Microsoft has released security updates for a high-severity vulnerability affecting Active Directory Federation Services, or AD FS, after confirming that attackers are already exploiting it in real-world environments. The flaw has also been added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue, which signals that organisations should treat patching as an immediate priority rather than routine maintenance.
AD FS is often placed at the centre of an organisation's identity infrastructure. It supports single sign-on and federated authentication, allowing employees to use one identity to access multiple internal and external applications. That makes any vulnerability affecting an AD FS server especially serious, because a successful compromise could give attackers influence over the systems responsible for issuing authentication tokens and controlling access.
What Is CVE-2026-56155?
The vulnerability is tracked as CVE-2026-56155 and carries a CVSS v3.1 score of 7.8, rated High.
It is an elevation-of-privilege flaw that allows an authenticated attacker with relatively limited local permissions to obtain administrator-level access on an affected system. The weakness is linked to insufficiently granular access controls within AD FS.
This is not a remote, unauthenticated vulnerability that can be exploited directly from the internet. An attacker must first gain authenticated access to the vulnerable host.
However, that requirement should not be viewed as reassuring. In many intrusions, attackers begin with a compromised account, stolen credentials, malware on a workstation or access obtained through another vulnerability. Once they reach an AD FS server with a low-privileged account, this flaw may allow them to escalate their access and take control of the system.
Why Local Privilege Escalation Still Presents a Major Risk
The attack vector is classified as local, but exploitation reportedly requires:
Functional exploit code is believed to be available, and Microsoft has confirmed active exploitation.
A local privilege-escalation vulnerability often becomes the second or third step in a wider attack chain.
For example, a threat actor may first compromise an ordinary account through phishing, password reuse or exposed remote access. That account may not initially have enough permissions to alter system settings or access sensitive identity data.
CVE-2026-56155 could then provide the attacker with the administrative privileges needed to disable security controls, establish persistence and move deeper into the environment.
This makes the vulnerability particularly dangerous during post-compromise activity. It may not provide the initial entry point, but it can transform a limited foothold into full control of a critical identity server.
Why AD FS Servers Are High-Value Targets
AD FS servers authenticate users and issue security tokens that connected applications rely upon when deciding whether to grant access.
In many organisations, these servers form a bridge between Active Directory and business services such as:
If an attacker gains administrative control over an AD FS server, the consequences may extend far beyond that single machine.
The attacker may be able to manipulate federation settings, interfere with authentication flows or abuse the server's trusted position within the identity environment.
Attackers Could Alter Federation Settings
One possible outcome is the modification of critical federation configurations.
An attacker with administrator privileges may attempt to weaken authentication requirements, redirect trust relationships or introduce changes that preserve access even after the original compromised account is disabled.
Federation settings are rarely changed during ordinary daily operations. Any unexpected modification should therefore be treated as suspicious and investigated immediately.
A malicious change may also be difficult to recognise if it is designed to resemble a legitimate administrative adjustment.
Sensitive Authentication Materials May Be Exposed
AD FS environments may contain sensitive identity-related information, including certificates, configuration data and authentication secrets.
An attacker who obtains local administrator access may attempt to retrieve these materials and use them to impersonate users or create fraudulent authentication tokens.
This possibility makes AD FS compromise especially concerning. A traditional server breach may expose files or applications hosted on that machine. A compromised federation server may instead undermine trust across multiple connected services.
The advisory warns that attackers could access authentication materials, disable security controls, manipulate token-based access and use the server as a launchpad for broader intrusion activity.
A Compromised Federation Server Can Support Lateral Movement
Once an AD FS server is under attacker control, it can become a valuable staging point for movement into other parts of the network.
The server is often connected to Active Directory, identity services and business-critical applications. It may also have trusted communication paths that ordinary endpoints do not.
An attacker could use this position to:
This means incident responders should not investigate the AD FS server in isolation. They should examine the wider identity environment and determine whether the compromise affected connected applications, administrative accounts or trust relationships.
Microsoft Has Limited the Public Technical Details
Microsoft has not publicly released full technical information about the vulnerability.
This appears intended to give organisations additional time to patch while active exploitation continues.
Although withholding details may slow some attackers, it also means defenders have less public information available for building highly specific detection rules.
Organisations should therefore focus on broader signs of compromise, including unexpected privilege changes, suspicious processes, unusual administrative activity and unauthorised federation modifications.
The absence of public exploit details is not a reason to delay. Active exploitation has already been confirmed, which means capable threat actors understand enough about the flaw to use it.
Which Windows Versions Are Affected?
Microsoft has identified affected versions across both Windows Server and older Windows 10 releases.
Affected products listed in the advisory include:
The most urgent concern is likely to be Windows Server systems operating as AD FS federation servers.
However, organisations should not assume that a supported operating-system version is automatically protected. The relevant security update must still be installed and verified.
Older server platforms deserve particular attention because they may be managed under extended-support arrangements, isolated from routine update processes or retained for compatibility with legacy applications.
Install Microsoft's July Security Updates Immediately
Microsoft recommends prioritising the July security updates across all affected AD FS servers.
These systems should be treated as critical identity infrastructure. Patching them should receive the same urgency as updates affecting domain controllers, privileged-access systems and externally exposed authentication services.
Before deployment, administrators should still follow an appropriate change process, including:
The fact that AD FS supports business authentication means administrators must balance speed with operational care. A rushed update that disrupts federation services could prevent legitimate users from accessing essential applications.
However, active exploitation means organisations should not postpone the update for an extended testing cycle.
Verify That the Correct Build Was Installed
A successful Windows Update message does not always prove that every relevant system received the intended security fix.
After deployment, administrators should confirm that the installed operating-system build and update level match Microsoft's latest security release.
This is especially important in environments where:
A complete remediation process should include both deployment and verification.
The advisory specifically recommends confirming the updated build numbers after installation.
Review Local Administrator Group Membership
Because the vulnerability allows privilege escalation, security teams should examine local administrator groups on affected servers.
They should look for:
An attacker who successfully exploited the vulnerability may have added an account to the local Administrators group to maintain access.
Even if the server has already been patched, unauthorised privilege changes made before remediation could remain in place.
Administrators should therefore compare current membership against an approved baseline rather than checking only for obviously suspicious names.
Monitor for Unusual Processes and Configuration Changes
Security teams should investigate unusual processes, unexpected software execution and unauthorised configuration changes on AD FS servers.
Particular attention should be given to:
Because the technical details remain limited, behavioural monitoring becomes especially important.
A single process may not look malicious on its own. The surrounding context—such as a low-privileged account suddenly performing administrative actions—may reveal the real risk.
Authentication Logs May Reveal Follow-On Activity
Organisations should review authentication events for abnormal sign-ins or token-related activity.
Suspicious indicators may include:
If attackers gained administrator privileges on an AD FS server, they may have attempted to compromise connected services or establish additional access elsewhere.
This is why the investigation should include identity logs, Active Directory events, application-access records and network telemetry—not only the local Windows logs from the federation server.
Reduce Unnecessary Local Privileges
The principle of least privilege can limit the number of accounts capable of reaching the vulnerability.
Users and service accounts should have only the local permissions required for their function. Low-privileged access is still enough to exploit this flaw, but reducing the number of accounts that can log on to an AD FS server narrows the available attack surface.
Organisations should review:
AD FS servers should not be treated as general-purpose administrative machines. Access should be restricted to authorised identity and infrastructure personnel.
Closely Monitor Privileged Accounts Until Patching Is Complete
Administrative accounts and privileged sign-ins should receive heightened monitoring until every affected system has been patched and validated.
Any unexplained privileged activity on an AD FS server should be investigated promptly, particularly when it follows access by a low-privileged account.
Where possible, organisations should enforce:
The mitigation guidance recommends reviewing local administrator groups, restricting unnecessary local privileges and closely monitoring privileged logins.
Patching Alone May Not Be Enough After Exploitation
Installing the update prevents future exploitation of the vulnerability, but it does not automatically remove access already established by an attacker.
If suspicious activity is found, the organisation may need to conduct a full compromise assessment.
That investigation should determine:
Depending on the findings, remediation may require credential resets, certificate replacement, removal of unauthorised accounts and restoration of federation settings from a trusted baseline.
In serious cases, rebuilding the server may be safer than attempting to clean it in place.
Final Thoughts
CVE-2026-56155 is particularly dangerous because it affects a service placed at the heart of many enterprise authentication environments.
Although attackers require existing local access, the vulnerability can elevate a low-privileged account to administrator level without user interaction. On an AD FS server, that could allow threat actors to alter federation settings, access authentication material, weaken security controls and use the server to attack connected applications.
The combination of active exploitation, available functional exploit code and inclusion in CISA's Known Exploited Vulnerabilities catalogue makes this an urgent patching priority.
Organisations should install Microsoft's July security updates, verify the resulting build numbers, review local administrator groups and monitor authentication activity closely. Where suspicious access is detected, teams should investigate the wider identity environment rather than treating the issue as an isolated server vulnerability.
When the affected system is responsible for deciding who can access critical business applications, protecting that server means protecting the trust model of the entire organisation.


Comments