Microsoft AD FS Zero-Day Actively Exploited to Grant Admin Privileges, Patched in Record July 2026 Patch Tuesday (CVE-2026-56155)
Scope: Microsoft Active Directory Federation Services (Windows Server 2019, 2022, 2025 with AD FS Role Installed)
Severity: Red
CISA added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14, 2026 alongside Microsoft's July Patch Tuesday, confirming active in-the-wild exploitation of this elevation of privilege zero-day in Active Directory Federation Services before the patch was available. The flaw stems from insufficient granularity of access control within AD FS, allowing a low-privilege authenticated attacker with an existing foothold on a target system to escalate directly to administrator level, granting full control over the AD FS server and its token-signing infrastructure. Zero Day Initiative specifically warns this flaw "can also be paired with an RCE as we often see in ransomware," making AD FS compromise a likely second-stage pivot in ongoing attack chains. Because AD FS bridges on-premises Active Directory with cloud services including Microsoft 365 and Azure, admin-level AD FS compromise exposes authentication tokens, federation settings, and sign-on flows for every connected application. Organizations must apply Microsoft's July 14, 2026 cumulative update immediately, audit AD FS Event ID 1200 logs for anomalous privilege activity, and review token-signing certificate integrity as a post-patch check.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.