Microsoft Fixes Record 622 Security Flaws, Two Already Used in Live Attacks
This month's update from Microsoft is the largest on record. Two vulnerabilities in widely used business software were already being exploited by criminals before a fix existed.

Key points
- Microsoft patched 622 security vulnerabilities in a single monthly update, the highest number ever recorded in one release.
- Two of those flaws were zero-days, meaning criminals were already exploiting them in real attacks before Microsoft knew a fix was needed.
- The exploited flaws affect Active Directory and SharePoint Server, both of which sit at the heart of most corporate IT systems.
- A separate bug in BitLocker, the Windows feature that encrypts data stored on a device, was publicly disclosed but not yet seen in active attacks.
Microsoft released its monthly security update this week, and the numbers are striking. Six hundred and twenty-two individual vulnerabilities patched in a single batch, as first reported by SecurityWeek. No single monthly update from Microsoft has ever carried that volume before.
Most of those fixes are routine. Two are not.
How did the criminals get in?
Both exploited flaws are zero-days, which means attackers were already using them as weapons before Microsoft had a chance to issue a repair. A zero-day gives defenders no warning and no window to act. By definition, every organisation running the affected software was exposed.
The first exploited flaw sits in Active Directory, the Microsoft system that businesses use to manage who can log in and what they can access. Think of it as the master keyring for a corporate network. A flaw here can let an attacker impersonate legitimate staff or move freely between systems.
The second sits in SharePoint Server, the Microsoft platform many organisations use to store and share internal documents. Criminals breaking into SharePoint can read sensitive files, plant malicious code, or use the server as a foothold to reach other parts of a network.
Microsoft has not publicly named the criminal groups behind either exploit. Both flaws have now been patched.
A third notable fix covers BitLocker, the Windows tool that scrambles data on a laptop or desktop so it cannot be read if the device is stolen. The BitLocker bug was publicly disclosed before the patch arrived, which puts it in a different category: attackers know it exists and have the blueprint, even if widespread exploitation has not yet been confirmed.
For ordinary employees, the immediate action is simple: let your work computer install its Windows updates now, not next week. IT departments should treat the Active Directory and SharePoint patches as urgent, not scheduled.
If you receive unexpected emails asking you to log in to a company system, or prompting you to open a document, treat them with suspicion. Criminals who break into SharePoint or Active Directory often use that access to send convincing internal-looking messages to other staff.
The record patch count is a data point worth noting. It does not mean Microsoft software is uniquely dangerous, but it does reflect how much of the world's business infrastructure runs on these products and how relentlessly criminals probe them.



