The Critical Zero-Day: CVE-2026-56155
The cybersecurity landscape has been rocked by the July 2026 Patch Tuesday, which security researchers are already calling a “bug apocalypse” due to the unprecedented volume of vulnerabilities addressed. Among the hundreds of security flaws disclosed, one particular zero-day has emerged as a major threat to corporate identity infrastructure: CVE-2026-56155. This vulnerability targets Microsoft Active Directory Federation Services (AD FS), a critical component for identity management and single sign-on (SSO) across countless organizations worldwide.
CVE-2026-56155 is an Elevation of Privilege (EoP) vulnerability that has been confirmed by both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) to be under active exploitation in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog on July 14, 2026, underscores the urgency with which security teams must respond to this threat.
Understanding the Vulnerability
The technical root cause of CVE-2026-56155 is classified as Insufficient Granularity of Access Control (mapped to CWE-1220). In essence, the vulnerability allows a local attacker who has already gained a foothold on the system with low-level, authenticated permissions to bypass existing security boundaries. By exploiting this flaw, an attacker can escalate their privileges to “SYSTEM” or local administrator level, essentially taking total control of the AD FS server.
Unlike some high-profile remote code execution (RCE) flaws, CVE-2026-56155 requires the attacker to have already achieved local access. However, in the context of modern multi-stage cyberattacks, this is a dangerous “mid-game” exploit. Threat actors often use initial entry points—such as phishing or compromised user credentials—to gain a low-privilege foothold. Once inside, they turn to vulnerabilities like CVE-2026-56155 to maximize their impact and move laterally through the network.
Affected Systems and Software
The scope of this vulnerability is extensive, affecting numerous supported versions of the Windows Server operating system where the AD FS role is active. Specifically, the following systems are confirmed to be vulnerable:
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Select versions of Windows 10 (Enterprise and Pro)
Because AD FS is often deployed as the “source of truth” for identity authentication in hybrid environments—frequently bridging on-premises Active Directory with Azure AD/Microsoft Entra ID—a compromise of the AD FS server represents a “keys to the kingdom” scenario for an attacker.
Severity and Potential Impact
CVE-2026-56155 has been assigned a CVSS v3.1 base score of 7.8 (High). While not a “perfect 10,” its high severity rating combined with confirmed active exploitation makes it one of the most significant risks currently facing IT administrators. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack complexity is low and no user interaction is required.
The potential impact of a successful exploit is catastrophic for an organization’s security posture:
- Full Administrator Access: Attackers can gain complete control over the host running the AD FS service.
- Credential Theft: With administrative access, attackers can extract sensitive encryption keys, service account credentials, and authentication tokens.
- Lateral Movement: A compromised AD FS server can be used to forge authentication tokens for other services, allowing attackers to move laterally into cloud resources or other integrated applications.
- Bypassing Multi-Factor Authentication (MFA): By controlling the federation service, an attacker may be able to manipulate authentication flows to bypass or disable security controls like MFA for target accounts.
Mitigation and Remediation Steps
There are no known workarounds for CVE-2026-56155 that effectively substitute for the official vendor patch. Organizations are urged to take the following steps immediately:
- Apply Security Updates: Use Windows Update, WSUS, or your endpoint management tool to deploy the July 14, 2026, security patches across all Windows Server instances.
- Prioritize Critical Infrastructure: Focus first on servers running the AD FS role and domain controllers. These should be your highest priority for remediation.
- Audit AD FS Logs: Review security logs for indicators of compromise (IoCs), specifically looking for unusual privilege escalation events or unexpected changes to federation configurations.
- Review Service Permissions: Ensure that service accounts used for AD FS follow the principle of least privilege, although patching remains the only way to address the underlying flaw.
- Compliance Deadlines: Federal agencies and organizations following CISA guidelines must meet the remediation deadline of July 28, 2026.
The active exploitation of CVE-2026-56155 serves as a stark reminder that even well-secured identity systems are targets. Patching this specific zero-day should be the top priority for all security operations centers this week.