Critical Microsoft Active Directory Zero-Day Actively Exploited
Key Takeaways A critical zero-day elevation of privilege vulnerability (CVE-2026-56155) in Microsoft Active Directory Federation Services (AD FS) is under active exploitation. The flaw allows a...
Key Takeaways
- A critical zero-day elevation of privilege vulnerability (CVE-2026-56155) in Microsoft Active Directory Federation Services (AD FS) is under active exploitation.
- The flaw allows a low-privilege, authenticated local attacker to achieve administrative access on affected systems.
- Microsoft has rated the vulnerability as “Important” with a CVSS 3.1 base score of 7.8, confirming in-the-wild exploitation.
- Patches were released on July 14, 2026, for various Windows Server versions and relevant Windows 10 builds.
Microsoft has issued urgent security updates addressing CVE-2026-56155, a zero-day elevation of privilege vulnerability within Active Directory Federation Services (AD FS) that is currently being actively exploited. This critical flaw enables an attacker with low-level authenticated local access to escalate their privileges to administrator status on compromised systems.
Table Of Content
AD FS Zero-Day Under Active Exploitation
The vulnerability, tracked as CVE-2026-56155, stems from insufficient granularity in access control mechanisms within AD FS. This Microsoft service is widely deployed by organizations to facilitate single sign-on (SSO) and federated authentication across various applications and services.
Microsoft has classified this vulnerability with an “Important” severity rating and confirmed that malicious actors are already exploiting it in real-world scenarios. The flaw carries a CVSS 3.1 base score of 7.8, indicating a significant risk. Its exploitability assessment highlights the existence of functional exploit code, while the attack vector is rated as local, requiring low complexity, minimal privileges, and no user interaction. Although an attacker must first achieve authenticated access to a vulnerable host, successful exploitation can lead to a complete compromise of the system’s confidentiality, integrity, and availability.
Enterprise Impact and Attack Vector
The successful exploitation of CVE-2026-56155 grants attackers administrator privileges, making this vulnerability particularly dangerous in enterprise environments. AD FS infrastructure often connects to core Active Directory domains, identity services, and sensitive applications, making AD FS servers prime targets. These servers are crucial for processing authentication requests and issuing security tokens necessary for accessing corporate resources.
An attacker who gains local administrative control over an AD FS server could manipulate federation settings, access sensitive authentication credentials, disable security controls, or leverage the compromised server as a pivot point for broader network intrusions. This weakness falls under CWE-1220, which describes insufficient granularity of access control—a category where software fails to enforce authorization restrictions with adequate detail, allowing users with limited rights to execute actions that demand higher permissions.
Patch Availability and Recommendations
Microsoft released fixes for a broad spectrum of affected Windows versions on July 14, 2026. Supported systems include Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, along with their respective Server Core deployments. Updates are also available for older Windows 10 versions that share vulnerable platform components. Organizations utilizing AD FS are strongly advised to prioritize the deployment of Microsoft’s July security updates, especially on federation servers accessible to administrative users or those connected to critical identity infrastructure.
Microsoft credited Jeremy Kingston and Scott Clark from its Detection and Response Team (DART) for reporting the issue. The company has not publicly disclosed the technical specifics of the exploit, a measure that could provide defenders with additional time to patch systems while exploitation remains observed.
What You Should Do
- Immediately deploy Microsoft’s July 14, 2026 security updates to all affected AD FS servers and related Windows systems.
- Verify that the relevant cumulative or security-only updates have been installed and confirm the updated build numbers post-patching.
- Review changes to local administrator groups on AD FS servers and monitor for any unusual process executions.
- Investigate unexpected modifications to federation configurations and authentication-related events for signs of follow-on activity.
- Reduce unnecessary local privileges on AD FS servers and implement robust monitoring for privileged logins to limit exposure until all systems are patched.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.