AD FS privilege escalation exploited in wild (CVE-2026-56155)
CVE-2026-56155
CVE-2026-56155: Microsoft AD FS local privilege escalation actively exploited (CVSS 7.8). Attackers with low privileges can gain elevated rights. Apply Microsoft's security update.
Actively exploited in the wild - CVE-2026-56155 is a high-severity local privilege escalation vulnerability in Microsoft Active Directory Federation Services (AD FS) that lets an attacker with low privileges elevate to higher privileges on the same system. Apply the vendor patch immediately.
Overview
CVE-2026-56155 stems from insufficient granularity of access control within Active Directory Federation Services (AD FS). The weakness allows an authorized attacker who already has a foothold on the system to escalate their privileges locally. Because the attack vector is local and requires low privileges with no user interaction, it is particularly dangerous for environments where attackers have already established a presence, such as through phishing or credential theft.
Impact
An attacker exploiting CVE-2026-56155 can gain elevated rights on the AD FS server. This could allow them to:
- Modify federation trust configurations
- Access and exfiltrate sensitive token-signing certificates
- Bypass authentication policies for downstream applications
- Move laterally to other identity infrastructure
The CVSS 7.8 rating reflects the ease of exploitation, requiring only local access and low privileges. With active exploitation confirmed by CISA’s Known Exploited Vulnerabilities (KEV) catalog, the risk to unpatched systems is immediate.
Affected Versions
Microsoft has not officially disclosed version range specifics at advisory publication time. Organizations should assume all supported versions of Windows Server running AD FS are affected until proven otherwise. Consult Microsoft’s security response center for exact version details.
Remediation
- Apply the security patch: Microsoft released an out-of-band security update for CVE-2026-56155. Deploy it to all AD FS servers immediately.
- Audit AD FS configurations: Review federation trust policies and ensure least-privilege principles are enforced on AD FS administrative roles.
- Monitor for exploitation: Check event logs for unusual privilege escalation patterns or changes to AD FS trust configurations. Look for
Event ID 512(AD FS configuration change) andEvent ID 503(token issuance event) anomalies.
Mitigation (if patching is delayed)
- Restrict interactive logon to AD FS servers to authorized administrators only.
- Enable Windows Defender Credential Guard on AD FS hosts to isolate secrets.
- Implement network segmentation so AD FS servers cannot be reached from compromised workstations.
Security Insight
This vulnerability reveals a recurring pattern in identity provider software: access control logic is often implemented with coarse permissions, assuming administrators will only operate from trusted contexts. The active exploitation of CVE-2026-56155 mirrors past proxy and relay attacks against AD FS and similar federation platforms, where local escalation chained with network access led to full domain compromise. Microsoft continues to treat identity infrastructure as a high-risk boundary, yet in-the-wild exploitation suggests that hardening the local attack surface on federation servers remains an under-prioritized area. Organizations should apply the same rigor to AD FS host security as they apply to domain controllers.
For ongoing coverage of exploited vulnerabilities, visit our security news section, and explore recent breach reports for indicators of compromise associated with AD FS attacks.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network....
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network....
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally....
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could pot...
Other Microsoft Windows 10 1607 Vulnerabilities
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network....
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network....