Intelligence
criticalVulnerabilityActive

Microsoft's Record 622-Vulnerability Patch Cycle Reveals Active Exploitation of Directory and Collaboration Tiers

Microsoft released patches for 622 vulnerabilities in a single cycle, including two zero-days already exploited in the wild affecting Active Directory and SharePoint Server, plus a publicly disclosed BitLocker flaw. The scale and active exploitation indicate broad attack surface across enterprise authentication and document collaboration infrastructure.

S
Sebastion

Affected

Microsoft Active DirectoryMicrosoft SharePoint ServerMicrosoft BitLocker

Microsoft's release of 622 patches in a single cycle represents the largest volume on record, with particular concern attached to two zero-day vulnerabilities already exploited in production environments. The targeting of Active Directory and SharePoint Server indicates adversaries are prioritising authentication and content collaboration layers over traditional endpoint attack surfaces, reflecting a strategic shift toward compromising identity stores and document repositories where defenders typically maintain weaker detection capabilities.

The active exploitation of these flaws before public disclosure suggests either targeted nation-state activity or widely-used exploit infrastructure circulating among criminal groups. Active Directory attacks are particularly consequential because successful compromise enables lateral movement, token theft, and persistence mechanisms that defeat endpoint-focused defences. SharePoint Server compromise similarly grants access to sensitive organisational documents and can serve as a distribution point for further attacks. The public disclosure of the BitLocker vulnerability compounds the risk by potentially enabling offline attacks against encrypted volumes.

Organisations running affected versions face immediate risk from opportunistic and targeted attackers. The volume of patches suggests Microsoft prioritised critical fixes, but organisations must distinguish between the two exploited zero-days and the remaining 620 vulnerabilities to sequence remediation appropriately. Patching Active Directory and SharePoint infrastructure often requires careful staging to avoid service disruption, creating a window where systems remain exposed during the application phase.

Defenders should prioritise network monitoring for exploitation indicators related to Active Directory authentication anomalies and SharePoint access patterns. Threat intelligence teams should monitor for public exploit code release and correlate patch timing with observed incident response activity at client organisations. The breadth of the patch set suggests either a compressed release cycle following delayed disclosure or a systematic review that identified numerous additional vulnerabilities alongside the exploited zero-days.

The record patch volume and active exploitation pattern reflects a maturing threat environment where identity infrastructure and collaboration platforms have become primary targets. Organisations should treat this cycle as a forcing function to audit their Active Directory and SharePoint configurations, implement additional authentication controls such as MFA enforcement, and strengthen monitoring of these critical systems. The exploitation timeline between initial discovery and public awareness is unclear, meaning organisations may already be compromised without detection.

Sources