting it yet. A high score sometimes does mean what it says. The problem is you can’t tell in advance which score will hold. SharePoint’s supposedly medium bug is already being used against real networks.

What actually holds up

Two things are worth trusting more this month than vendor vulnerability severity ratings alone. The first is CISA’s Known Exploited Vulnerabilities catalogue. It only lists flaws confirmed to be under real attack, not ones that are merely theoretically exploitable. The second is independent verification of your own environment. A KEV listing tells you a bug is dangerous somewhere. Still, it doesn’t tell you whether your SharePoint deployment, specifically, is exposed, patched correctly, or sitting behind compensating controls that already blunt the risk.

That’s where an external check earns its keep. A penetration test doesn’t read a vendor’s severity label and take it on faith. It tries the exploit path against your actual configuration and tells you whether it works. For SME IT teams without the time to independently verify every “medium” rating this month, that’s a more honest signal than another number from the vendor that built the product. It’s also a smaller, more defined piece of work than most owners assume before they call a penetration testing company.

The takeaway

So patch the two known-exploited flaws this week regardless of what their labels say: CVE-2026-56164 in SharePoint, and CVE-2026-56155 in AD FS if your organisation uses federated identity. Then stop assuming next month’s “unlikely to be exploited” bug will stay that way. The vendors publishing those vulnerability severity ratings are now telling you, in public, that they can’t always keep up. A business that only patches by score is trusting a system its own maker no longer fully trusts.

Subscribe to our newsletter

Honest updates, straight to your inbox. Unsubscribe any time.

You may also like