Urgent: Actively Exploited Microsoft ADFS Privilege Elevation Vulnerability…
- CVE ID
- CVE-2026-56155
- CVSS Score
- 7.8
- Affected Products
- Microsoft Active Directory Federation Services
Overview
We are issuing this urgent advisory regarding CVE-2026-56155, a high-severity (CVSS 7.8) elevation of privilege vulnerability impacting Microsoft Active Directory Federation Services (AD FS). This flaw is critical not only due to its high severity but also because it is confirmed to be actively exploited in the wild as a zero-day vulnerability. Microsoft released a patch for this issue as part of its July 2026 Patch Tuesday updates. The vulnerability fundamentally undermines access controls within a critical identity component, allowing an already authorized attacker to significantly escalate their privileges locally. Organizations relying on AD FS for single sign-on (SSO) and federated identity management must prioritize applying the necessary security updates to protect their environments.
Technical Details
CVE-2026-56155 is described as an “Insufficient Granularity of Access Control Vulnerability” within Microsoft Active Directory Federation Services. This means that while AD FS implements access controls, they lack the precision required to prevent an authorized attacker from gaining elevated privileges locally. In essence, the existing access control policies are too broad, inadvertently granting unauthorized agents access to security-sensitive assets. Active Directory Federation Services is a cornerstone for modern enterprise authentication, enabling users to access multiple applications and services with a single set of credentials. Its role in managing trust relationships between identity providers and service providers means that a flaw impacting its access control mechanisms can have wide-ranging security implications across an organization’s entire federated trust chain. While the specific vector of exploitation for this particular vulnerability has not been publicly detailed by Microsoft, the nature of “insufficient granularity of access control” typically involves an attacker manipulating or abusing legitimate functions in an unintended way to bypass finer-grained security checks. Such vulnerabilities often allow an attacker who has already gained a low-level foothold to escalate to a more powerful account, potentially leading to broader compromise. Elevation of Privilege (EoP) vulnerabilities, like CVE-2026-56155, are a consistently significant category of flaws, frequently exploited to transition from initial access to a more dominant position, such as domain administrator or full cloud tenant control.
Real-World Impact
The confirmed active exploitation of CVE-2026-56155 in the wild elevates this vulnerability from a theoretical risk to an immediate threat that defenders must address. Although Microsoft has not disclosed specific details about how the flaw was exploited in attacks, the involvement of Microsoft’s Detection and Response Team (DART) in crediting the discovery suggests it was likely uncovered during active incident investigations. Given that AD FS is widely deployed for federated authentication across diverse enterprise environments, organizations using this service are inherently at risk. A successful local privilege escalation could enable an attacker to further entrench themselves within a compromised system, gain access to sensitive data, or move laterally within the network. In scenarios where AD FS is internet-facing, the potential for remote exploitation, if an attacker can first achieve authorized access through other means, is a significant concern. Past ADFS vulnerabilities have allowed authentication bypasses and information disclosure, underscoring the critical nature of securing this service. The due date of July 28, 2026, for applying mitigations highlights the urgency with which CISA and Microsoft view this particular vulnerability.
Threat Landscape
The current cybersecurity threat landscape is characterized by rapid exploitation of newly disclosed vulnerabilities. Threat actors are highly opportunistic, quickly weaponizing new CVEs, especially when public proofs-of-concept become available, or when vulnerabilities offer pathways to elevated privileges in critical infrastructure. While specific threat actors or campaigns explicitly linked to CVE-2026-56155 have not been publicly named, the nature of ADFS as a central identity management component makes it a prime target for various adversaries, from financially motivated groups to state-sponsored actors. The increasing volume of new CVEs, partly driven by AI-assisted vulnerability discovery, means that the window between disclosure and active exploitation is continuously shrinking. This puts immense pressure on organizations to implement patches promptly. Elevation of Privilege flaws are particularly attractive to attackers as they often represent the crucial step in an attack chain, transforming a limited initial foothold into a full compromise. Organizations across all industries and regions that utilize Microsoft Active Directory Federation Services are potential targets, as ADFS is a foundational technology for many enterprise IT environments.
Remediation
Immediate action is required to address CVE-2026-56155. Organizations must apply mitigations strictly in accordance with Microsoft’s instructions. This remediation effort is mandated under CISA’s BOD 26-04, “Prioritizing Security Updates Based on Risk,” which requires federal agencies to address actively exploited vulnerabilities within specific timeframes. All organizations, regardless of their federal affiliation, should adopt this guidance as a best practice. The specified due date for applying these mitigations is July 28, 2026.
Here are the critical steps your organization should take:
- Prioritize Patching: Identify all Microsoft Active Directory Federation Services deployments within your environment. Apply the latest security updates provided by Microsoft as soon as possible. Given the active exploitation, this must be treated as an emergency patch.
- Compliance with CISA BOD 26-04: Ensure your patching efforts comply with CISA’s BOD 26-04 guidance. This includes adhering to the specified timelines and, for cloud services, following applicable guidance or discontinuing use of the product if mitigations are unavailable.
- Evaluate Internet Exposure: Stakeholders are responsible for thoroughly evaluating each AD FS asset’s internet exposure. Internet-facing AD FS servers represent a higher risk and should be prioritized for patching and enhanced monitoring.
- Forensics Triage Requirements: Be prepared to follow CISA’s “Forensics Triage Requirements.” This implies having incident response capabilities ready to investigate any signs of exploitation, as this is a known exploited vulnerability.
- Monitor AD FS Environments: Implement robust monitoring for your AD FS infrastructure for any anomalous activity, including unusual login attempts, privilege changes, or access patterns. Pay close attention to logs for signs of attempted or successful exploitation.
- Review Access Controls: Beyond patching, review and strengthen the granularity of access controls within your AD FS configuration to minimize potential attack surfaces for similar vulnerabilities in the future.
Delaying remediation of this actively exploited vulnerability could expose your organization to significant risk, including widespread account compromise and unauthorized access to critical systems and data.
Related content
CISA Adds Four Actively Exploited Vulnerabilities, Including SonicWall and Microsoft…
AdvisoryActively Exploited Zero-Days in Microsoft SharePoint and AD FS Demand Immediate Patching
AdvisoryMicrosoft July 2026 Patch Tuesday Addresses Critical Zero-Days and Information Leaks
AdvisoryAitkin County HHS Data Breach Exposes Health and Personal Information
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call