Actively Exploited Zero-Days in Microsoft SharePoint and AD FS Demand Immediate Patching
- CVE ID
- CVE-2026-56155, CVE-2026-56164, CVE-2026-58644
- CVSS Score
- N/A
- Affected Products
- Microsoft SharePoint Server (Subscription Edition, 2019, 2016), Active Directory Federation Services (AD FS)
Overview
Microsoft has released critical security updates addressing two actively exploited zero-day vulnerabilities affecting SharePoint Server and Active Directory Federation Services (AD FS). These vulnerabilities, identified as CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint Server), allow for elevation of privilege, enabling attackers to gain unauthorized access and potentially full control over affected systems. The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of these flaws by adding them to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies to apply patches with strict deadlines. A further SharePoint vulnerability, CVE-2026-58644, was also added to the KEV catalog on July 16, underscoring the ongoing threat to SharePoint deployments.
Technical Details
CVE-2026-56155 is an Elevation of Privilege (EoP) vulnerability impacting Active Directory Federation Services. With a CVSS score of 7.8, this flaw stems from insufficient granularity of access control, allowing a low-privileged local attacker to escalate privileges to administrator level without user interaction. This grants attackers significant control over the authentication infrastructure.
Concurrently, CVE-2026-56164 is another EoP vulnerability, this time affecting Microsoft SharePoint Server and carrying a CVSS score of 5.3. This bug is tied to missing authentication in a critical function, which attackers are actively exploiting to gain unauthorized access to on-premises SharePoint Server instances. Exploitation efforts have involved establishing remote code execution (RCE) and post-exploitation activities such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques to maintain persistence and deploy malware. The July 16 CISA update also highlighted CVE-2026-58644 as another actively exploited SharePoint EoP vulnerability, reiterating the severe risk to these environments. These vulnerabilities affect all supported on-premises SharePoint Server versions, including Subscription Edition, 2019, and 2016.
Real-World Impact
The active exploitation of these zero-day vulnerabilities poses a severe and immediate threat to organizations relying on Microsoft SharePoint and AD FS for critical business operations and identity management. For SharePoint, successful exploitation can lead to complete compromise of sensitive data stored on collaboration platforms, disruption of document management, and the potential for widespread malware deployment across the internal network. The theft of IIS machine keys further allows attackers to persist within the environment even after initial access might be detected or patched, making remediation efforts more complex and prolonged.
In the case of AD FS, an elevation of privilege can be catastrophic, as AD FS plays a pivotal role in authentication and authorization for numerous applications and services. Gaining administrator privileges in AD FS means an attacker can potentially forge authentication tokens, impersonate users, and gain unauthorized access to a vast array of connected resources, both on-premises and in cloud environments. This could lead to extensive data exfiltration, system sabotage, and a complete breakdown of trust within an enterprise’s identity infrastructure.
Threat Landscape
These actively exploited vulnerabilities underscore a persistent trend of attackers targeting widely used enterprise software and critical infrastructure components. AD FS and SharePoint Server are foundational elements for many organizations, making them high-value targets. The involvement of zero-day exploits, meaning vulnerabilities unknown to the vendor until recently, signifies sophisticated threat actors are at play. The rapid inclusion into CISA’s KEV catalog indicates governmental recognition of the immediate and significant threat these vulnerabilities pose to federal and critical infrastructure entities. The focus on on-premises versions of SharePoint also highlights that legacy or self-hosted infrastructure remains a significant attack surface despite the push towards cloud services. The methods of exploitation, including RCE, credential theft, and persistence through deserialization, are common tactics in advanced persistent threat (APT) campaigns and financially motivated cybercrime operations. Microsoft’s July 2026 Patch Tuesday addressed a record number of vulnerabilities, with experts noting that AI-driven vulnerability discovery may be contributing to the increased volume of disclosed flaws.
Remediation
Organizations must prioritize the immediate application of Microsoft’s July 2026 security updates. For federal agencies, CISA has mandated that the SharePoint Server issue (CVE-2026-56164 and CVE-2026-58644) be addressed by July 17, and the AD FS flaw (CVE-2026-56155) by July 28. All other organizations should follow this aggressive timeline.
Beyond patching, several hardening measures are recommended:
- Verify Patch Installation: Ensure that all patches and security updates from Microsoft are applied correctly and that their installation completes successfully.
- Shorten Patching Cycles: Given the accelerating pace of vulnerability disclosures, organizations should aim to shorten their patching cycles, especially for critical internet-facing systems.
- Enable AMSI Integration for SharePoint: For SharePoint deployments, ensure Antimalware Scan Interface (AMSI) integration is enabled for each web application, following Microsoft’s guidance. Where feasible, select the “Full Mode” option for the Request Body Scan Mode to enhance detection capabilities against web-based attacks.
- Monitor for Exploitation: Organizations should closely monitor affected SharePoint Servers and AD FS instances for any signs of exploitation or unusual activity. Implement robust logging and security information and event management (SIEM) solutions to detect indicators of compromise.
- Incident Response: Have a well-defined incident response plan in place and be prepared to execute it if compromise is suspected. Utilize AMSI and Microsoft Defender Antivirus (MDAV) detections, such as “Exploit:Script/SuspSignoutReqBody.A” for SharePoint Server Subscription Edition, to identify potential threats.
- Principle of Least Privilege: Review and enforce the principle of least privilege for all user and service accounts interacting with SharePoint and AD FS to limit the potential blast radius of a compromised account.
- Network Segmentation: Implement network segmentation to isolate critical AD FS and SharePoint servers from less secure parts of the network, thereby reducing the lateral movement capabilities of attackers.
Adhering to these recommendations will significantly bolster defenses against these and similar sophisticated attacks.
Related content
CISA Adds Four Actively Exploited Vulnerabilities, Including SonicWall and Microsoft…
AdvisoryUrgent: Actively Exploited Microsoft ADFS Privilege Elevation Vulnerability…
AdvisoryUrgent Advisory: SharePoint Zero-Day Under Active Exploitation - CVE-2026-56164
AdvisoryMicrosoft July 2026 Patch Tuesday Addresses Critical Zero-Days and Information Leaks
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call