What Changed This Quarter: Microsoft 365, Teams, RingEX, 3CX, and Grandstream (April–July 2026)
Every quarter we review the security patches and feature changes rolling out across the communications and productivity stack most of our clients run: RingEX, 3CX, Grandstream desk phones, Microsoft 365, Dynamics 365, and Teams Premium. Here’s what mattered this cycle, and what we’re keeping an eye on for the next one.
The critical items
Three issues this quarter had public exploit code or confirmed active exploitation, which is why they jumped the queue ahead of everything else:
Grandstream GXP1600 series desk phones had an unauthenticated remote code execution vulnerability (CVE-2026-2329, CVSS 9.3) with public exploit code available. The fix is firmware 1.0.7.81, and any internet-facing or unsegmented handsets are the priority.
3CX shipped a June 5, 2026 hotfix for a third-party web server configuration vulnerability affecting self-hosted deployments reachable from the public internet. 3CX-hosted instances were patched automatically; self-hosted admins needed to apply the update via the Admin Console.
Microsoft 365 / Windows had two: a BitLocker bypass with a public proof-of-concept (CVE-2026-50661), and an actively exploited AD FS / SharePoint privilege escalation flaw (CVE-2026-56155). Both are addressed in the July 2026 cumulative security update.
A few high-severity items rounded out the list, including a Linux kernel privilege escalation and an HTTP/2 denial-of-service flaw affecting 3CX’s underlying infrastructure, and two Teams for Android vulnerabilities — one allowing remote disclosure of auth tokens with no user interaction.
Feature and licensing changes worth knowing about
Security wasn’t the only story this quarter:
- Microsoft 365 rolled out its July 1, 2026 licensing refresh — Business Premium held its price while doubling mailbox storage, and E3/E5 both picked up new security and management features. A new E7 tier launched above E5, the first new top tier since 2015, and Entra Conditional Access for Agents now requires an M365 Agent or E7 license — relevant for anyone piloting AI agents.
- Dynamics 365 made its modern UI the default (the classic toggle is gone) and is rolling out AI agents across Sales, Customer Service, and Field Service as part of its 2026 release wave 1.
- Teams Premium got narrower: as of April 1, 2026, Places and advanced webinar/town hall features moved into core Teams Enterprise. Premium now differentiates mainly on advanced meeting security, branding, and AI features. Anyone who bought Premium before April 1 keeps legacy features until renewal.
- RingEX added AI Receptionist text replies, account-level spam controls, and a real-time call queue dashboard, among other desktop app updates.
- 3CX continues shifting toward its browser-based PWA client over the Electron desktop app, which shrinks the overall attack surface.
A quick note on subprocessors
Every vendor in this stack relies on third-party companies — cloud hosting providers, AI model providers, support and analytics vendors — to help deliver their services. Under GDPR and similar frameworks, these are called subprocessors, and vendors that handle customer data are generally required to disclose who they are and notify customers before adding new ones.
Here’s where each vendor publishes its current list, since these change more often than most people expect:
- Microsoft maintains its Online Services Subprocessor List on the Service Trust Portal (sign-in required). Notably, OpenAI was added as a subprocessor for Microsoft 365 Copilot in June 2026, live as of July 9, 2026 — worth knowing if your organization has Copilot enabled.
- RingCentral publishes its list at ringcentral.com/legal/dpa-subprocessor-list, broken out by product (RingEX, RingCX, RingSense). Mitel’s MiCloud Service is End Of Lifed as of July 2026.
- 3CX discloses subprocessors through its Data Processing Addendum; customers are notified at least 30 days before a new subprocessor is added and can object on data-protection grounds.
- Grandstream doesn’t publish a dedicated subprocessor list in the same format — as a device manufacturer rather than a cloud service, its privacy statement covers third-party service providers (IT management, payment processing, cloud storage) more generally rather than through a GDPR-style subprocessor disclosure.
If your organization has data-residency or compliance requirements tied to any of these platforms, it’s worth checking the current list directly rather than relying on a point-in-time summary like this one — subprocessor lists are amended on their own schedule, independent of the security and feature updates above.
Bottom line
Nothing this quarter requires a full outage window, but the Grandstream and Microsoft items are exploited-in-the-wild or public-PoC issues that shouldn’t wait. If you’re a client and haven’t heard from us about your specific environment yet, reach out — we’re working through confirmations vendor by vendor.
This post reflects publicly available information as of July 17, 2026. Always confirm current patch status directly in each vendor’s admin console.
https://cloudogre.com/q2-2026-microsoft-365-teams-ringex-3cx-grandstream-security-review/








