What is Microsoft Active Directory Federation Services?
Active Directory Federation Services (AD FS) is a Windows Server role that provides single sign-on and identity federation between on-premises Active Directory and external applications, including hybrid Azure AD/Entra ID environments. Because AD FS servers issue and validate authentication tokens for potentially every application an organization federates trust with, the AD FS server itself is one of the highest-value targets in a Windows identity infrastructure — compromising it can unlock trust relationships extending far beyond the local machine.
Overview
Microsoft AD FS contains a vulnerability where insufficient granularity of access control allows an authenticated, low-privileged local attacker to elevate to administrator-level access on the AD FS server. This was patched as part of Microsoft's July 2026 Patch Tuesday — one of the largest in the program's history — and confirmed by Microsoft to have been exploited in the wild as a zero-day prior to the fix.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025 (including Server Core) running AD FS | All supported builds prior to July 2026 update | July 14, 2026 cumulative/security update |
Technical Details
- Root cause: Insufficient granularity of access control within the AD FS role, allowing operations that should require higher privilege to be performed by a lower-privileged authenticated local user (CWE-1220: Insufficient Granularity of Access Control).
- Attack vector: Local, requiring low privileges and no user interaction (
AV:L/AC:L/PR:L/UI:N). CVSS 3.1 base score: 7.8 (High). - Attack characteristics: Requires local authenticated access to the AD FS server itself — this is a post-compromise or insider-style privilege escalation primitive rather than a remote initial-access vector, consistent with its use in attacks that have already achieved a foothold on the server.
- Impact: Full confidentiality, integrity, and availability impact at the local system level. Once exploited, an attacker with administrator-level access to an AD FS server could alter federation trust settings, access sensitive token-signing material, disable security controls, or pivot further into hybrid identity infrastructure.
Discovery
Credited by Microsoft to Jeremy Kingston and Scott Clark of Microsoft's own Detection and Response Team (DART) — Microsoft's internal incident-response unit. This attribution strongly suggests the vulnerability was identified while investigating an active intrusion rather than through proactive security research.
Exploitation Context
Confirmed exploited in the wild as a zero-day per Microsoft's advisory. This CVE was one of three zero-days addressed in Microsoft's July 2026 Patch Tuesday, which fixed a record-setting number of vulnerabilities overall (reported variously as 569–622 CVEs depending on source methodology). CISA KEV lists ransomware usage for this CVE as unknown, and no public technical writeup of the exploit chain has been published — unlike the companion SharePoint CVE-2026-56164 disclosed the same day, which has received more detailed post-exploitation reporting.
Remediation
- Apply Microsoft's July 14, 2026 security update immediately to all Windows Server hosts running the AD FS role.
- Audit AD FS server local accounts and group memberships for unauthorized additions, particularly any accounts recently elevated to administrator.
- Review AD FS and Windows security event logs for signs of local privilege escalation activity or unusual administrative actions predating the patch.
- Restrict local logon rights on AD FS servers to the minimum necessary set of administrators, and monitor for any unexpected interactive or RDP sessions.
- Rotate AD FS token-signing certificates if compromise is suspected, given the potential for federation trust material to have been exposed.
- Follow CISA BOD 26-04 guidance and the July 28, 2026 remediation deadline.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-56155 |
| Vendor / Product | Microsoft — Active Directory Federation Services |
| NVD Published | 2026-07-14 |
| NVD Last Modified | 2026-07-15 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-1220 find similar ↗ |
| CISA KEV Added | 2026-07-14 |
| CISA KEV Deadline | 2026-07-28 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | Patched as part of Microsoft's July 2026 Patch Tuesday; added to CISA KEV same day |
| 2026-07-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-56155 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft MSRC — CVE-2026-56155 | Vendor Advisory |
| Zero Day Initiative — The July 2026 Security Update Review | Security Research |
| BleepingComputer — Microsoft July 2026 Patch Tuesday fixes 3 zero-days | News |