High (7.8) Actively Exploited

AD FS privilege escalation exploited in wild (CVE-2026-56155)

CVE-2026-56155

CVE-2026-56155: Microsoft AD FS local privilege escalation actively exploited (CVSS 7.8). Attackers with low privileges can gain elevated rights. Apply Microsoft's security update.

Affected: Microsoft Windows 10 1607 Microsoft Windows 10 1809 Microsoft Windows Server 2012 Microsoft Windows Server 2016 Microsoft Windows Server 2019

Actively exploited in the wild - CVE-2026-56155 is a high-severity local privilege escalation vulnerability in Microsoft Active Directory Federation Services (AD FS) that lets an attacker with low privileges elevate to higher privileges on the same system. Apply the vendor patch immediately.

Overview

CVE-2026-56155 stems from insufficient granularity of access control within Active Directory Federation Services (AD FS). The weakness allows an authorized attacker who already has a foothold on the system to escalate their privileges locally. Because the attack vector is local and requires low privileges with no user interaction, it is particularly dangerous for environments where attackers have already established a presence, such as through phishing or credential theft.

Impact

An attacker exploiting CVE-2026-56155 can gain elevated rights on the AD FS server. This could allow them to:

  • Modify federation trust configurations
  • Access and exfiltrate sensitive token-signing certificates
  • Bypass authentication policies for downstream applications
  • Move laterally to other identity infrastructure

The CVSS 7.8 rating reflects the ease of exploitation, requiring only local access and low privileges. With active exploitation confirmed by CISA’s Known Exploited Vulnerabilities (KEV) catalog, the risk to unpatched systems is immediate.

Affected Versions

Microsoft has not officially disclosed version range specifics at advisory publication time. Organizations should assume all supported versions of Windows Server running AD FS are affected until proven otherwise. Consult Microsoft’s security response center for exact version details.

Remediation

  • Apply the security patch: Microsoft released an out-of-band security update for CVE-2026-56155. Deploy it to all AD FS servers immediately.
  • Audit AD FS configurations: Review federation trust policies and ensure least-privilege principles are enforced on AD FS administrative roles.
  • Monitor for exploitation: Check event logs for unusual privilege escalation patterns or changes to AD FS trust configurations. Look for Event ID 512 (AD FS configuration change) and Event ID 503 (token issuance event) anomalies.

Mitigation (if patching is delayed)

  • Restrict interactive logon to AD FS servers to authorized administrators only.
  • Enable Windows Defender Credential Guard on AD FS hosts to isolate secrets.
  • Implement network segmentation so AD FS servers cannot be reached from compromised workstations.

Security Insight

This vulnerability reveals a recurring pattern in identity provider software: access control logic is often implemented with coarse permissions, assuming administrators will only operate from trusted contexts. The active exploitation of CVE-2026-56155 mirrors past proxy and relay attacks against AD FS and similar federation platforms, where local escalation chained with network access led to full domain compromise. Microsoft continues to treat identity infrastructure as a high-risk boundary, yet in-the-wild exploitation suggests that hardening the local attack surface on federation servers remains an under-prioritized area. Organizations should apply the same rigor to AD FS host security as they apply to domain controllers.

For ongoing coverage of exploited vulnerabilities, visit our security news section, and explore recent breach reports for indicators of compromise associated with AD FS attacks.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Related Advisories

Other Microsoft Windows 10 1607 Vulnerabilities

View all Microsoft Windows 10 1607 vulnerabilities →

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.