CVE-2026-56155
Active Directory Federation Services Elevation of Privilege Vulnerability
Description
Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.
In plain language
AI Act nowCVE-2026-56155 is a local privilege-escalation flaw in Active Directory Federation Services (ADFS) that has already been used in real attacks, so if your business runs ADFS on affected Windows versions, you should act now.
CVE-2026-56155 is a privilege escalation in Active Directory Federation Services (ADFS) (CWE-1220) where insufficient access control allows a local attacker with low-level permissions to gain higher privileges; Microsoft and CISA have confirmed it is being exploited in the wild.
What to do now
- Check whether you run Active Directory Federation Services (ADFS) on any of these systems: Windows 10; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025.
- For each affected system, look up the current installed build/patch level and compare it to the fixed versions below.
- Immediately install the vendor fix for each impacted Windows version (use Windows Update or the Microsoft update guide) and confirm the system reaches the fixed build.
- If you cannot patch right away, follow Microsoft/CISA mitigation guidance from the Microsoft update guide, and consider temporarily limiting access to ADFS-related services per vendor instructions.
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:LPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
References
- В июле Microsoft исправила рекордные 622 уязвимости в своих продуктахru-ru·Хакер (xakep.ru)· Source-only·
- Цунами уязвимостей: июльский Microsoft Patch Tuesdayru-ru·Kaspersky Daily (RU)· Summary only·
- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesdayen·The Hacker News·
- AI-driven bug hunting fuels record Microsoft Patch Tuesdayen-us·Help Net Security·
- Records Are Made to Be Broken: Patch Tuesday Raises Triage Stakesen·Dark Reading·
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attacken·The Hacker News·
- Microsoft Patches a Record 570 Security Flawsen-us·Krebs on Security·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-56155 and every CVE in our database. Create a free account — no credit card required.
Create Free Account