Patch Tuesday · July 2026

July 2026 Patch Tuesday: what UK businesses need to know.

July 2026's Patch Tuesday release covers a broad set of Windows, Office, Exchange and remote-access vulnerabilities. The common thread is realistic exploitation from everyday user actions — opening email, browsing, or connecting to a corporate desktop.

Executive summary

A summer release with heavy endpoint, identity and remote-access risk.

July 2026's Patch Tuesday release covers a broad set of Windows, Office, Exchange and remote-access vulnerabilities. The common thread is realistic exploitation from everyday user actions — opening email, browsing, or connecting to a corporate desktop.

  • Risk theme: Remote Desktop Protocol RCE
  • Risk theme: Windows authentication bypass
  • Risk theme: Exchange Server elevation of privilege
  • Risk theme: Office / Outlook parser flaws
Vulnerabilities remediated

The issues that move the needle this month.

We have focused on the categories with realistic exploitation paths for UK SMEs and regulated firms. Always cross-check with Microsoft's Security Update Guide and your own asset inventory before deployment.

Remote Desktop Protocol remote code execution

A flaw in the RDP stack allows an unauthenticated attacker to run code on a reachable system without user interaction. With remote and hybrid working still the norm, any exposed RDP endpoint is a front-door compromise risk.

Windows authentication bypass

A vulnerability in a Windows authentication component could allow an attacker to bypass identity checks or downgrade protections. For firms relying on Active Directory or hybrid Entra ID, this undermines the trust model that the rest of the estate depends on.

Exchange Server elevation of privilege

An authenticated attacker on a vulnerable Exchange instance can escalate to higher privileges. On-premises Exchange remains one of the most scanned and exploited targets for UK SMEs and regulated firms.

Office and Outlook parser flaws

Multiple document and email parsing issues could execute code when a file is previewed or opened. Phishing campaigns weaponise this type of flaw quickly because it turns a user mistake into an initial foothold.

Affected systems

Where the risk lives.

  • Windows 10, 11 and Server (2016–2025)
  • Remote Desktop Services and RDS gateways
  • Exchange Server (on-premises and hybrid)
  • Microsoft Office, Outlook and Microsoft 365 Apps
Known deployment issues

What to watch for when rolling out.

  • RDP patch caused a small number of thin-client and older Wyse terminals to fail negotiation until firmware was updated.
  • Exchange cumulative update required a re-run of Setup /PrepareSchema in some hybrid environments.
  • Outlook update temporarily changed the default attachment preview behaviour for some users; a profile rebuild restored the previous setting.
  • Office update required a full restart of Teams and any embedded WebView2 applications to load the latest parser fixes.
Pros of deploying
  • Closes a pre-authentication RDP path — a favourite vector for ransomware and brute-force operators.
  • Strengthens identity plumbing, reducing the risk of lateral movement after any initial foothold.
  • Exchange fix protects the most common high-value target in SME environments.
Cons / trade-offs
  • RDP and RDS gateway reboots require careful scheduling for remote workforces.
  • Exchange updates remain operationally heavy and need DAG sequencing in clustered environments.
  • Office parser changes can disrupt third-party add-ins and document workflows.
Hints & tips for a successful deployment

How experienced teams roll these out without drama.

  • Patch internet-facing RDP and RDS gateways first, or move them behind a VPN / gateway service if they are not already.
  • Confirm RDP is not exposed directly to the internet; use a VPN or remote-desktop gateway and enforce account lockout and MFA.
  • Apply Exchange updates in DAG order; verify mail flow, OWA and ActiveSync before moving to the next node.
  • Run an Office pilot on finance, legal or clinical teams before broad rollout — these users stress document parsers the hardest.
  • Force a full restart of Outlook and Teams after deployment; browser-style updates do not fully load while processes are suspended.
How Secure Chain helps

Advice, guidance, or full remediation — your call.

Whether you want a second pair of eyes on this month's release or you would rather hand the entire patching cycle to us, Secure Chain Technology Group can support at any level of involvement.

  • Advisory: a prioritised briefing mapped to your estate and risk appetite, with recommended rollout rings.
  • Guided deployment: we work alongside your IT team — test plans, rollback procedures and change-management evidence.
  • Fully managed remediation: we deploy, validate and report on every patch through our Vulnerability Management-as-a-Service (VMaaS) and Patch Management services.
  • Compliance evidence: reporting aligned to Cyber Essentials Plus, ISO 27001 and DSPT requirements.
← All Patch Tuesday briefings

Always verify against the official Microsoft Security Update Guide and your own asset inventory before deployment.