Microsoft Patches Actively Exploited AD FS Privilege Escalation Flaw (CVE-2026-56155)
Microsoft has released security updates for CVE-2026-56155, an actively exploited elevation-of-privilege vulnerability in Active Directory Federation Services (AD FS). The flaw allows authenticated local attackers with low privileges to gain administrator-level access on affected systems.
The vulnerability stems from insufficient granularity in AD FS access controls, enabling attackers to bypass authorization restrictions. With a CVSS 3.1 score of 7.8, the flaw is rated Important and has been confirmed as exploited in the wild. Exploitation requires low complexity, no user interaction, and only local access, though successful attacks can fully compromise system confidentiality, integrity, and availability.
AD FS servers are high-value targets due to their role in single sign-on (SSO) and federated authentication, processing authentication requests and issuing security tokens for corporate services. A compromised AD FS server could allow attackers to alter federation settings, access sensitive authentication materials, disable security controls, or pivot to other network systems.
The issue is classified under CWE-1220 (Insufficient Granularity of Access Control), where software fails to enforce proper authorization checks. Microsoft addressed the flaw in its July 14, 2026, security updates, covering Windows Server 2012 through 2025, including Server Core deployments, as well as affected Windows 10 versions.
Organizations using AD FS are advised to prioritize patching, particularly on federation servers linked to critical identity infrastructure. Security teams should verify patch installation, monitor for unusual activity (e.g., unexpected process executions or federation configuration changes), and review local administrator group modifications.
Microsoft credited Jeremy Kingston and Scott Clark of its Detection and Response Team (DART) for reporting the vulnerability. Technical details of the exploit remain undisclosed, providing defenders additional time to mitigate risks while attacks persist.
Source: https://cybersecuritynews.com/active-directory-services-0-day-exploited/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
"id": "mic1784096831",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using AD FS for '
'single sign-on and federated '
'authentication',
'industry': 'Software/IT Services',
'location': 'Global',
'name': 'Microsoft',
'size': 'Large Enterprise',
'type': 'Technology Vendor'}],
'attack_vector': 'Local',
'data_breach': {'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Authentication materials, '
'federation settings'},
'date_publicly_disclosed': '2026-07-14',
'date_resolved': '2026-07-14',
'description': 'Microsoft has released security updates for CVE-2026-56155, '
'an actively exploited elevation-of-privilege vulnerability in '
'Active Directory Federation Services (AD FS). The flaw allows '
'authenticated local attackers with low privileges to gain '
'administrator-level access on affected systems due to '
'insufficient granularity in AD FS access controls.',
'impact': {'identity_theft_risk': 'High (due to access to sensitive '
'authentication materials)',
'operational_impact': 'Full compromise of system confidentiality, '
'integrity, and availability; potential '
'pivot to other network systems',
'systems_affected': 'AD FS servers, Windows Server 2012 through '
'2025, Windows 10 versions'},
'initial_access_broker': {'high_value_targets': 'AD FS servers'},
'investigation_status': 'Patched and disclosed',
'lessons_learned': 'Importance of enforcing granular access controls in '
'identity infrastructure; need for prioritized patching of '
'high-value targets like AD FS servers',
'post_incident_analysis': {'corrective_actions': 'Security updates to enforce '
'proper authorization checks',
'root_causes': 'Insufficient granularity in AD FS '
'access controls (CWE-1220)'},
'recommendations': 'Prioritize patching AD FS servers, verify patch '
'installation, monitor for unusual activity, review local '
'administrator group modifications, and ensure proper '
'authorization checks in identity systems',
'references': [{'source': 'Microsoft Security Update'}],
'response': {'communication_strategy': 'Public disclosure of vulnerability '
'and patch availability',
'containment_measures': 'Patching affected systems',
'enhanced_monitoring': 'Monitor for unusual activity (e.g., '
'unexpected process executions, '
'federation configuration changes, local '
'administrator group modifications)',
'remediation_measures': 'Security updates released for Windows '
'Server 2012 through 2025 and Windows 10 '
'versions'},
'stakeholder_advisories': 'Organizations using AD FS advised to prioritize '
'patching and monitor for exploitation',
'title': 'Microsoft Patches Actively Exploited AD FS Privilege Escalation '
'Flaw (CVE-2026-56155)',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2026-56155 (Insufficient Granularity of '
'Access Control - CWE-1220)'}