July 2026 Patch Tuesday: Three Exploited Flaws and What Financial Institutions Patch First

Justin Kirsch | | 17 min read
July 2026 Microsoft Patch Tuesday triage for financial institutions: three exploited CVEs and the SharePoint Server flaw with a Sunday federal deadline

It is Friday. Between now and Monday, whoever handles patching at your institution has maybe a dozen usable hours to spend on Microsoft's July security release. Where those hours go matters far more than how many of them there are.

Microsoft's July 2026 release includes more than a dozen CVEs rated CVSS 9.0 or higher. Three vulnerabilities in it are under active exploitation right now. They are not the three you would pick by score, and several of the loudest numbers on the list are not your team's work at all.

This is a triage problem, not a volume problem. What follows is the order we would work it, and why, with every date and score traced to Microsoft's own July 2026 security update data and CISA's live Known Exploited Vulnerabilities catalog.

Three Flaws Are Being Exploited Right Now

Microsoft's Security Update Guide flags three CVEs in the July release as Exploitation Detected: attacks are happening, not predicted. All three are on CISA's Known Exploited Vulnerabilities catalog, each with its own federal remediation deadline.

Those two facts reinforce each other, and it is worth knowing why. CISA publishes three thresholds a vulnerability must clear before it enters the KEV catalog: it has an assigned CVE ID, there is a clear remediation action such as a vendor update, and there is reliable evidence that the vulnerability has been actively exploited in the wild. A KEV listing is not a watchlist or a severity ranking. It is CISA stating that someone is already using this against real targets. When Microsoft's own exploit status and a KEV listing agree, the question of whether to patch is settled, and the only open question is the order.

CVEWhat it isCVSSAdded to KEVFederal due date
CVE-2026-58644Microsoft SharePoint remote code execution9.8July 16, 2026July 19, 2026 (Sunday)
CVE-2026-56164Microsoft SharePoint Server elevation of privilege5.3July 14, 2026July 17, 2026 (today)
CVE-2026-56155Active Directory Federation Services elevation of privilege7.8July 14, 2026July 28, 2026

Two of those three are SharePoint Server. The third is the identity layer. Notice what is missing from the table: not one of the CVSS 9.9 vulnerabilities in this release appears on it.

One note if you are working from reporting published earlier this week: most coverage named only two exploited CVEs, which was accurate when it was written. CVE-2026-58644's exploited status and its KEV listing both landed on July 16, after that cycle closed. If your patch plan came from a Tuesday summary, the month's highest-severity actively exploited flaw is not in it. As our June 2026 Patch Tuesday breakdown for financial institutions showed, exploit status is a moving target for the whole week after release, not a fact you read once on Tuesday.

July 2026 Patch Tuesday triage map for financial institutions: Microsoft services Azure OpenAI CVE-2026-45499, Microsoft Entra Provisioning Service CVE-2026-57100, and Microsoft 365 Copilot CVE-2026-41106 with no KB to deploy, while institutions must patch Microsoft SharePoint Server CVE-2026-58644 and CVE-2026-56164 and Active Directory Federation Services CVE-2026-56155, all three exploited, plus Windows VMSwitch CVE-2026-57092, Microsoft Exchange Server CVE-2026-55008, and the Microsoft 365 Copilot mobile app CVE-2026-48561 via Microsoft Intune.
The July 2026 release sorted by who owns the fix. The three CVSS 9.9 flaws are split across both columns, which is why sorting by score sends a team to the wrong work.

With the map in front of you, the sequencing question mostly answers itself. Work the right column, in deadline order, starting with the one item on it whose clock runs out before Monday.

The federal clock on CVE-2026-58644 runs out Sunday

CISA added CVE-2026-58644 to the KEV catalog on Thursday, July 16, 2026, with a remediation due date of Sunday, July 19. Be clear about whose deadline that is: it binds federal civilian agencies, not your bank or credit union. Treat it as the best available read on how fast the people with the threat intelligence think this needs to be gone. It is a three day window that runs out over a weekend, and the exploitation does not pause for your change-control calendar. If your institution runs SharePoint Server on-premises or hybrid, this is the weekend's job. It is not the only July item on a short clock, since CVE-2026-56164 carries a federal deadline of today, but at CVSS 9.8 it is the most severe of the three.

CVE-2026-58644: The One With a Sunday Deadline

CVE-2026-58644 is a remote code execution vulnerability in Microsoft SharePoint, rated CVSS 9.8. CISA's catalog entry describes it in one sentence: "Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network."

Every word in that sentence is load-bearing, and Microsoft's own CVSS vector says the same thing in machine-readable form: AV:N/AC:L/PR:N/UI:N. Attack vector network. Attack complexity low. Privileges required: none, so the attacker needs no account on your system. User interaction: none, so nobody at your institution has to click anything for this to work. The same vector carries E:F and RC:C, Microsoft's notation for functional exploit code and confirmed reporting. CISA classifies the weakness as deserialization of untrusted data, catalogued as CWE-502; Microsoft titles it remote code execution. Both are accurate: the deserialization bug is the mechanism, code execution on your server is the result.

One thing the record does not say: CISA lists this CVE's known ransomware campaign use as "Unknown." That is CISA recording that it does not know, which is not the same as a clean bill of health and not the same as confirmed ransomware use. Take the field at face value and do not let anyone sell you either reading. The case for patching this weekend does not need the embellishment.

First question: which SharePoint are you actually running?

CVE-2026-58644 and CVE-2026-56164 affect Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. SharePoint Online is not among the affected products for either. If your institution moved fully to SharePoint Online and retired the on-premises farm, neither is your work this weekend. If you kept a server for a legacy document workflow, a records archive, or an application that never got migrated, it is.

Then be honest about what that server holds. At a bank, a credit union, or a mortgage company, the farm nobody migrated is usually the one still holding loan files, board packets, vendor management documentation, and audit workpapers. CISA's own description of CVE-2026-58644 is that it lets an unauthorized attacker execute code over a network. On that farm, that is not a server problem. It is a nonpublic information problem, and it raises the question the patch itself cannot answer: whether anyone reached it before you did.

The security updates for CVE-2026-58644 ship as KB5002880, KB5002874, and KB5002873. Which one applies depends on your SharePoint version and build. No registry surgery, no workaround: install the update that matches your farm.

This is also not the first time SharePoint Server has been the story this month. CISA has added it to the KEV catalog three separate times in the first 16 days of July 2026: CVE-2026-45659 on July 1, CVE-2026-56164 on July 14, and CVE-2026-58644 on July 16. We covered the first in our breakdown of the SharePoint Server RCE cluster. The catalog does not tell you whether one actor or several are behind these, and we are not going to guess. What it does tell you is the rate: three separate on-premises SharePoint flaws crossed CISA's evidence-of-exploitation bar inside sixteen days. Whoever is doing it, on-premises SharePoint is worth somebody's time right now, which is a strong argument for asking a harder question than "did we patch it": why is this server still on-premises at all?

Not sure which of your servers are exposed?

The institutions that will close this one by Sunday are the ones that already knew they ran SharePoint Server on-prem before Thursday. A Security Grade scan tells you what you are actually running before the next KEV entry lands. And for the days between a KEV listing and a finished deployment, Guardian MxDR is what watches the exposed server while the patch is still pending.

The Two That Do Not Look Like Emergencies

The other two exploited CVEs would not survive a triage meeting that ranks by score. One is a 5.3. The other is a 7.8 in a product many institutions forgot they still run. Both are being exploited today, and both carry KEV deadlines.

CVE-2026-56164 is a Microsoft SharePoint Server elevation of privilege vulnerability with a CVSS base score of 5.3. CISA names the weakness "Missing Authentication for Critical Function." It went on the KEV catalog on July 14 with a due date of today, July 17.

A 5.3 is the kind of score that gets deferred to next quarter's maintenance window. It reads as medium. It reads as "we will get to it." Meanwhile, three vulnerabilities in this same release scored 9.9, and none of them is known to be exploited. Note the wording, because it matters: Microsoft records these as not detected in attacks, which is a statement about what has been observed, not a guarantee about what is happening everywhere. That is exactly why it can change on a Thursday afternoon, as CVE-2026-58644 just did.

Key Takeaway

A CVSS 5.3 is under active exploitation while three CVSS 9.9s in the same release are not known to be. CVSS measures the theoretical severity of a flaw if someone exploits it. It does not measure whether anyone is. Exploitation status is the variable that separates a real emergency from a scheduled maintenance item, and it is the one your triage should sort on first.

This is not an argument for ignoring CVSS. It is an argument about what you sort on first. Score tells you how bad it would be. KEV tells you it is already happening. When those two signals disagree, and this month they disagree loudly, the one describing the present tense wins.

CVE-2026-56155 is an Active Directory Federation Services elevation of privilege vulnerability, CVSS 7.8, exploited, added to KEV on July 14 with a due date of July 28. CISA names the weakness "Insufficient Granularity of Access Control."

ADFS is the one on this list most likely to be quietly load-bearing. For a lot of credit unions, banks, and mortgage companies that have otherwise moved to the cloud, ADFS is the last on-premises identity component still standing: the box that federates authentication to Microsoft 365 and to a handful of line-of-business applications nobody ever rewrote. It rarely gets touched precisely because it works. An elevation of privilege flaw in the component that vouches for who your users are deserves a harder look than its 7.8 suggests.

One operational detail here saves real time, and it is not obvious from the CVE record: the ADFS fix does not ship as a standalone ADFS package. It is delivered inside the Windows Server security updates and monthly rollups, mapped to Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. If your team goes looking for an ADFS patch to download, they will not find one and they will lose an hour to the search. Patch the underlying Windows Server and the fix comes with it. The July 28 due date leaves room to do that through a normal change window, which is the whole point of the tiering covered below. Our May 2026 Patch Tuesday analysis of the Netlogon and DNS flaws made a similar point about where fixes actually live versus where teams expect to find them.

The Biggest Numbers May Not Be Your Work

The highest-scoring vulnerabilities in this release are the ones most likely to land in a board summary or a vendor's scary-headline email this week. Three of them name Microsoft-operated cloud services as their affected product:

  • CVE-2026-45499, CVSS 9.9, affected product Azure OpenAI
  • CVE-2026-57100, CVSS 9.9, affected product Microsoft Entra Provisioning Service
  • CVE-2026-41106, CVSS 9.3, affected product Microsoft 365 Copilot

Here is what is observable in Microsoft's data, stated precisely: each of these three names a Microsoft-operated service as the affected product, and Microsoft publishes no KB or security update entry for any of them. There is no package to deploy, because these are not products installed in your environment. The on-premises CVEs in the same release all carry Security Update entries with KB numbers. These carry none.

We will stop short of the stronger claim you will see elsewhere. An absent KB is not affirmative proof that no action of any kind is required in your tenant, since a configuration change or tenant-side setting would not appear as a KB either. What we can tell you is that there is nothing to deploy, and that the authority for your environment is each CVE's entry in Microsoft's Security Update Guide. Check it. Do not let a 9.9 with no KB consume your Saturday on the assumption that a number that large must be your problem.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

The split that matters in any Patch Tuesday is not critical versus important. It is "Microsoft services this" versus "you deploy this." ABT manages the Microsoft 365 tenants of 750+ financial institutions, and the most common way we see a patch weekend get wasted is a team chasing the highest number on the list into a product they do not operate. Sort the release by affected product before you sort it by score.

Source: Microsoft Security Update Guide, July 2026 release

Now the trap. CVE-2026-48561 is titled "Microsoft Copilot Remote Code Execution Vulnerability," CVSS 9.6, and it is absolutely your work. It looks like it belongs in the list above. It does not.

Microsoft's affected products for CVE-2026-48561 are Microsoft 365 Copilot for Android and Microsoft 365 Copilot for iOS. The mobile apps. Its remediation entries point to the Google Play Store and the Apple App Store. If you have deployed the Microsoft 365 Copilot mobile app to staff devices, that app needs updating, and on managed devices you push it through your mobile device management tooling, which for most of our clients means Microsoft Intune.

The word "Copilot" in a CVE title tells you nothing about whether you have work to do. Read the affected products field, every time.

There is a second counterexample, and it is the one that keeps this section honest. CVE-2026-57092, Microsoft Windows VMSwitch elevation of privilege, is a CVSS 9.9. It ties for the highest score in the entire July release, and it is entirely your work. VMSwitch is the Hyper-V virtual switch, so if you run Hyper-V anywhere in the institution, this one arrives through your ordinary Windows Server updates and Microsoft ships nine KBs for it across Windows Server 2019 through 2025. Microsoft rates it "Exploitation Less Likely," so it is not a weekend item. But if you took "the 9.9s are Microsoft's problem" as a rule rather than a coincidence of which three products drew the top score this month, you would skip it. Two of this month's three 9.9s are Microsoft's to fix. The third is yours.

Rounding out the list: three more high scorers that are yours to patch and are not under exploitation. CVE-2026-55008 (Microsoft Exchange Server spoofing, CVSS 9.6), CVE-2026-50522 (Microsoft SharePoint remote code execution, CVSS 9.8), and CVE-2026-55040 (Microsoft SharePoint Server security feature bypass, CVSS 9.1) are rated "Exploitation More Likely" by Microsoft, and none is on the KEV catalog. That rating is Microsoft's forecast, not a report. These are your next change window, not your weekend, though the two SharePoint items are worth folding into the CVE-2026-58644 outage.

The Directive Everyone Cites Was Revoked Five Weeks Ago

If you have read any patch management guidance in the last four years, you have read about BOD 22-01, the November 2021 CISA directive that created the KEV catalog. It is in vendor whitepapers, in audit checklists, and in a great deal of security content published this week.

It has been revoked since June 10, 2026.

This Directive supersedes and hereby revokes BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems (April 29, 2019), and BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (Nov. 3, 2021).

Released June 10, 2026. CISA's directives index now lists BOD 22-01 as "(Revoked)."

The KEV catalog did not go away. The directive that created it did, and the replacement changed how remediation urgency gets set. Under BOD 26-04, urgency is risk-based, driven by four variables:

  • Asset Exposure. Is the vulnerable asset publicly exposed?
  • KEV Status. Is the CVE on CISA's KEV catalog?
  • Exploit Automation. Can an adversary automate all the steps needed to exploit it?
  • Technical Impact. Does an adversary gain partial or total control of the asset?

The directive also specifies that "Days are calendar days," which is why a three day window that opens on a Thursday closes on a Sunday and not on Tuesday.

Here is the part most summaries get wrong. These timelines are tiered, not uniform. The shortest windows apply only to the highest-risk combinations of those four variables. Being listed on the KEV catalog does not by itself impose a three day deadline. Anyone telling you "CISA now requires three day patching" has compressed a risk-tiered table into a headline.

You do not have to take our characterization on faith, because the tiering is observable in this month's own KEV data. Three Microsoft CVEs, all added within 48 hours of each other, all actively exploited, three different windows:

  • CVE-2026-56164: added July 14, due July 17. Three days.
  • CVE-2026-58644: added July 16, due July 19. Three days.
  • CVE-2026-56155: added July 14, due July 28. Fourteen days.

Same catalog, same week, same exploited status, and the ADFS flaw gets nearly five times the runway. That is the risk tiering doing its job.

CISA does not publish its reasoning per entry, so we will not tell you exactly how it set each date. But there is a pattern in Microsoft's own CVSS vectors worth learning to read, because whatever CISA did, this is the logic your own triage should copy. The two three-day items are both AV:N/PR:N: attackable over a network, no credentials required. The ADFS flaw is AV:L/PR:L: local attack vector, and the attacker already needs some privileges. Those are the same dimensions BOD 26-04 names, exposure and automatability, and they track the deadlines exactly. That is the useful takeaway even if the causation is ours to infer: a flaw a stranger can reach anonymously is a different emergency than one that requires a foothold you already have. Sort on reachability, not on score.

One caveat worth stating plainly, because it decides what you do next: AV:N describes the flaw, not your building. It means the vulnerability is attackable over a network, not that your particular server is sitting on the public internet. Whether your SharePoint farm is actually reachable from outside is a fact about your environment that no CVE record can tell you, and it is the single thing most worth knowing before Sunday. BOD 26-04 says as much when it puts the obligation on stakeholders to evaluate "each asset's internet exposure." That is step one below for a reason.

CVE-2026-58644's own KEV record makes the connection explicit, instructing agencies to ensure "compliance with CISA's BOD 26-04" and noting that "Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."

Now the honest part, and you should hear it from us rather than from an examiner. BOD 26-04 and the revoked BOD 22-01 bind U.S. Federal Civilian Executive Branch agencies. They are not binding on private banks, credit unions, or mortgage companies. Sunday is not your legal deadline. Nobody from CISA is going to fine your institution on Monday.

That is not the argument. The argument is that the KEV catalog has quietly become the closest thing the industry has to a published, government-maintained list of "these are being used against people right now." Examiners read it. Cyber insurance underwriters read it. Plaintiffs' counsel reads it after an incident. And there is no good version of the sentence you would have to say afterward: the vulnerability was publicly known, federally listed as actively exploited, a patch existed, and we did not apply it. Not binding is not the same as not accountable.

What to Patch First, and in What Order

Here is the order we would work this release at an institution running an on-premises SharePoint farm and ADFS, sequenced by exploitation status and deadline rather than by score.

1
Inventory

Confirm whether you run SharePoint Server on-premises or hybrid, and whether ADFS is still in the authentication path. Thirty minutes here saves the weekend.

2
SharePoint

Apply KB5002880, KB5002874, or KB5002873 as matched to your farm for CVE-2026-58644, and take CVE-2026-56164 in the same outage. Both are exploited today.

3
Fold In

The farm is already down for step 2, so fold in the not-yet-exploited SharePoint fixes, CVE-2026-50522 and CVE-2026-55040. Neither would justify a weekend outage on its own. You are taking the outage anyway: one outage, four CVEs closed.

4
Schedule ADFS

Book the Windows Server update carrying CVE-2026-56155 into a change window before July 28. That date is its federal KEV deadline, and it is the only item here still carrying one.

5
Normal cycle

Everything else rides your usual process, with no federal clock: Exchange CVE-2026-55008, Windows VMSwitch CVE-2026-57092 on any Hyper-V host, and the Microsoft 365 Copilot mobile app update for CVE-2026-48561 pushed through Intune.

Steps 1 through 3 are this weekend. Steps 4 and 5 are next week, on purpose, through your normal process with normal testing. That distinction is the entire value of reading the KEV due dates instead of the CVSS column. Two of these items genuinely cannot wait. The rest genuinely can, and burning Saturday on a 9.9 you cannot patch is how the item that actually mattered gets missed.

July 2026 Patch Tuesday order for financial institutions in five steps: inventory SharePoint Server and ADFS, patch the exploited SharePoint flaws CVE-2026-58644 and CVE-2026-56164 this weekend, fold in CVE-2026-50522 and CVE-2026-55040 during the same outage, schedule the ADFS fix CVE-2026-56155 before its July 28 federal deadline, then take Exchange CVE-2026-55008, Windows VMSwitch CVE-2026-57092, and the Copilot mobile app CVE-2026-48561 in the normal change cycle.
The order we would work the July release: exploitation status and deadline first, CVSS score never.

Then there is the part nobody puts in the runbook: somebody has to be watching while the window is open. A three day deadline landing on a weekend is not a change-control cycle, it is a compression of one, and compressed windows are when the thing you patched at noon turns out to have been reached at ten that morning.

This is the part of the job ABT does for 750+ financial institutions. As a Tier 1 Microsoft Cloud Solution Provider, we do the triage described in this article before it reaches your team, which of the month's criticals are actually yours, and we run the managed deployment. Guardian MxDR covers the other half: watching for exploitation of exactly these classes, unauthenticated remote code execution against an exposed document server and privilege escalation through the identity layer, while the patch is not on yet. Detection matters most precisely when the patch is not finished, and on a three day weekend deadline it is not finished for most of it.

None of that substitutes for knowing what you run. The institutions patching CVE-2026-58644 cleanly this weekend are the ones who already knew they had SharePoint Server on-premises before Thursday. No product, ours included, replaces a current inventory. What we can do is make sure yours is current before the next KEV entry lands, because there will be one.

Three days is not a change-control cycle

ABT is a Tier 1 Microsoft Cloud Solution Provider for 750+ financial institutions. We do the triage, run the managed deployment, and Guardian MxDR watches for exploitation of these exact classes while your patch window is still open.

Frequently Asked Questions

Three, all marked Exploitation Detected by Microsoft and all on CISA's Known Exploited Vulnerabilities catalog. CVE-2026-58644, Microsoft SharePoint remote code execution, CVSS 9.8, added July 16, 2026, federal due date July 19, 2026. CVE-2026-56164, Microsoft SharePoint Server elevation of privilege, CVSS 5.3, added July 14, 2026, due July 17, 2026. CVE-2026-56155, Active Directory Federation Services elevation of privilege, CVSS 7.8, added July 14, 2026, due July 28, 2026. Reporting published on July 14 and 15 named only two exploited CVEs, because CVE-2026-58644's exploited status and KEV listing both landed on July 16, after that reporting cycle closed.

No. SharePoint Online is not among the affected products for CVE-2026-58644 or CVE-2026-56164. Both affect the customer-managed on-premises versions: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. If your institution moved fully to SharePoint Online and retired its on-premises farm, neither vulnerability requires action from your team. If you still run a SharePoint server for a legacy workflow, a records archive, or an unmigrated application, both apply to you.

Microsoft ships the security updates for CVE-2026-58644 under KB5002880, KB5002874, and KB5002873. Which one applies depends on your SharePoint Server version and build. The federal remediation due date in CISA's KEV catalog is July 19, 2026, three calendar days after it was added on July 16. That deadline binds U.S. Federal Civilian Executive Branch agencies rather than private financial institutions, so it is not your legal clock. The flaw itself does not care: CISA describes it as allowing an unauthorized attacker to execute code over a network, and it is under confirmed active exploitation. How much that threatens you specifically depends on facts only you have, above all whether the farm is reachable from outside your network, which is why the inventory step comes first.

Two of the three, no. CVE-2026-45499 (Azure OpenAI, CVSS 9.9) and CVE-2026-57100 (Microsoft Entra Provisioning Service, CVSS 9.9) name Microsoft-operated cloud services as the affected product, and Microsoft publishes no KB or security update entry for either, so there is nothing to deploy. The third, CVE-2026-57092 (Microsoft Windows VMSwitch elevation of privilege, CVSS 9.9), is the opposite case: it is a Windows component, it ships ordinary security updates, and it goes through your normal Windows Server patching. The same split runs below 9.9. CVE-2026-41106 (Microsoft 365 Copilot, CVSS 9.3) is Microsoft-serviced with nothing to deploy, while CVE-2026-48561, titled Microsoft Copilot Remote Code Execution, affects the Microsoft 365 Copilot apps for Android and iOS and does require updating that mobile app, via Microsoft Intune or your mobile device management tooling on managed devices. Treat each CVE's entry in Microsoft's Security Update Guide as the authority for your own environment, since an absent KB does not by itself rule out a tenant-side configuration step.

Not as a legal requirement. CISA's Binding Operational Directives, including BOD 26-04 and the now-revoked BOD 22-01, bind U.S. Federal Civilian Executive Branch agencies. They are not directly binding on private banks, credit unions, or mortgage companies. The practical reality is different: the KEV catalog is increasingly treated as a de facto standard of care, and examiners, cyber insurance underwriters, and litigants all read it. After an incident, there is no defensible version of the position that a vulnerability was publicly known, federally listed as actively exploited, had a patch available, and was not applied.

There is no standalone Active Directory Federation Services package to download. The fix for CVE-2026-56155 ships inside Windows Server security updates and monthly rollups, and Microsoft's remediation entries map it to Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Patch the underlying Windows Server and the ADFS fix comes with it. Its KEV due date is July 28, 2026, a fourteen day window rather than the three days assigned to the two SharePoint Server flaws, so it can generally be scheduled into a normal change window instead of a weekend emergency.


Justin Kirsch

Justin Kirsch

Co-Founder & CEO, Access Business Technologies

Justin Kirsch has spent his career triaging Microsoft security releases for financial institutions, back to the era when a monthly patch cycle was a novelty rather than a routine. As Co-Founder and CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies answer the only question that matters on a patch weekend: of everything Microsoft shipped this month, which items are actually ours, and which ones have to be done before Monday.